Do solicitors in the UK need to comply with UK GDPR?

Yes. Solicitors are data controllers and must comply with UK GDPR, the Data Protection Act 2018 and PECR. The Solicitors Regulation Authority (SRA) and the Law Society have published guidance on data protection for legal practices. The ICO can investigate complaints from clients and data subjects against firms of any size. Scottish solicitors are regulated by the Law Society of Scotland. Northern Irish solicitors by the Law Society of Northern Ireland.

How does legal professional privilege interact with UK GDPR?

Legal professional privilege protects communications between solicitor and client from disclosure in legal proceedings. It does not exempt solicitors from UK GDPR obligations. Clients still have data subject rights (access, rectification, erasure) subject to limitations. The Data Protection Act 2018 Schedule 2 paragraph 19 contains a specific privilege exemption that solicitors can rely on when responding to subject access requests.

How long must a UK solicitor retain client files?

The Law Society recommends retaining most client matter files for at least 6 years after the matter concludes, in line with the Limitation Act 1980. Some matters (property, wills, probate, child-related work) require longer retention. Anti-money laundering records under the Money Laundering Regulations 2017 must be retained for 5 years from the end of the business relationship. Always consult current Law Society and SRA guidance for your matter type.

GDPR & Privacy

GDPR for UK solicitors: SRA, Law Society, ICO rules

Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026

UK legal practices are subject to overlapping regulatory regimes: UK GDPR / Data Protection Act 2018 (enforced by the ICO), SRA Standards and Regulations (Solicitors Regulation Authority for England and Wales) and the equivalent professional bodies in Scotland and Northern Ireland. All require data protection compliance, but they approach it differently.

Want a quick read on where your firm's website stands? Run our free compliance scan to see whether your privacy notice, cookie banner and SRA disclosures meet the baseline before you start the deeper work below.

SRA and Law Society position

The SRA Standards and Regulations require firms to maintain "appropriate systems and controls" for compliance with statutory and regulatory obligations, UK GDPR is squarely within scope. The Law Society of England and Wales has published practical guidance on data protection for solicitors and the Law Society of Scotland publishes its own equivalent.

Key positions across the UK regulators:

Firms must have a documented data protection policy and clearly identified responsibility for data protection compliance. Larger firms may need a formal Data Protection Officer (DPO) under UK GDPR Article 37
Client files must be stored securely with access restricted to those working on the matter
Physical files must be stored securely, digital files must be encrypted or appropriately access-controlled
Cyber Essentials certification is increasingly expected by professional indemnity insurers and sophisticated client-side procurement teams

Legal professional privilege and the duty of confidentiality are longstanding principles of English, Scots and Northern Irish law. UK GDPR adds a layer of formal obligations on top of these duties.

Key interactions:

Clients' right of access: A client can submit a Data Subject Access Request (DSAR) for all personal data you hold about them. You have one month to respond. The Data Protection Act 2018 Schedule 2 paragraph 19 provides a specific exemption for information covered by legal professional privilege, but you cannot ignore DSARs entirely, you must respond, claim the exemption explicitly and disclose what isn't privileged.
Right to erasure: Clients can request deletion of their personal data. Solicitors can decline where retention is required by law (e.g. MLR 2017) or necessary for the establishment, exercise or defence of legal claims under UK GDPR Article 17(3)(e).
Third-party data: Files often contain data about opposing parties, witnesses and others. Be careful about disclosing this in response to a client DSAR, UK GDPR Article 15(4) and DPA 2018 protections for third parties apply.
Stop-the-clock on SARs: The Data (Use and Access) Act 2025 introduced a UK-specific mechanism allowing controllers to pause the one-month SAR deadline while clarification is sought from the requester. This is a small but useful change for firms processing complex requests.

Anti-money laundering (AML) data retention

Solicitors are designated persons under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and must comply with related obligations under the Proceeds of Crime Act 2002 and the Terrorism Act 2000. AML obligations create specific retention requirements that interact with UK GDPR's data minimisation principle.

