How should law firms navigate data processing with their service providers?
The UK General Data Protection Regulation (GDPR) means legal practitioners must navigate complex issues around processing personal data.
But so must the service providers appointed by law firms, such as professional investigators and litigation support agents.
While lawyers will understand the roles and responsibilities between themselves and those they engage, how can they mitigate risk should their preferred service providers not be as savvy?
Two critical concepts that lawyers need to make sure their agents understand are legitimate interest and consent to share personal data.
These principles guide how personal information can be used in legal matters, while ensuring compliance with data protection laws.
Legitimate interest
The lawful basis of legitimate interest allows personal data to be processed if it is necessary for the purposes of the legitimate interests pursued by the ‘data controller’, provided that these interests are not overridden by the rights and freedoms of the affected individuals.
The controller is the individual or entity that determines the purposes and means of data processing.
The controller is usually the law firm or a third party.
A three-part test can determine if legitimate interest can be relied on:
1. Identify a legitimate interest
Lawyers must identify the legitimate interest they are relying on as the basis for processing personal data. This could include fraud prevention, legal compliance or the establishment of legal claims.
2. Demonstrate necessity
It is crucial to evaluate whether the intended processing is necessary and is a reasonable means of achieving the identified legitimate interest.
3. Balance against individual rights
The interests of the affected individuals must be weighed against the identified legitimate interest. If the data processing could significantly impact the individuals' rights and freedoms, alternative lawful bases should be considered.
This approach ensures lawyers remain vigilant about the privacy rights of the individuals involved while pursuing their own or their clients’ interests.
Consent to share personal data
Consent is another significant aspect of the GDPR. It must be freely given, specific, informed and unambiguous.
Lawyers often face challenges in obtaining consent, especially in contentious legal matters where clients may require investigations involving sensitive personal data.
In practical terms, consent should be sought when:
- the controller law firm needs to process new personal data not covered by the initial instructions
- sharing information with a third party (such as a client) is necessary, particularly after identifying an individual in a trace or locate scenario that is not otherwise exempt
If consent is not provided, the controller law firm must refrain from further processing the personal data, including sharing it with the client.
This highlights the need for clear communication and documentation when seeking consent from individuals, as well as the importance of respecting their decisions regarding their data.
Minimising risks through code membership
The Association of British Investigators has developed a UK GDPR Code of Conduct for Investigative and Litigation Support Services.
This was approved by the Information Commissioner’s Office (ICO) in October 2024, under article 40(5).
It creates the opportunity for investigative service providers to be measured against the good practice guidance set out in the code, and assessed by an independent United Kingdom Accreditation Service (UKAS)-accredited and ICO-approved monitoring body.
Code members will be trained and are required to adhere to established guidelines that promote compliance with data protection law, including:
- conducting thorough legitimate interest assessments (LIAs) to ensure that data processing is justified and documented
- conducting data protection impact assessments (DPIAs) when processing is likely to pose a high risk to individuals' rights and freedoms
- maintaining accountability through documented procedures and regular training on data protection principles
This means law firms can significantly mitigate the risks associated with data processing by selecting a code member as their preferred investigations and litigation support service provider.
This type of collaboration not only enhances compliance but also builds trust with clients and stakeholders – ultimately leading to more effective and responsible legal practices.
Partner information
The Association of British Investigators (ABI) is the UK’s leading authority on the investigation industry, with a history dating back to 1913.
As a national and international platform, ABI represents professionals providing investigation and litigation support services to legal firms, private clients and corporations.
I want to know more
The Association of British Investigators (ABI) is a partner of the Law Society. It is the UK’s leading authority on the investigation industry.
Find out more about the ABI and the benefits of using ABI members.