GDPR compliance for solo lawyers and small law firms.
Short answer
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. For a solo lawyer or small firm, compliance is achievable without a dedicated data protection officer if you understand what the regulation actually requires.
The narrative around GDPR pushes solo lawyers toward two opposite mistakes. The first is over-engineering: hiring a data protection officer the practice does not need, paying for software designed for organisations one hundred times larger. The second is dismissal: assuming that small size means small obligations, then discovering during a breach or a client complaint that the regulator does not grade on a curve.
The middle path is documented compliance proportionate to the practice. The four pillars below are what regulators actually look for when a question arises.
What GDPR requires in practice
A record of processing activities. Every solo lawyer and firm must maintain documentation of what personal data they process, for what purpose, on what legal basis, and how long they retain it. This does not need to be complex. A simple spreadsheet covering client data, supplier contacts, and staff records satisfies the requirement for most small practices. The spreadsheet is the artefact regulators expect to see when they ask. The absence of one is the answer to several other questions at once.
A defined retention period for each category. Client files, opposing-party data, witness statements, billing records, marketing contacts: each has a different professional and legal lifespan. Pick a period for each, document it in the same spreadsheet, and then implement a calendar reminder to review the older files. The deletion is not optional, even when the file remains useful.
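The review step above is the part small practices most often skip, so here is an added example (not code from the original page) of turning the same spreadsheet into a quarterly review list. It assumes a register CSV with the columns category, reference, closed_on and retention_years; the rows are constructed sample values, not a real practice's data.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register: the columns a solo practitioner's spreadsheet
# would carry. References and dates are illustrative only.
REGISTER_CSV = """category,reference,closed_on,retention_years
client file,M-2015-004,2015-06-30,10
client file,M-2019-017,2019-11-12,10
billing record,INV-2017-088,2017-03-01,7
marketing contact,NEWS-0042,2021-01-15,2
witness statement,M-2019-017/W1,2019-11-12,10
"""


def load_register(text):
    """Parse the register CSV into rows with real date/int types."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "category": row["category"],
            "reference": row["reference"],
            "closed_on": date.fromisoformat(row["closed_on"]),
            "retention_years": int(row["retention_years"]),
        })
    return rows


def retention_expiry(row):
    """Date on which the documented retention period for this row ends."""
    closed = row["closed_on"]
    target_year = closed.year + row["retention_years"]
    try:
        return closed.replace(year=target_year)
    except ValueError:
        # A matter closed on 29 February whose expiry year is not a leap year.
        return closed.replace(year=target_year, day=28)


def due_for_review(rows, today, lookahead_days=90):
    """Return (reference, category, expiry) for entries whose retention has
    already expired or expires within the lookahead window, oldest first.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    horizon = today + timedelta(days=lookahead_days)
    due = [(r["reference"], r["category"], retention_expiry(r))
           for r in rows if retention_expiry(r) <= horizon]
    return sorted(due, key=lambda item: item[2])


if __name__ == "__main__":
    # Run at each quarterly review; the 90-day window catches files expiring
    # before the next review so nothing is deleted late.
    for ref, cat, expiry in due_for_review(load_register(REGISTER_CSV), "2025-05-01"):
        print(f"{expiry}  {cat:<18} {ref}")
```

The output is the review list for the quarter, not a deletion command: each entry still gets a human decision (delete, or record why a longer legal hold applies) and that decision is written back into the register so the record itself shows the review happened.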
A clear position on data subject access requests. Any individual can ask what you hold on them and receive an answer within thirty days. The administrative cost of producing the answer is low if your record of processing activities is current. It is high if you are reconstructing it under deadline. The exemption for legal privilege protects the substance of the file. It does not exempt you from the response.
A legal basis for every processing activity. For lawyers, most client data processing is justified under contractual necessity or legitimate interests. The legal basis must be documented before processing begins, not identified after a complaint. The choice of basis is also the choice of which data subject rights apply: a request to erase data held under contractual necessity is different from a request to erase data held under consent.
A breach response procedure that you have actually tested. Seventy-two hours to notify the supervisory authority of a personal data breach is not negotiable. The clock starts when you become aware of the breach, not when you finish analysing it. The procedure does not need to be elaborate, but it has to exist on paper and have been read by every person who could discover the breach.
A separate consideration applies to AI tools used in client work. The recent ruling that attorney-client privilege can break when a law firm uses ChatGPT sits at the intersection of GDPR and professional rules. The material sent to the tool is also personal data, and the cross-border transfer to a US provider triggers GDPR considerations on top of the privilege question.
The tools that make compliance practical
Proton Mail for encrypted client communications reduces the risk of a data breach through email interception and demonstrates a commitment to data minimisation. The end-to-end encryption between two Proton addresses removes the email provider from the chain of access entirely. For correspondence that crosses to non-Proton recipients, password-protected messages add a layer that satisfies the appropriate technical measures expected under Article 32.
A clear retention policy for client files, implemented through a practice management system or a documented manual process, satisfies the storage limitation principle. The exact tool matters less than the discipline of running it. The audited compliance record from a major practice management vendor is acceptable evidence. A consistent manual review every quarter, documented, is also acceptable.
A wider review of the operational stack for solo and small firms sits in our companion piece on digital security for lawyers and the protection of client data. The full inventory of confidentiality-grade tools is in the digital tools that actually preserve client confidentiality. Both extend the GDPR-specific framing here into the broader operational picture.
Frequently asked questions
Is a solo lawyer subject to GDPR?
If you process personal data of EU residents, yes, regardless of firm size. This includes client data, opposing party data, and witness information.
What is the most common GDPR violation for small law firms?
Keeping client data indefinitely without a retention policy and failing to honour data subject access requests.
Do you need a Data Processing Agreement if you use cloud services?
Yes. Any provider that processes personal data on your behalf requires a DPA. Most major providers offer these as standard contracts.
What happens if a client asks me to delete their entire file under GDPR?
You decline, in most cases, and you explain why. Professional retention obligations under bar rules typically require lawyers to retain client files for a period set by the regulator, often five to ten years after the matter closes. Under GDPR Article 6 that retention is processing required by a legal obligation, and a legal obligation of that kind overrides a simple right-to-erasure request. The correct response is to acknowledge the request, explain the conflicting obligation, and document both. Quietly ignoring the request is the path that ends in a regulator complaint.
Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
