
GDPR for the clerk's room: what's actually required

An honest read of what GDPR requires of a barristers' or solicitors' clerk's room, with the corner-cuts called out.

GDPR has been the law of the land in Ireland for nearly eight years. Compliance in clerks' rooms remains uneven — partly because the regulation is dense, partly because there's been little plain-English guidance aimed at the Bar and small firms specifically. Here's an honest read of what's actually required.

Who is the controller?

At the Irish Bar, each individual barrister is a self-employed practitioner and the data controller for their own client matters. The clerk's room acts on counsel's instructions and is, depending on structure, either a joint controller (for shared infrastructure) or a processor (for counsel-specific data).

In solicitors' firms, the firm is the controller. The legal secretary or clerk acts within the firm's structure.

What you must do, regardless of size

  1. Maintain a record of processing activities (Article 30). For a small practice, this is a one-page document listing what data you hold, where it's held, why, and for how long.
  2. Have a lawful basis for processing. For client matters, this is normally contract performance (Article 6(1)(b)) — supplemented by a balancing test for legitimate interests where relevant.
  3. Implement appropriate technical and organisational measures (Article 32). Encryption, access control, backups, audit logs. "Appropriate" is proportionate to your size, but "none" is never appropriate.
  4. Have a process for data subject requests (Articles 12–22). One page. Email address. 30-day response target.
  5. Notify the DPC within 72 hours of a notifiable breach (Article 33).

Where AI tools complicate things

Any AI tool you use that processes client data is a sub-processor. That triggers two requirements:

  • A Data Processing Agreement (Article 28) — between you and the AI vendor. This isn't optional and isn't replaced by a tick-box terms of service.
  • A clear understanding of where the AI vendor is processing the data. If it's outside the EU (most US-based AI vendors), you need Standard Contractual Clauses and a transfer impact assessment.

The shortest path to compliance is to use an AI vendor whose entire stack is EU-region — including the model itself. clerk& runs inference in Sweden for this reason: the model and the data both stay in the EU, and there's no transfer to the US to assess. Specific sub-processors are listed in our privacy policy.

Where most practices cut corners (don't)

  • Using consumer messaging apps for client material. WhatsApp is not appropriate for sending a brief, no matter how convenient.
  • Personal email for practice correspondence. Personal Outlook accounts and Gmail are not appropriate for matter material.
  • Shared logins on the practice system. Every clerk and every counsel needs an individual account with their own audit trail.
  • No DPA with the dictation vendor. If your vendor can't return a signed Article 28 DPA within a week, you have a problem.

None of this is exotic. All of it is required. A practice that's done a half-day of work on it is ahead of most.
