Being accountable

The GDPR requires organisations to demonstrate and document the ways in which they comply with the data protection principles. This is called the ‘accountability principle’ (Article 5(2) GDPR). In practice this generally involves

  1. documenting the personal data processed by the firm, the key risks relating to that data and the measures the firm is taking to protect it (creating a ‘data inventory’), and
  2. maintaining records of data processing activities (see Article 30 GDPR). Given the limits on the derogation from this requirement (discussed below), it is likely that the vast majority of law firms will need to keep a record of processing activities.

The firm should also consider and document other matters, such as transfers of personal data outside the EEA, special categories of data, data relating to children or minors, and processing which poses a security risk, such as the bank details of clients or counterparties.

The reasoning behind these measures is that they assist with other requirements in the GDPR. For example, if there is a data breach, the firm will have a list to hand identifying who to notify. The record may even assist in identifying the source of a breach: where the personal data of some individuals are affected and not others, there may be a common service provider for the affected data that can be identified as the source. The record is also of assistance where personal data is found to be inaccurate, since the firm will then be required to follow up and correct that information with all the third parties with whom it shared the inaccurate data.

Note that, with respect to the requirement to maintain records of data processing activities, there is a derogation for entities with fewer than 250 employees. However, the derogation cannot apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (Article 9(1) GDPR) or personal data relating to criminal convictions and offences (Article 10 GDPR).

Many types of processing carried out by law firms, particularly processing of client data but also any non-occasional processing such as that relating to employees, are unlikely to be able to avail of the derogation from the requirement to maintain records. For further information on this issue, please see .

Helpful Templates

Note: The data inventory template is a basic template to assist a firm in getting started with GDPR compliance. It should be tailored to the activities of each firm and built upon by each firm.

Creating a data inventory can be very complex. The complexity is not necessarily proportionate to the firm’s size. A small firm that deals with family law, employment and personal injury litigation may be dealing with many different types of data, including special categories of data. A large firm that deals with the business matters of corporate clients may hold no special categories of data on behalf of clients and limited personal data.

  • See guidance from the Data Protection Commission:


Accountability checklist

  • Has your firm completed a record of its processing activities (a data inventory), and does it keep that record up to date?

  • Is your firm able to provide a record of its personal data processing to the Data Protection Commission if requested?

  • Does your firm have an agreed schedule for reviewing and updating the data processing record?
