GDPR for solicitors in the UK: SRA, Law Society, and ICO requirements
Steven | TrustYourWebsite · 3 May 2026
UK legal practices are subject to overlapping regulatory regimes: UK GDPR / Data Protection Act 2018 (enforced by the ICO), SRA Standards and Regulations (Solicitors Regulation Authority for England and Wales), and the equivalent professional bodies in Scotland and Northern Ireland. All require data protection compliance, but they approach it differently.
SRA and Law Society position
The SRA Standards and Regulations require firms to maintain "appropriate systems and controls" for compliance with statutory and regulatory obligations — UK GDPR is squarely within scope. The Law Society of England and Wales has published practical guidance on data protection for solicitors, and the Law Society of Scotland publishes its own equivalent.
Key positions across the UK regulators:
- Firms must have a documented data protection policy and clearly identified responsibility for data protection compliance. Larger firms may need a formal Data Protection Officer (DPO) under UK GDPR Article 37
- Client files must be stored securely with access restricted to those working on the matter
- Physical files must be stored securely; digital files must be encrypted or appropriately access-controlled
- Cyber Essentials certification is increasingly expected by professional indemnity insurers and sophisticated client-side procurement teams
Client confidentiality and UK GDPR
Legal professional privilege and the duty of confidentiality are longstanding principles of English, Scots, and Northern Irish law. UK GDPR adds a layer of formal obligations on top of these duties.
Key interactions:
- Clients' right of access: A client can submit a Data Subject Access Request (DSAR) for all personal data you hold about them. You have one month to respond. The Data Protection Act 2018 Schedule 2 paragraph 19 provides a specific exemption for information covered by legal professional privilege, but you cannot ignore DSARs entirely — you must respond, claim the exemption explicitly, and disclose what isn't privileged.
- Right to erasure: Clients can request deletion of their personal data. Solicitors can decline where retention is required by law (e.g. MLR 2017) or necessary for the establishment, exercise, or defence of legal claims under UK GDPR Article 17(3)(e).
- Third-party data: Files often contain data about opposing parties, witnesses, and others. Be careful about disclosing this in response to a client DSAR — UK GDPR Article 15(4) and DPA 2018 protections for third parties apply.
- Stop-the-clock on DSARs: The Data (Use and Access) Act 2025 introduced a UK-specific mechanism allowing controllers to pause the one-month DSAR deadline while clarification is sought from the requester. This is a small but useful change for firms processing complex requests.
Anti-money laundering (AML) data retention
Solicitors are designated persons under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), and must comply with related obligations under the Proceeds of Crime Act 2002 and the Terrorism Act 2000. AML obligations create specific retention requirements that interact with UK GDPR's data minimisation principle.
Required AML records:
- Customer Due Diligence (CDD) documentation: copies of ID and verification documents
- Records of transactions you conducted on behalf of clients
- Correspondence and notes related to Suspicious Activity Reports (SARs) submitted to the National Crime Agency
Retention period: 5 years from the end of the business relationship or the date of the transaction.
This creates a floor on data retention that overrides a client's right to erasure for AML-covered records during the 5-year period. UK GDPR Article 17(3)(b) recognises this — retention is required by law.
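To show how the AML retention floor interacts with an erasure request inside a records system, here is an added example in Python; it is not code from the article or from TrustYourWebsite. The record categories, field names, and sample records are assumptions constructed for the illustration; the five-year period, its trigger (end of the business relationship or date of the transaction), and the Article 17(3)(b) and 17(3)(e) grounds are taken from the text above.

```python
# Added example, not code from the article or from TrustYourWebsite: a minimal
# policy-as-code check that decides whether a right-to-erasure request can be
# honoured for a given record. The record categories, field names and sample
# records below are assumptions constructed for illustration; the five-year
# MLR 2017 retention period, its trigger (end of the business relationship or
# date of the transaction) and the Article 17(3)(b)/(e) grounds come from the
# article.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Categories the article lists as AML records that must be kept (assumed labels).
AML_CATEGORIES = {"cdd", "transaction", "sar_correspondence"}
AML_RETENTION_YEARS = 5


def add_years(d: date, years: int) -> date:
    """Add whole calendar years; a 29 February start rolls to 1 March when the
    target year is not a leap year, so the retention floor never shortens."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str               # e.g. "cdd", "transaction", "enquiry_form"
    trigger_date: date          # end of the business relationship, or the transaction date
    legal_claim_open: bool = False  # needed to establish, exercise or defend a legal claim


@dataclass(frozen=True)
class ErasureDecision:
    record_id: str
    erase: bool
    basis: str
    retain_until: Optional[date]


def evaluate_erasure(record: Record, request_date: date) -> ErasureDecision:
    """Apply the retention grounds in order: the statutory AML floor first,
    then the legal-claims exemption, then erase."""
    if record.category in AML_CATEGORIES:
        retain_until = add_years(record.trigger_date, AML_RETENTION_YEARS)
        if request_date < retain_until:
            return ErasureDecision(record.record_id, False,
                                   "UK GDPR Art 17(3)(b): MLR 2017 retention", retain_until)
    if record.legal_claim_open:
        return ErasureDecision(record.record_id, False,
                               "UK GDPR Art 17(3)(e): legal claims", None)
    return ErasureDecision(record.record_id, True,
                           "no retention ground; erase", None)


def process_request(records: List[Record], request_date: date) -> List[ErasureDecision]:
    """Evaluate every record held about the requester; one decision per record."""
    return [evaluate_erasure(r, request_date) for r in records]


def sample_records() -> List[Record]:
    """Constructed sample data, not real client records."""
    return [
        Record("cdd-001", "cdd", date(2022, 6, 30)),            # still inside the 5-year floor
        Record("txn-002", "transaction", date(2020, 2, 29)),    # floor expired (leap-day start)
        Record("enq-003", "enquiry_form", date(2025, 1, 10)),   # website enquiry, no AML floor
        Record("file-004", "matter_file", date(2024, 1, 1), legal_claim_open=True),
    ]


if __name__ == "__main__":
    for d in process_request(sample_records(), date(2026, 5, 3)):
        print(d.record_id, "ERASE" if d.erase else "RETAIN", d.basis, d.retain_until)
```

The decision object carries the legal basis and the retain-until date so that the firm's DSAR response can state the exemption explicitly rather than silently dropping the request; in a real practice-management system each decision would also be written to an audit log.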
Your firm's website
A solicitors' firm website typically collects personal data through:
- Contact enquiry forms
- Online consultation booking
- Newsletter or legal-update subscriptions
- Free initial assessment forms
Required on your website:
- Privacy notice covering how you handle enquiry data, who has access, retention periods, and the right to lodge a complaint with the ICO
- Cookie consent banner if using analytics — PECR Regulation 6 applies
- SRA registration number, full firm name, and a statement that you are "authorised and regulated by the Solicitors Regulation Authority" (SRA Transparency Rules)
- Companies House details if the practice is incorporated as an LLP or limited company (Companies (Trading Disclosures) Regulations 2008)
- A direct contact email address and geographic address (E-Commerce Regulations 2002 Reg 6)
- Price and service information for specified work types (SRA Transparency Rules — applies to conveyancing, probate, immigration, employment tribunal, motoring offences, debt recovery, and licensing)
The SRA Transparency Rules are specific to the legal profession and have no equivalent in most other regulated sectors. Failure to publish the required information has been a stated SRA enforcement priority since 2018.
Professional indemnity and data protection
Data breaches and ICO enforcement actions may engage your professional indemnity insurance. The SRA's minimum terms and conditions of professional indemnity insurance require coverage for civil liability arising from the practice of law, but the interaction with UK GDPR fines and ICO investigation costs varies by insurer. Review your specific policy for:
- Costs of ICO investigations and legal representation
- Regulatory fines (UK GDPR fines are generally not insurable; investigation costs often are)
- Client notification costs in the event of a data breach
- Cyber-incident response (often a separate cyber endorsement)
Checklist for solicitors' practices
| Item | Required? |
|---|---|
| Written data protection policy | Yes |
| Data Processing Agreements with practice-management software | Yes |
| Client privacy notice provided at engagement | Yes |
| DSAR procedure documented | Yes |
| AML records retained for 5 years (MLR 2017) | Yes (legal obligation) |
| Data breach notification procedure (72-hour ICO) | Yes |
| Secure file storage (physical and digital) | Yes |
| Privacy notice on firm website | Yes |
| SRA registration and transparency statement on website | Yes |
| SRA Transparency Rules pricing (where applicable) | Yes (specified work types) |
| ICO data-protection fee paid | Yes (typically Tier 1 or 2) |
Sources
- Solicitors Regulation Authority, Standards and Regulations
- Law Society of England and Wales, Data protection guidance
- ICO, Legal sector guidance
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
This is technical analysis, not legal advice. Consult the SRA and a qualified data protection specialist for your specific situation.