Data protection · 6 min read · Updated June 2026

UK GDPR for law firms: the principles in practice

Under UK GDPR, firms are data controllers for the personal data they hold about clients and others. The seven principles aren’t abstract — they map onto concrete habits. Here’s how they look in a working firm.

The principles, applied

  • Lawfulness, fairness & transparency — clear client-care and privacy information, and clients who can see how their matter is handled
  • Purpose limitation — collect data for a defined matter, not “just in case”
  • Data minimisation — ask only for what the matter type actually needs
  • Accuracy — single client and matter records with update flows, not duplicates
  • Storage limitation — per-matter retention schedules and controlled deletion
  • Integrity & confidentiality — encryption, permissions, isolation and audit
  • Accountability — be able to demonstrate all of the above

Data subject rights

Clients can ask to access their data or exercise other rights. You need to find what you hold quickly and respond within the statutory timeframe — which is far easier when everything lives against one matter record rather than scattered across drives and inboxes.

Breaches

If a personal-data breach occurs, you may need to notify the ICO within 72 hours. An append-only audit of who accessed what makes it possible to understand the scope of an incident quickly.
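The two operational claims above, that an append-only audit of who accessed what lets you scope an incident quickly, and (under Data subject rights) that keeping everything against one matter record lets you find what you hold, as an added example. This is illustrative code, not Fitzentic's: a hash-chained log where each entry commits to the one before it so a removed or edited entry is detectable, a scope query for one account over a time window, and a lookup of every matter holding a subject's data. The matter ids, account names, field names and timestamps are all constructed sample values.

```python
"""Append-only, hash-chained access audit log with an incident-scoping query.

Added example (not Fitzentic's code). The matter store, account names,
matter ids and timestamps below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # prev-hash of the very first entry


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def append_event(log: list, actor: str, action: str, matter_id: str, field: str, at: str) -> dict:
    """Append one access event. Each entry's hash covers the previous entry's hash,
    so deleting or rewriting any entry breaks every hash that follows it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "at": at, "actor": actor, "action": action,
            "matter_id": matter_id, "field": field, "prev": prev_hash}
    entry = dict(body, hash=_sha256(json.dumps(body, sort_keys=True)))
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """Recompute every hash in order; False if an entry was altered, removed or reordered."""
    prev_hash = GENESIS
    for seq, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["seq"] != seq or body["prev"] != prev_hash:
            return False
        if _sha256(json.dumps(body, sort_keys=True)) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def scope_incident(log: list, actor: str, start: str, end: str) -> dict:
    """Which matters and fields did `actor` touch between start and end (ISO 8601, inclusive)?
    Returns {matter_id: sorted fields}: the first question to answer after a breach."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    touched = {}
    for entry in log:
        if entry["actor"] != actor:
            continue
        if not (s <= datetime.fromisoformat(entry["at"]) <= e):
            continue
        touched.setdefault(entry["matter_id"], set()).add(entry["field"])
    return {m: sorted(f) for m, f in touched.items()}


def records_for_subject(matters: dict, subject: str) -> list:
    """Subject access request: every matter id holding data about `subject`,
    answered from the single matter record rather than a search across drives."""
    return sorted(m for m, rec in matters.items() if subject in rec["parties"])


# Constructed sample data: three matters and a handful of access events.
MATTERS = {
    "M-1001": {"parties": ["Alice Example", "Example Ltd"], "type": "conveyancing"},
    "M-1002": {"parties": ["Alice Example"], "type": "will"},
    "M-1003": {"parties": ["Bob Sample"], "type": "litigation"},
}


def build_sample_log() -> list:
    log = []
    append_event(log, "fee.earner", "read", "M-1001", "client.address", "2026-06-01T09:00:00+00:00")
    append_event(log, "fee.earner", "read", "M-1002", "client.dob", "2026-06-01T09:05:00+00:00")
    append_event(log, "temp.staff", "export", "M-1001", "client.address", "2026-06-02T14:10:00+00:00")
    append_event(log, "temp.staff", "export", "M-1003", "client.bank", "2026-06-02T14:12:00+00:00")
    append_event(log, "temp.staff", "read", "M-1002", "client.dob", "2026-06-05T08:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    print("scope of temp.staff on 2 June:",
          scope_incident(log, "temp.staff", "2026-06-02T00:00:00+00:00", "2026-06-02T23:59:59+00:00"))
    print("matters holding Alice Example's data:", records_for_subject(MATTERS, "Alice Example"))
```

The chain only proves the log has not been edited after the fact; it still has to be written by a path the users being audited cannot bypass, and the scope query is only as complete as the set of actions the application actually records.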

How Fitzentic helps

The platform is built around these principles — minimised intake, single records, retention schedules, encryption, permissions and a complete audit trail — so accountability is the default, not an afterthought.

This guide is general information for UK firms, not legal advice. Always check the current rules and guidance that apply to your firm.
