The General Data Protection Regulations effective from 25 May 2018


The GDPR was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it’s shared.
Even though the UK is due to leave Europe in the next 12 months, it will still apply to all businesses handling EU residents’ data, effectively replacing the Data Protection Act 1998 and comes into force from 25 May 2018.

When I set up my practice, I established a data protection policy which forms part of many policies that ensure my practice is managed and structured in accordance with professional standards. Now that the GDPR is due to come into force my privacy policy has been rewritten so that I follow best practices to comply with the GDPR. I understand the significance of the higher standards demanded of all organisations that collect and use personal data and take my obligations very seriously.
Bajaria Solicitors is a solicitor’s firm regulated by the Solicitors Regulation Authority. It is owned entirely by Smita Bajaria who the sole Director of the Firm is. Smita can be contacted at the email address above.

    1. Data Controller
      The data controller for the Firm is Smita Bajaria.

      Bajaria Solicitors have no employees but do use contractors. The Firm’s accountants, bookkeeper, website designer and IT support team have agreed to comply with GDPR requirements.

    2. Data Processors
      LEAP provides the Firm’s case management system.

      OCS-UK IT Limited provides us with IT support.

      M4WA Limited is responsible for our website.

    3. We must ensure that as our client you can:
      • Find out about what data we collect
      • What we do with that data
      • What you can ask us to do with your data
      • How we share your data with third parties
      • How do we prevent data breaches and what happens if there is a data breach
    4. What data do we collect and why?
      We collect, use and share data primarily in the exercise of our functions as a solicitors’ practice. We are regulated by the Solicitors Regulation Authority.

      Personal data is defined in the GDPR as any information relating to an identified or identifiable natural person. This can include obvious data like your name but also one or more identifiers such as the physical, mental, or cultural or social identity of that person.

      Special category data includes data revealing your race or ethnic origin, political opinions, religious or philosophical beliefs, and biometric data, data concerning health or your sexual orientation.

      We need this information about you to allow us to work on your case and in line with the instructions that you provide.

      We use cookies on our website;

      • Cookies are small text files that can be used by websites to make a user’s experience more efficient. Our service providers use cookies and those cookies may be stored on your computer when you visit our website.
      • We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies.
    5. How do we store your data?
      We are under a duty to keep personal data and information confidential. This means we take all steps to keep it secure, use it fairly and ensure that data protection safeguards are in place. We use secure portals and encryption tools when necessary to make sure that data transit is protected.
    6. How can you request a copy of your data?
      You can email to request a copy of your personal data.
    7. How can you request that your data is deleted?
      You can email to request data deletion. We can delete as much of your data as we are permitted to.

      In some cases, we are not required to provide you with information we hold about you. Where this is the case, we will let you know.

      As a private paying client, we cannot delete all your personal data for a period of seven years because we are obliged by law to retain payment information for that period for tax and VAT purposes.

    8. How can you request that your data is rectified?
      You are entitled to have your records amended if the personal data we hold is inaccurate or incomplete. You can email
    9. How you can object to the processing of your information?
      You are entitled to object to the processing of your personal data. You can email with your objections and we will stop processing unless we can show compelling legitimate grounds for continuing the processing which overrides your interests.
    10. When do we provide your personal data to others?
      We may disclose your personal data to our suppliers or contractors in so far as reasonably necessary for the conduct of your case.

      In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

    11. What happens if there is a personal data breach?
      Our systems operate to prevent data breaches. This also includes provision to prevent accidental or unlawful destruction of data. We have encryption of personal data, procedures to ensure ongoing confidentiality and procedures that allow us to have access to personal data in the event of a technical incident.

      We also ensure that all data is held securely so that it is protected against unauthorised or illegal use and against accidental loss, destruction or damage.

      The practice is a registered member of the Information Commissioners Office (ICO). The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO and in some cases to individuals. We are required to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. For example, where it could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. This would also apply where a breach is likely to result in a high risk to the rights and freedoms of individuals which would require us to notify those concerned directly. This will be explained in plain language so that you understand the type of breach that has occurred.

      The data controller must report breaches to the ICO within 72 hours after becoming aware of such a breach.

      Our data processors also have a duty to notify the data controller without undue delay after becoming aware of a personal data breach. All our data processors notify us without delay and in writing on becoming aware of any data breach in respect of personal data. If we identify a vulnerability, then we need to report the same to them via a secure email address.

      We may from time to time send you information that we think might be of interest to you. If you do not wish to receive that information, please notify our office in writing. Your consent is required.