Vertical guide · Legal services

UK GDPR for solicitors and law firms

Updated April 2026 · UK GDPR · MLR 2017 · POCA 2002 · SRA regulated firms

A solicitor's practice operates at the intersection of UK GDPR, legal professional privilege, the Money Laundering Regulations 2017, and SRA regulatory obligations. Data protection compliance for a law firm is not a standard SME exercise — it requires the standard framework to be adapted for the privilege regime, the AML conflict, and the specific ways in which legal matter data is processed and retained.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.
⚠ Privilege does not suspend GDPR obligations

Legal professional privilege provides specific exemptions from the right of access in DSARs, but it does not suspend the broader data protection obligations. A law firm must still have a lawful basis for processing, a privacy notice, a ROPA, a breach log, staff training, and all other elements of a compliant programme — regardless of whether some data is privileged.

Controller and processor in legal practice

Law firms are typically data controllers for the personal data they process in the course of providing legal advice. The firm determines the purposes and means of processing — it is not acting under the instruction of the client in the same way a payroll processor does. The client's data appears in the matter file because the firm needs it to provide legal services, not because the client has instructed the firm to process it in a particular way.

However, in some practice areas, the position is more complex. An employment law practice that manages a client's disciplinary process, processes employee records, or administers HR systems on the client's behalf may be acting as a processor for some of that data. Each matter type should be assessed to establish whether the firm is controller or processor, and the ROPA should reflect both roles where they apply.

Where the firm acts as processor, even in a legal context, a Data Processing Agreement containing the Article 28(3) terms must be in place. A matter engagement letter does not satisfy this requirement. Where a DPA is required and absent, both parties are exposed: the client under Article 28(1) (use only processors providing sufficient guarantees) and both client and firm under Article 28(3) (processing by a processor must be governed by a written contract with the prescribed terms).

Source: UK GDPR Articles 4(7), 4(8), 28; ICO guidance on controllers and processors in legal services

Legal professional privilege and subject access requests

Legal professional privilege — both legal advice privilege and litigation privilege — is an exemption from the right of access under DPA 2018 Schedule 2 paragraph 19. Documents that are subject to legal advice privilege (communications between client and solicitor for the purpose of giving or receiving legal advice) or litigation privilege (communications created for the dominant purpose of litigation that is reasonably anticipated) may be withheld from a DSAR response.

However, the exemption must be applied document by document. It is not a blanket right to withhold an entire client file. A law firm receiving a DSAR must review the file, identify which documents are subject to privilege, and provide the remainder. Documents that contain both privileged and non-privileged information should be redacted rather than withheld entirely where possible.

The exemption attaches to the information, not to the identity of the requester. If a third party, for example an opposing party, submits a DSAR, the firm may withhold its privileged communications with its own client, but it cannot withhold the whole client file on that basis: inter-party correspondence and other non-privileged material containing the requester's personal data is not covered by paragraph 19 and must be assessed document by document, with the firm's duty of confidentiality to its client considered alongside the requester's right of access rather than used as a blanket refusal.

Source: DPA 2018 Schedule 2 Para 19; Three Rivers District Council v Governor and Company of the Bank of England (No 6) [2004] UKHL 48; ICO right of access guidance

AML/GDPR retention conflict

Law firms within the scope of the MLR 2017 (those providing legal services that make the firm a relevant person under the Regulations) must keep Customer Due Diligence records for five years from the end of the business relationship or the completion of the occasional transaction (regulation 40). This creates a tension with the storage limitation principle in Article 5(1)(e) UK GDPR, which must be resolved explicitly rather than left implicit.

The resolution is that retention required by statute is "necessary" for the purpose for which the data is held: the retention rests on the Article 6(1)(c) legal obligation basis, and Article 17(3)(b) disapplies the right to erasure where retention is necessary to comply with a legal obligation. The firm must document this in its data retention policy, reflect it in the privacy notice, and apply it only to the CDD material that regulation 40 actually covers, not to the whole client file.

At the end of the five-year period regulation 40 itself requires the personal data obtained for AML purposes to be deleted, unless one of its own exceptions applies (retention required by another enactment or for court or other legal proceedings, or the data subject's consent). Retention beyond that point with no such exception has no legal justification. The deletion must be documented: the firm must be able to show that CDD data was destroyed at the right point and not retained indefinitely by default. An annual review of CDD records approaching the destruction date, with recorded authorisation of destruction or a recorded reason for continued retention, is the operational expression of this obligation.

Source: MLR 2017 Regulation 40; UK GDPR Articles 5(1)(e), 6(1)(c), 17(3)(b)

Tipping off and DSARs

Where a law firm has filed a Suspicious Activity Report with the NCA in relation to a client, and that client subsequently submits a data subject access request, responding in full would reveal the existence of the SAR. That disclosure is the criminal offence of tipping off under POCA 2002 s.333A where it is likely to prejudice any investigation that might follow the report. The maximum sentence on conviction on indictment is two years' imprisonment.

DPA 2018 Schedule 2 paragraph 2 provides the mechanism for withholding information where complying with the request would be likely to prejudice the prevention or detection of crime. The exemption applies only to the extent of that prejudice, so the assessment is specific to each request and is never automatic. On receipt of every DSAR, the firm's MLRO should check whether the requester is the subject of a SAR. Where a match is found:

  • Provide the data that does not relate to the SAR in the normal way
  • Withhold the SAR-related data under the Schedule 2 paragraph 2 exemption, and do not confirm to the requester that this exemption has been applied where doing so would itself reveal the report
  • Document the assessment and the basis for withholding in detail, and retain it as evidence
  • Obtain qualified legal advice: the criminal liability for tipping off under POCA 2002 s.333A is personal to the individual who makes the disclosure
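The two document-by-document rules above (privilege is assessed per document, never as a blanket refusal; SAR-related material is withheld under the crime exemption and the basis recorded internally) can be expressed as a small triage routine. The following is an added example written for this guide, not code from the page or from any case management product; the document flags, the register, the reference numbers and the matter file are all constructed, and the SAR register is assumed to be held by the MLRO rather than the fee earner.

```python
"""DSAR triage for a law firm: SAR-register check plus per-document exemption
assessment. Added example with constructed data; not part of the guide."""
from dataclasses import dataclass, field
from datetime import date

LPP_BASIS = "DPA 2018 Sch 2 para 19 (legal professional privilege)"
CRIME_BASIS = ("DPA 2018 Sch 2 para 2 (prevention or detection of crime): "
               "disclosure would reveal a SAR, see POCA 2002 s.333A")


@dataclass(frozen=True)
class Document:
    ref: str
    description: str
    privileged: bool = False    # a claim to LPP could be maintained in proceedings
    sar_related: bool = False   # would reveal that a SAR was made, or its content
    mixed: bool = False         # privileged and non-privileged content in one document


@dataclass
class Assessment:
    dsar_ref: str
    requester_id: str
    assessed_on: date
    disclose: list[str] = field(default_factory=list)
    redact: list[str] = field(default_factory=list)
    withhold: dict[str, str] = field(default_factory=dict)  # doc ref -> statutory basis
    mlro_referral: bool = False
    mlro_note: str = ""         # internal record only; never copied into the response


def assess_dsar(dsar_ref, requester_id, documents, sar_register, today=None):
    """Assign every document exactly one outcome. Withholding the whole file is
    not an available outcome: each document is disclosed, redacted or withheld
    on a recorded statutory basis."""
    a = Assessment(dsar_ref, requester_id, today or date.today())
    if requester_id in sar_register:
        a.mlro_referral = True
        a.mlro_note = f"Requester matches SAR register entry {sar_register[requester_id]}"
    for doc in documents:
        if doc.sar_related:              # checked first: the tipping-off risk dominates
            a.withhold[doc.ref] = CRIME_BASIS
            a.mlro_referral = True
        elif doc.privileged and doc.mixed:
            a.redact.append(doc.ref)     # privileged passages removed, remainder provided
        elif doc.privileged:
            a.withhold[doc.ref] = LPP_BASIS
        else:
            a.disclose.append(doc.ref)
    return a


def response_summary(a):
    """Text for the covering letter. Privilege withholding can be stated openly.
    Material withheld under the crime exemption is neither listed nor mentioned
    (assumption: the firm does not tell the requester that exemption was applied,
    because saying so would itself reveal the report)."""
    lpp = [ref for ref, basis in a.withhold.items() if basis == LPP_BASIS]
    lines = [f"Documents provided: {', '.join(a.disclose + a.redact) or 'none'}"]
    if a.redact:
        lines.append(f"Provided in redacted form: {', '.join(a.redact)}")
    if lpp:
        lines.append(f"Withheld as legally privileged: {', '.join(lpp)}")
    return "\n".join(lines)


# Constructed sample data. In practice the register lives with the MLRO only.
SAR_REGISTER = {"REQ-A": "internal-sar-ref-1"}
MATTER_FILE = [
    Document("DOC-1", "letter from opposing party's solicitors"),
    Document("DOC-2", "advice note to client", privileged=True),
    Document("DOC-3", "attendance note mixing advice and meeting logistics",
             privileged=True, mixed=True),
    Document("DOC-4", "MLRO file note recording the SAR", sar_related=True),
]

if __name__ == "__main__":
    result = assess_dsar("DSAR-1", "REQ-A", MATTER_FILE, SAR_REGISTER, date(2026, 4, 1))
    print(response_summary(result))
    print("MLRO referral:", result.mlro_referral)
```

The ordering of the checks is the point: a document that would reveal the SAR is withheld before any privilege logic runs, and the covering letter is generated from a view that cannot see the crime-exemption entries. The `mlro_note` and the `withhold` dictionary together form the internal assessment record the guide asks the firm to retain.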

NCA Circular 004/2021 should be reviewed as part of any firm-level tipping-off procedure.

Source: POCA 2002 s.333A; DPA 2018 Schedule 2 Para 2; NCA Circular 004/2021

SRA obligations

The Solicitors Regulation Authority's Code of Conduct requires solicitors to keep client information confidential and to behave in a way that upholds public trust in the profession. Data protection breaches — particularly unauthorised disclosure of client data — can constitute regulatory breaches as well as ICO enforcement matters.

The SRA has published guidance on data protection for law firms, and compliance with UK GDPR is considered part of the obligation to maintain effective systems for the management of risk. SRA monitoring, inspection, and investigation activity may include review of data protection arrangements. A firm with a documented, governed compliance programme and an evidence record is materially better positioned in an SRA review than one relying on informal arrangements.

Firms holding Lexcel (the Law Society's practice management standard) or ISO 27001 certification should review their data protection documentation against those frameworks as well as against the UK GDPR programme. Lexcel includes specific data protection requirements, and assessors will look for documented policies, a ROPA, DPAs, and a breach log.

Special category data in legal matters

Legal matters frequently involve special category personal data: health records in personal injury or clinical negligence matters, political opinions or religious beliefs in asylum matters. Processing special category data requires both an Article 6 lawful basis and an Article 9 condition. Criminal conviction and offence data, common in criminal defence and employment matters, is not special category data: it is governed by Article 10 and DPA 2018 s.10, and requires an Article 6 basis plus a condition from DPA 2018 Schedule 1. In each case the basis and the condition must be documented separately for each processing activity.

For legal proceedings, the Article 9(2)(f) condition (processing necessary for the establishment, exercise or defence of legal claims) is typically the most relevant, and unlike several other Article 9(2) conditions it does not require an additional Schedule 1 condition. The equivalent condition for criminal offence data is the legal claims condition in DPA 2018 Schedule 1 Part 3 (paragraph 33). The specific condition must be recorded in the ROPA for each matter type where such data is processed; a bare assertion that the processing is for legal proceedings is insufficient.

Source: UK GDPR Articles 9(2)(f), 10; DPA 2018 s.10, Schedule 1 Part 3; ICO special category data and criminal offence data guidance

The evidence record for law firms

A law firm’s data protection evidence record must address both the standard UK GDPR framework and the sector-specific obligations. The minimum evidence base should include:

  • An Article 30 ROPA distinguishing controller and processor activities
  • Executed Article 28(3)-compliant DPAs where the firm acts as processor
  • A privacy notice addressing CDD retention under MLR 2017 and the privilege position
  • A breach log with documented breach response procedure
  • Documented staff training records
  • A data retention policy with the AML/GDPR conflict addressed
  • A DSAR log and a SAR log with MLRO check documentation

GDPRLedger Pro addresses the full complexity of AML-regulated professional services firms. The 87-task programme covers the processor role, the AML/GDPR retention conflict, the DSAR/tipping-off procedure, the regulatory obligations matrix, and the annual re-attestation programme. The client-shareable processor governance pack produced as part of the Pro evidence record supports tender responses and client due diligence queries about the firm's data handling.

Record this. Document the privilege assessment for every DSAR response, every SAR register check on DSAR receipt, every CDD destruction decision, and every DPA executed. For a law firm, data protection evidence may be examined by the ICO, by the SRA acting as both conduct regulator and AML supervisor, and in litigation. It must hold up to scrutiny from all of them.
Not legal advice. This guide is derived from UK GDPR (DPA 2018 / DUAA 2025), MLR 2017, POCA 2002, the SRA Code of Conduct, and ICO published guidance as at April 2026. Data protection in legal practice is highly fact-specific. Consult a qualified solicitor, a data protection practitioner, and your firm's MLRO for advice on specific matters.