Select Legal
Sales Enquiries: 0845 345 3300
Client Support: 01482 567600
General Enquiries: 01482 567601Sign Up For News

GDPR Manager Software Module

A GDPR Software Module for Law Firms

A set of tools to assist law firms with their GDPR compliance

The General Data Protection Regulation – GDPR (Regulation (EU) 2016/679) – 25-5-18 – is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The LAWFUSION GDPR Manager Software Module has been developed to assist law firms with their compliance.

body of man wearing a suit holding a virtual data record in the forefront of the screen between his thumb and index finger

Key Features

Document Repository

The GDPR Module includes a repository for storing all your GDPR policy and procedures documents, with version control functionality. This is the perfect place for storing your ‘Privacy Notice’, and all its history of reviews and updates,  your Data Protection Impact Assessments and your Legitimate Interests Assessments etc.  Here you will also be able to store your GDPR staff induction material and any training documents on the subject.

Controller / Processor Contracts

In the eyes of the ICO (the regulator responsible for enforcing GDPR in the UK) law firms are either data controllers or data processors depending on what they are doing with the personal data they handle. Of course law firms could potentially wear both the controller hat and the processor hat at different times for different purposes. Whenever a controller uses a processor it needs to have a written contract in place so that both parties understand their responsibilities and liabilities. Within the LAWFUSION GDPR module firms can store all their controller / processor contracts they have in place with suppliers and business associates – i.e. with witnesses, financial institutions, estate agents, the courts, the police, health professionals, etc. – or any third party to which the firm needs to transfer personal data to enable it to deliver legal services to its clients. Firms can store any correspondence with suppliers and third parties relating to their controller / processor contracts within the GDPR document repository too.


The Rights of Individuals

Under GDPR individuals (or data subjects) have eight specific rights relating to their personal data:

  • – The right to be informed
  • – The right of access
  • – The right to rectification
  • – The right to erasure
  • – The right to restrict processing
  • – The right to data portability
  • – The right to object
  • – Rights in relation to automated decision making and profiling.

When a contact (data subject) wishes to exercise one of their rights, action by the law firm will be required. The LAWFUSION GDPR module enables users to log each request and allocate to a member of staff for action. The software also has functionality that enables the law firm to verify the ID of the person making the request. LAWFUSION users will also be able to configure the system to alert relevant users when pending requests are due for action, and it can also highlight overdue data requests escalating them to the relevant Data Protection Officer or Line Manager.

Actioning 'GDPR Rights' Requests

With regard to some of the rights there is additional functionality in LAWFUSION. For example for ‘the right of access’ a data subject can ask to see all the personal data the law firm holds about them. In LAWFUSION the law firm can produce a ‘contact report’ at the click of a button for sending off by email. The request must be logged, hence there is functionality to record the request, and allocate to a member of staff for action, date and time stamped so that GDPR timeframes can be adhered to. Of course the email with ‘contact report attachment’ can be recorded within LAWFUSION too.

When a contact makes a request to be erased, to restrict processing or to object to processing – there is functionality again to verify ID, to record the request and to action it with a check-box that prevents further processing of that personal data, with a date and time-stamp.

Requests for rectification can be dealt with in LAWFUSION in a similar way.

The Right To Be Forgotten

Erasure requests can be logged in the LAWFUSION GDPR Module. This provides the ability to record erasure requests with a date and time stamp, record when and how and by who it was actioned for GDPR compliance accountability evidence. If you cannot fulfill the deletion request you may agree with the individual that you will obfuscate (or scramble) the data and tag if for no further processing, but set a destroy date for when it can be deleted. This means you will still have a hidden record of what it was that only the Data Protection Office can see. If that person decides for whatever reason to give the firm consent to process their personal data again in the future, a full audit trail of both requests and subsequent actions are saved for completeness. When the destroy date comes up, the firm can liaise with the client to confirm their deletion wishes.

Six Lawful Grounds

There are six lawful grounds under GDPR that law firms can consider for processing personal data.

  • CONSENT – the individual has given clear consent for you to process their personal data for a specific purpose.
  • CONTRACT – if you have a contract with the data subject.
  • LEGAL OBLIGATION – for compliance with a legal obligation.
  • VITAL INTERESTS – you can process the personal data if it’s necessary to protect someone’s life.
  • PUBLIC TASK – for public interest.
  • LEGITIMATE INTERESTS – if you have a genuine and legitimate reason for processing an individual’s personal data (including commercial gain).

Once you have considered the circumstances of how you process personal data in different scenarios you can choose which lawful basis is most appropriate for each. LAWFUSION provides functionality for you to record this. For instance for your clients you may decide the the lawful grounds of ‘contract’ is the most appropriate for processing their data within the day to day running of your business. In LAWFUSION you will be able to record ‘contract’ as the lawful basis against each client contact, either individually or en masse.  Alternatively, when you consider the processing of data for direct marketing purposes to consumer clients, you may decide ‘consent’ is the most appropriate grounds. With LAWFUSION you can assign ‘consent’ to the relevant contacts on your database, and also record evidence of the consent received, date and time stamped. You can also remove the contact from processing should they withdraw consent at a later date and record it.

The Personal Data of Children

For law firms that need to hold contact records for children on your database for family law purposes, or any other reason, there needs to be a way of recording dates of birth, to keep a track of ages.  The processing of a child’s personal data is allowed under GDPR if consent is obtained from a parent or guardian. The law firm must record evidence of the consent. LAWFUSION provides functionality to record dates of birth on contact records, functionality for consent and evidence of consent to be recorded and you can set the system to restrict processing according to age.

GDPR Resources For Law Firms

The best resource is the Information Commissioner’s Office (ICO) website – as this is the regulator responsible for enforcing the General Data Protection Regulation (GDPR) in the UK.

Select Legal Systems Limited produced a white paper (November 2017) six months prior to GDPR coming into force, entitled “Do You Have All Your Ducks In A Row?”. This law-firm specific document makes a number of suggestions on how firms might get its 15 GDPR ducks in a row, in the right order, in time for the May 2018 deadline.

Due to all the hype and misinformation surrounding the new legislation, we also published a blog (April 2017) listing the top 7 GDPR myths we believed law firms needed to be aware of.

Recording A Data Breach

Under GDPR a law firm, or any organisation, that encounters a data security breach has to notify the relevant supervisory authority (The Information Commissioner’s Office in the UK), within 72 hours of them becoming aware of the breach – e.g.  a loss of client details where the breach leaves individuals open to identity theft. Failing to notify a breach when required to do so can result in a significant fine. There is functionality within the LAWFUSION GDPR Module for logging breach notifications, enabling firms to record any breach instances, how they were reported, who by and who to, and how they were managed and rectified.

Catch us on twitter


select_legal @select_legal
No petrol required: Virtual conference presentations especially for law firms:
The majority of legal aid crime firms are not claiming for their unused material yet under the latest fees rules -…
Breaking news! Today @select_legal became part of @theaccessgroup. Read more about this exciting announcement here:…

Contact LAWFUSION Sales

    Your name (Required)

    Your phone number (Required)

    E-mail (Required)

    Got a question? (Required)

    LAWFUSION Users wishing to contact support out of hours please follow this link

    Privacy Notice