Required AML records:

Customer Due Diligence (CDD) documentation: copies of ID and verification documents
Records of transactions you conducted on behalf of clients
Correspondence and notes related to Suspicious Activity Reports (SARs) submitted to the National Crime Agency

Retention period: 5 years from the end of the business relationship or the date of the transaction.

This creates a floor on data retention that overrides a client's right to erasure for AML-covered records during the 5-year period. UK GDPR Article 17(3)(b) recognises this, retention is required by law.

Your firm's website

A solicitors' firm website typically collects personal data through:

Contact enquiry forms
Online consultation booking
Newsletter or legal-update subscriptions
Free initial assessment forms

Required on your website:

Required item	What it must include	Statutory basis
Privacy notice	How you handle enquiry data, who has access, retention periods, right to complain to the ICO	UK GDPR Arts 13-14, DPA 2018
Cookie consent banner	Reject-equal-to-accept if you use analytics or any non-essential cookies	PECR Regulation 6
SRA registration number + "authorised and regulated by the SRA" statement	Full firm name, SRA number, exact regulatory statement	SRA Transparency Rules
Companies House details	If incorporated (LLP or limited company): registered number, registered office address	Companies (Trading Disclosures) Regulations 2008
Direct contact email and geographic address	A monitored email address plus a real (not PO box) postal address	E-Commerce Regulations 2002 Reg 6
Price and service information for specified work types	Conveyancing, probate, immigration, employment tribunal, motoring offences, debt recovery, licensing (fee and timescale information per matter)	SRA Transparency Rules

The SRA Transparency Rules are firm-specific to the legal profession and have no equivalent in most other regulated sectors. Failure to publish the required information has been a stated SRA enforcement priority since 2018.

Professional indemnity and data protection

Data breaches and ICO enforcement actions may engage your professional indemnity insurance. The SRA's minimum terms and conditions of professional indemnity insurance require coverage for civil liability arising from the practice of law, but the interaction with UK GDPR fines and ICO investigation costs varies by insurer. Review your specific policy for:

Costs of ICO investigations and legal representation
Regulatory fines (UK GDPR fines are generally not insurable, investigation costs often are)
Client notification costs in the event of a data breach
Cyber-incident response (often a separate cyber endorsement)

Checklist for solicitors' practices

Item	Required?
Written data protection policy	Yes
Data Processing Agreements with practice-management software	Yes
Client privacy notice provided at engagement	Yes
DSAR procedure documented	Yes
AML records retained for 5 years (MLR 2017)	Yes (legal obligation)
Data breach notification procedure (72-hour ICO)	Yes
Secure file storage (physical and digital)	Yes
Privacy notice on firm website	Yes
SRA registration and transparency statement on website	Yes
SRA Transparency Rules pricing (where applicable)	Yes (specified work types)
ICO data-protection fee paid	Yes (typically Tier 1 or 2)

Check your firm's website

Free compliance scan for your law firm website

Sources

This is technical analysis, not legal advice. Consult the SRA and a qualified data protection specialist for your specific situation.

Share this article

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.

Start free check

UK Website Guides

GDPR compliance for UK businesses: website checklist 2026

GDPR compliance for UK businesses in 2026: nine website obligations under UK GDPR and PECR. Privacy notice, cookie consent, ICO fee, Companies House details.

GDPR for dental practices in the UK

UK GDPR for dental practices in 2026. Patient data as special category, GDC registration, NHS record retention, online booking and breach notification.

UK GDPR for Charities: Fundraising, Volunteers, Donor Data

UK GDPR for charities in 2026. Fundraising consent, donor data, Gift Aid records, volunteer information and what the Fundraising Regulator now expects.

UK GDPR fines under the ICO: what penalties look like

ICO fine bands under UK GDPR: up to £17.5M or 4% of global turnover. Marriott, BA and TikTok cases explained. What SMBs realistically face.