Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Processing Personal Data

A practical approach to maintaining compliance with the GDPR

(This is the second blog in the series written by Alex Matheson)

The GDPR provides that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.

In addition, you are obliged to inform your clients for the given period they will keep this personal data, or (if that is not possible) how the period will be determined. Therefore an assessment needs to be made at the outset so that the client can be accurately informed. You should think about the data retention period before any engagement letter is sent, making any adjustments necessary for a new client’s individual circumstances.

Most organisations will benefit from a data retention policy to help you select the appropriate period for each type of data.  You may choose to pick the shortest period that is workable, since organisations will have a duty to actively maintain data & keep it up to date whilst you are retaining it (or at least until the data processing activity changes to that of archiving – which should be clearly defined).

A mix of factors can determine the retention period, including case law, legislation, regulatory requirements, insurer expectations and your own traditions of practice.  You will need to determine which period applies for each type of case & for each type of data, or if this is impossible, the criteria by which this will be determined.

You may find it helpful to specify how you will determine when a matter will be archived.  Clients do not necessarily have a right to know this, however, stating an archiving cycle is in line with the spirit of transparency.

Lawful basis

You can only process personal data for specified, explicit & legitimate purposes, & where an organisation has a specific lawful basis for doing so.  In addition, you are obliged to inform your clients in advance as to what the lawful basis is under which they will be processing the individual’s personal data, before the client provides their personal data to the organisation – so engagement letters need to specify this.

The GDPR provides a list of possible lawful bases for processing data on which an organisation may rely.  Care should be taken to identify the appropriate lawful basis, since the data subject has different rights depending on which lawful basis is identified, & it would be difficult for an organisation to change the lawful basis for processing after they have collected the data, though multiple bases can be stated in advance.

An engagement letter needs to mention each of the types of data that are being collected from clients, the purpose for which the organisation will be processing it, and (in each case), the lawful basis for doing so.  Ultimately, clients need to be properly informed.

Consent as a lawful basis

Although consent is the first item in most of the guidance documents, for many organisations, consent might be the last option that you should seek to rely on if you do not have another reason for processing personal data.  The reason you might wish to consider consent last is that consent can be freely withdrawn at any time & leads to a wider range of rights for data subjects, which are not appropriate if the actual lawful basis is not consent.

If a contract needs to be performed which relies on personal data, then it is inappropriate for data subjects to be informed that they can withdraw consent If consent is indeed the basis (and the only basis) for collecting a person’s data, then organisations should state this.  Where consent is the basis, there is a high standard for obtaining informed consent and records of consent should be kept.

Implicit consent is not permitted.  Consent needs to be freely given, specific, informed and unambiguous.


White & Black is a specialist commercial and technology law firm.  If you need technology or commercial law advice, contact the team on 0800 035 2656 or email


Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy