Data Protection Policy
At Lester Aldridge LLP (“LA”), we know how important data protection is to our clients. Solicitors have always been bound by a strict duty of confidentiality to their clients. We keep our systems and procedures under regular review to ensure we protect your data.
This policy explains our approach to handling, storing and transferring the personal data you provide to us so you can be confident that we apply appropriate measures to the protection of your personal data.
What information do we collect?
LA collects personal data about you in line with our Privacy Notice.
LA will only collect and hold information or disclose it to someone else if we have a lawful basis to do so. If you are a client, LA will explain the basis in the privacy notice that we will send to you with our letter of engagement. The privacy notice published on our website covers LA’s interaction with different types of data subjects.
The data protection principles
LA is obliged to process all personal data in accordance with the data protection principles set out in the UK General Data Protection Regulation. This means that when we collect your personal data we will:
- process it lawfully, fairly and transparently and for a legitimate reason – we will tell you why we are collecting it and what we are going to do with it. We will not do anything more with the data beyond this. We provide this information in our website privacy & cookies policy and in our privacy notice;
- use it to provide you with legal advice and services;
- make sure the data we collect is adequate, relevant and is limited to what is necessary;
- do what is reasonable to keep it up-to-date. If it is inaccurate, outdated or wrong, we will correct it or delete it. If you think the data is wrong, please tell us;
- only store it for as long as we need it. We will tell you how long we will keep it after your matter has been completed and in the privacy notice;
- keep it confidential, secure and available; and
- only transfer it to countries outside the United Kingdom (“UK”) in line with data protection laws.
Our website
Our website does not collect location data or other data that can identify you by name unless you input data in order to allow us to contact you. If you register for an event, we can track your location to assist us in assessing the effectiveness of our communications using tools such as Google Analytics.
We also track our email traffic (but not its content) to allow us to evaluate our relationships with organisations. Our website privacy & cookies policy provides further information about how we obtain and use data through our website. We will update our website privacy & cookies policy if we change the way in which we collect and use personal data through our website.
Data subject rights
LA has policies and procedures in place to deal with any rights exercised by data subjects. Data subject rights are set out in our privacy notice.
Data breaches
LA has policies and procedures in place to deal with any data breaches that are reported. We keep internal records and have a process in place to notify the ICO, if necessary, and data subjects, if applicable.
Information security
We are required to implement appropriate technical and organisational measures to ensure a level of security for personal data that is proportionate to the risk.
Overview
LA maintains a vigilant focus on security through the use of dedicated information security personnel, deployment of technical controls, and adherence to relevant industry standards and frameworks. LA is in a continual security evaluation and review process and is always improving controls, processes and technical systems in a layered security environment. This guide provides a non-technical overview of LA’s information security management practices, processes, and controls. LA’s information security and risk management activities are designed to ensure the confidentiality, integrity, and availability of LA and its clients’ information.
Organisational and security policies
LA’s information security management practices, as defined by our policies, standards and procedures, have been implemented in accordance with recognised information security best practices. We are ISO27001:2022 compliant. ISO27001 is an international standard for information security, cybersecurity and privacy protection. Being compliant with this standard enables us to demonstrate that we have an information security management system in place. An information security risk management framework is used to identify, assess and evaluate information-related risks, along with the selection and implementation of related technical, physical and administrative controls.
Our information security processes and control documents are reviewed annually and approved by management. We have policies which provide guidance to our people on acceptable uses of our systems and equipment and on how to report any information security incidents or data breaches.
Our people and training
Our people are subject to onboarding checks and sign up to confidentiality agreements as part of the recruitment process. On commencement of employment, they undergo an induction training program which includes data protection and information security.
Our people undergo regular mandatory training on information security and data protection, as well as relevant technical processes to classify, store, and reproduce sensitive documents, spreadsheets, and legal filings. This training includes the legal, ethical, and contractual importance of protecting private and sensitive client data and personal data.
LA deems all data received or produced on our client matters as confidential, and electronic records are subject to appropriate security and access control profiles. Hardcopy records are scanned into the system. All client records are indexed within LA’s records management/case management systems and labelled appropriately.
Users are required to maintain the confidentiality of their personal passwords, which must meet complexity requirements. Access to applications is security-controlled and restricted according to need.
Physical and environmental security
The buildings we occupy are monitored by CCTV and have perimeter security controls. Our offices have intruder and fire alarms in place.
We have contractor controls in place for when contractors work at our offices. Visitors are escorted at all times and are subject to visitor controls within our offices. All our offices have access controls for authorised personnel. Sensitive areas within our offices (e.g. comms rooms) are off-limits to all but authorised personnel.
Areas where client data is stored, electronically transmitted, or processed are protected by fire detection and suppression, electronic water leak detection, and temperature and humidity controls. Access to secured areas is controlled via a security badge system.
We maintain UPS and generator back-up power supplies as well as secondary communication channels.
Operations security
Documented policies and procedures for information technology operations are maintained, including a formal change management process. All our devices (workstations, laptops) employ endpoint antivirus protection. Access to our systems is subject to multi-factor authentication. Regular data snapshots, as well as daily full backups, are replicated to our Disaster Recovery Centre.
Communications security
To ensure network protection, LA has implemented a multi-layered defence-in-depth strategy using the latest preventive and detective controls. The network perimeter is secured through firewalls that monitor and control connections into and out of the network as well as the availability of services therein.
IT supplier relationships
We evaluate prospective suppliers based on our requirements. Risks associated with the use of any IT supplier for our critical operations are fully analysed and assessed, and prior to instructing any vendor we enter into confidentiality agreements with them as appropriate. All due diligence records created when establishing the vendor relationship are maintained.
Information security incident management
A centralised and secured architecture provides the foundation for our Business Continuity Plan and Disaster Recovery strategy which aims to allow us to continue to serve our clients in the event of a disaster or other business interruption.
We have a Business Continuity Plan which covers all our offices and a separate IT Disaster Recovery Plan which forms part of that overall Business Continuity Plan. LA’s business recovery strategy includes systems and procedures that allow us to prevent and mitigate potential interruptions in our ability to deliver services to clients, such as emergency communication systems and local emergency teams.
Business continuity and disaster recovery reviews are conducted on an annual basis to check the prioritisation of continuity, recovery and resumption activities against defined objectives such as the recovery time objective (RTO) and the recovery point objective (RPO).
Compliance
LA has an internal team that advises us on current and upcoming legal and regulatory requirements and monitors our compliance with our legal and regulatory obligations.
Additionally, we undergo external and internal audits to check and maintain compliance with business and industry requirements. Audit results relating to data protection will be summarised in internal reports to our Data Protection Committee to continually improve our practices and strategies.