TrustYourWebsite

GDPR for solicitors in Ireland: Law Society requirements

3 April 2026

Solicitors' practices are subject to two overlapping regulatory regimes: GDPR/Data Protection Act 2018 (enforced by the DPC) and Law Society of Ireland regulations (enforced by the Law Society). Both require data protection compliance, but they approach it differently.


Law Society of Ireland position

The Law Society of Ireland has issued guidance on data protection for solicitors, recognising that legal practices process significant volumes of sensitive client data. Key positions:

  • Solicitors must appoint a responsible person for data protection within the practice (for larger firms, a formal Data Protection Officer may be required)
  • Client files must be stored securely with access restricted to those working on the matter
  • Physical files must be stored securely; digital files must be encrypted or password-protected
  • Solicitors must have a written data protection policy

Client confidentiality and GDPR

Legal professional privilege and client confidentiality are longstanding principles of Irish law. GDPR adds a layer of formal obligations on top of these duties.

Key interactions:

  • Clients' right of access: A client can submit a Data Subject Access Request (DSAR) for all personal data you hold about them. You have one month to respond. Solicitor-client privilege may limit what you must disclose (communications covered by privilege may be withheld), but you cannot ignore DSARs entirely.
  • Right to erasure: Clients can request deletion of their personal data. Solicitors can decline where retention is required by law (e.g. AML obligations) or necessary to defend legal claims.
  • Third party data: Files often contain third party data (opposing parties, witnesses). Be careful about disclosing this in response to a client DSAR.

Anti-money laundering (AML) data retention

Solicitors are designated persons under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. AML obligations create specific data retention requirements that interact with GDPR's data minimisation principle.

Required AML records:

  • Customer due diligence (CDD) documentation: copies of ID and verification documents
  • Records of transactions you conducted on behalf of clients
  • Correspondence and notes related to suspicious transaction reports (STRs)

Retention period: 5 years from the end of the business relationship or the date of the transaction.

This creates a floor on data retention that overrides a client's right to erasure for AML-covered records during the 5-year period.


Your firm's website

A solicitors' firm website typically collects personal data through:

  • Contact enquiry forms
  • Online consultation booking
  • Newsletter or legal update subscriptions

Required on your website:

  • Privacy policy covering how you handle enquiry data, who has access, and retention periods
  • Cookie consent banner if using analytics
  • Law Society of Ireland registration number (professional body requirement under SI 68/2003)
  • CRO number and registered address if the practice is incorporated
  • A direct contact email address

Professional indemnity and data protection

Data breaches and DPC enforcement actions may engage your professional indemnity insurance. Review your policy to understand coverage for:

  • Costs of DPC investigations and legal representation
  • Regulatory fines (note: GDPR administrative fines are generally not insurable, but investigation costs often are)
  • Client notification costs in the event of a data breach

Checklist for solicitors' practices

| Item | Required? |
|------|----------|
| Written data protection policy | Yes |
| Data Processing Agreements with practice management software | Yes |
| Client privacy notice provided at engagement | Yes |
| DSAR procedure documented | Yes |
| AML records retained for 5 years | Yes (legal obligation) |
| Data breach notification procedure | Yes |
| Secure file storage (physical and digital) | Yes |
| Privacy policy on firm website | Yes |
| Law Society registration number on website | Yes |


This is technical analysis, not legal advice. Consult the Law Society of Ireland and a qualified data protection specialist for your specific situation.
