GDPR Compliance Checklist
Score your organisation's GDPR compliance across the checklist items and categories below.
Identify a Lawful Basis for Each Processing Activity
Map every category of personal data your firm processes (client files, HR records, marketing) to one of the six lawful bases. Document the rationale in your Records of Processing Activities.
Conduct Legitimate Interest Assessments
For processing that relies on legitimate interests (e.g., conflict checks, business development), complete a three-part balancing test documenting the purpose, necessity, and impact on individuals.
Obtain Valid Consent Where Required
When consent is the lawful basis (e.g., marketing emails, optional profiling), ensure it is freely given, specific, informed, and unambiguous. Use clear opt-in mechanisms — never pre-ticked boxes.
Maintain Auditable Consent Records
Store timestamped evidence of each consent action including the version of the notice shown, the channel used, and the specific purposes consented to. Enable retrieval for audit or DSAR response.
Enable Easy Consent Withdrawal
Provide a simple mechanism for individuals to withdraw consent at any time. Withdrawal must be as easy as giving consent and must take effect without undue delay.
Publish a Client-Facing Privacy Notice
Provide clients with a clear, concise privacy notice at the start of each engagement explaining what personal data you collect, why, how long you keep it, and their rights.
Maintain a Website Privacy Policy
Publish a comprehensive privacy policy on your firm's website covering all data processing activities — website analytics, contact forms, cookie usage, and recruitment.
Include Engagement Letter Disclosures
Integrate data protection clauses into client engagement letters specifying the controller identity, purposes of processing, data sharing with third parties, and retention periods.
Provide Employee Privacy Notices
Give staff and job applicants a dedicated privacy notice covering HR data processing — payroll, performance monitoring, background checks, and internal communications.
Disclose Third-Party Data Sharing
Clearly inform data subjects about any sharing of their personal data with barristers, experts, courts, regulators, or other third parties. Name categories of recipients.
Encrypt Personal Data at Rest and in Transit
Apply encryption to client files, databases, email communications, and portable devices. Enforce TLS 1.2+ for all data in transit and AES-256 or equivalent for data at rest.
Implement Role-Based Access Controls
Restrict access to personal data based on job function using the principle of least privilege. Maintain access logs and review permissions quarterly.
Establish a Data Breach Response Plan
Document a clear incident response procedure. Notify the supervisory authority within 72 hours of becoming aware of a qualifying breach. Inform affected individuals without undue delay when there is a high risk.
Conduct Regular Security Testing
Perform periodic vulnerability assessments and penetration tests on systems that process personal data. Address findings promptly and document remediation.
Secure Physical and Remote Access
Protect physical premises with appropriate access controls. For remote work, enforce VPN usage, multi-factor authentication, and endpoint security on all devices accessing client data.
Implement a DSAR Handling Process
Establish a documented procedure to receive, verify, and respond to data subject access requests within one calendar month. Train staff to recognise and escalate requests promptly.
Support Rectification and Erasure Requests
Enable individuals to correct inaccurate data and request deletion. Document lawful grounds for refusal (e.g., legal obligation to retain) and communicate these clearly.
Facilitate Data Portability
Where processing is based on consent or contract, provide personal data in a structured, commonly used, machine-readable format (CSV, JSON) upon request.
Honour the Right to Object
Stop processing personal data for direct marketing immediately upon objection. For other objections based on legitimate interests, assess whether compelling grounds override the individual's interests.
Review Automated Decision-Making
If your firm uses automated profiling or decision-making that significantly affects individuals, provide meaningful information about the logic involved and offer the right to human review.
Maintain Records of Processing Activities
Keep a comprehensive ROPA documenting every processing activity — purpose, categories of data, recipients, retention periods, and technical and organisational security measures.
Appoint or Assess the Need for a DPO
Determine whether your firm is required to appoint a Data Protection Officer. If appointed, ensure they have sufficient resources, independence, and direct reporting to senior management.
Conduct Data Protection Impact Assessments
Perform a DPIA before any processing likely to result in high risk to individuals — large-scale profiling, systematic monitoring, or processing of special category data.
Manage Third-Party Processors
Execute Data Processing Agreements with all processors (IT providers, cloud services, external counsel). Audit processor compliance regularly and maintain a register of all sub-processors.
Implement Staff Training and Policies
Deliver mandatory data protection training to all staff at induction and annually. Maintain written policies for data handling, clean desk, acceptable use, and incident reporting.
Map All International Data Flows
Identify every transfer of personal data outside the EEA — cloud hosting, cross-border litigation support, international co-counsel. Document the destination country and legal basis for each transfer.
Implement Appropriate Transfer Safeguards
For transfers to countries without an adequacy decision, put Standard Contractual Clauses or Binding Corporate Rules in place. Conduct Transfer Impact Assessments where required.
Identify and Protect Special Category Data
Recognise when you process special category data (health records, criminal offence data, racial or ethnic origin) in litigation or advisory work. Apply enhanced safeguards and document the Art. 9 condition relied upon.
Define and Enforce Data Retention Schedules
Set clear retention periods for each data category — client files, financial records, HR data. Implement automated deletion or anonymisation when retention periods expire.
Apply Data Minimisation Principles
Collect only the personal data strictly necessary for each purpose. Review intake forms, data collection practices, and legacy databases. Purge unnecessary data regularly.
Want to automate these checks?
PrivacyForge handles consent management, data mapping, DSAR workflows, and audit-ready reports — so you can stop checking boxes manually.
This checklist is for informational purposes only and does not constitute legal advice. Consult a qualified data-protection professional to ensure full compliance.