Gordon & Co Legal Services

GDPR & Data Protection

We comply with the UK GDPR and the Data Protection Act 2018. This page summarises our governance, lawful bases for processing, security measures, retention, your rights and how to raise concerns.

Principles

  • Lawfulness, fairness and transparency
  • Purpose limitation and data minimisation
  • Accuracy and storage limitation
  • Integrity, confidentiality and accountability

Governance & Accountability

We operate a documented data protection framework including policies, risk assessments, Records of Processing Activities (RoPA), and supplier due diligence. We review policies at least annually and whenever material changes occur.

  • Data protection & information security policies
  • Access controls & least-privilege permissions
  • Change management and incident response plans
  • Annual reviews and management sign-off

Roles & Responsibilities

Controller: Gordon & Co Legal Services, 1st floor, Romer House, 132 Lewisham High Street, London, SE13 6EE, UK.

Data Protection Lead (DPL): info@gordoncolegal.com (for queries and rights requests). If we appoint a formal DPO, their details will be added here.

Staff have defined responsibilities for confidentiality, secure handling, accurate record-keeping and timely breach escalation.

Lawful Bases

We rely on the lawful bases most relevant to legal practice:

  • Contract: providing legal services under our retainer.
  • Legal obligation: regulatory duties (e.g., AML/CTF, record-keeping, reporting).
  • Legitimate interests: practice management, security, quality assurance and improvements, conflict checks.
  • Consent: only where required (e.g., analytics cookies, specific marketing).

Special Category & Criminal Data

Where necessary for a matter, we may process special category data (e.g., health) and criminal data with heightened safeguards. We typically rely on the legal claims condition and, where applicable, substantial public interest conditions under the DPA 2018.

Processors & Key Services

We use vetted service providers (processors) under written contracts that include data protection terms. Examples include case management (e.g., CLIO), secure email, cloud hosting and payment processing.

  • CLIO: used for case administration and document management with least-privilege access and encrypted transport.
  • Cloud hosting & email: for secure infrastructure and communications.
  • Payment providers: for fees and refunds.

We review suppliers periodically and whenever material changes arise (e.g., sub-processors, location, or scope).

Records of Processing & DPIAs

We maintain a Record of Processing Activities (RoPA) describing purposes, categories, recipients, retention, and safeguards. We conduct Data Protection Impact Assessments (DPIAs) for higher-risk processing—e.g., sensitive matters, large-scale data, new technologies or transfers outside the UK/EEA.

Retention

We retain matter files for set periods consistent with professional obligations and our retention policy. We securely dispose of data when no longer required.

Typical client files are retained for a number of years after closure; certain categories (e.g., children matters) may require longer retention. See Documents & Procedures for our current schedule.

Security

We implement layered security controls, access management and audit. CLIO integrations are configured with least-privilege access and transport encryption.

  • Encryption in transit; strong authentication and role-based access
  • Device hardening and patching; secure development & change control
  • Backups & continuity planning; vendor due diligence
  • Incident response runbooks and breach escalation

International Transfers

Data is usually stored in the UK/EEA. If transfer outside the UK/EEA is required, we rely on adequacy regulations or appropriate safeguards (e.g., standard contractual clauses) and assess additional measures where needed.

Your Rights

You may have rights of access, rectification, erasure, restriction, objection, and portability—subject to legal exemptions (e.g., legal professional privilege, court orders).

To exercise your rights, email info@gordoncolegal.com.

Subject Access Requests (SARs)

We respond without undue delay and within one month of verifying your identity. Complex requests may be extended by up to two months. We will explain any exemptions that apply (e.g., privilege, third-party data).

Data Breaches

We investigate and record all personal data incidents. Where required, we notify the ICO within 72 hours and, when appropriate, affected individuals without undue delay, including practical steps to reduce risk.

Website & Cookies

Our website uses strictly necessary cookies and, with your permission, optional cookies (functional/analytics). You can manage choices at any time via the floating “Privacy & Cookies” control. See the Cookies section in our Privacy Notice.

Training & Audits

All staff receive induction and periodic data protection training relevant to their roles. We conduct internal checks and supplier reviews to monitor ongoing compliance.

Contact & ICO

For data protection queries, contact info@gordoncolegal.com. If unresolved, you can complain to the ICO: ico.org.uk.

  • Controller: Gordon & Co Legal Services, 1st floor, Romer House, 132 Lewisham High Street, London, SE13 6EE
  • ICO Registration: 1234567

Last updated: 25/09/2025