Regulation & Compliance




Lincoln, Watts & Leeding (LWL) is a Data Controller who processes personal data and special categories of data, which we will refer to as personal information.

At LWL we understand the importance of data protection compliance, we know that excellent data protection practice is not only necessary to meet our legal obligations but it is also essential to meet our obligations to the individuals whose personal information we process and the clients we serve.

We have built a strong data protection programme supported by robust information security standards to ensure we use personal information lawfully and responsibly and that we afford it the necessary safeguards whilst it is in our possession.  Our data protection programme enables us to provide the highest assurances to the individuals whose information we process and to our clients when processing personal information as part of our services we provide.

LWL always respects privacy of the individuals whose personal information we process, we will always ensure that it is only used for specified and lawful purposes as provided for under the General Data Protection Regulation (GDPR) and any other UK legislation subsequently enacted that may relate to, replace or supersede GDPR.

Key Terms

  • We, us, our – Lincoln, Watts & Leeding
  • Personal data - any information relating to an identified or identifiable individual
  • Special categories - personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data, data concerning health, sex life or sexual orientation
  • Processing - any action or operation including collecting, recording, viewing, accessing, analysing, assessing, sharing, disclosing, retaining and disposing of personal data
  • Data Controller - the person or organisation who determines the purpose and means of processing personal data
  • Data Processor - the person or organisation who processes personal data on behalf of a Data Controller
  • Data Subject - the person to whom the personal data relates


Legal Services

Lincoln, Watts & Leeding is a law firm.  We work with large number of customers, across a range of sectors in England & Wales.  The legal services we provide help our customers to reduce the time and money spent on resolving disputes, on property transactions, on commercial, probate and private client work whilst offering a practical and solutions driven approach.

The legal services we provide to our customers require that we process of variety of personal information where necessary for:

  • the purpose of, or in connection with, any legal proceedings (including prospective proceedings)
  • the purpose of obtaining legal advice, or
  • the purposes of establishing, exercising or defending legal rights.

The types and volumes of personal information and the manner in which we process it varies between the different sectors that we operate – more information on the sectors we operate in can be seen on the OUR SERVICES page of our website.

Our approach is to only process the minimum personal information necessary in a responsible and proportionate manner in order to preserve the rights of data subjects and achieve the best outcome for our customers.

Compliance with legal obligations

We may need to process personal information where necessary to comply with professional, legal and regulatory obligations that apply to our business, for example, those under health and safety regulations or rules issued by the Solicitors Regulation Authority (SRA) and the Information Commissioners Office (ICO). That processing may include gathering and providing personal information as required by or relating to audits, enquiries or investigations by regulatory bodies.

Marketing and promotion

We may process personal information to carry out a range of marketing and promotional activities about the services we offer to current, former and prospective clients and customers, to provide legal updates and to send invitations to events we are holding or involved in.

Our marketing activities include:

  • sending promotional materials by email and post regarding the legal services LWL offer and about news, articles and other publications that relate to the work we do
  • hosting and participating in events that relate to the services LWL offer

We will always ensure any personal information we hold for marketing purposes is stored securely and is not shared with any other person without the individuals awareness and permission – for attending events we may need to share some personal information with carefully selected third parties in order to manage attendance, in which case we ensure that individuals are informed in advance and that those third parties keep the information secure and use it for these purposes only.

We will only hold personal information for marketing purposes for as long the individual wishes to receive marketing from us.  We offer individuals the opportunity to unsubscribe and opt out from marketing at any point and will remove their details from our marketing lists where they wish for us to do so.

If you are currently receiving marketing from LWL and no longer wish to do so you can let us know by contacting:

Data Protection Officer

Lincoln, Watts & Leeding

4 Novar Road




Prevention and detection of fraud

We may also process personal information where it is necessary for the prevention and detection of fraud, including fraudulent insurance claims and we may share information with other agencies for such purposes.

Other business functions

We also process personal information in order to effectively manage our business activities including statistical analysis to support our practices in relation to financial performance, client base, work type or other efficiency measures and to maintain our accounts and records.  As an employer we also process personal information about our partners and staff to help us support, develop and manage them.


We always aim to use the minimum personal information necessary to support the business activities and functions we carry out. Where those activities and functions require the processing of personal information it may include:

  • Individual details - name, address (including proof of address), other contact details (e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, and in some instances family details, including their relationship to you
  • Identification details - identification numbers issued by government bodies or agencies, including your national insurance number, passport number, tax identification number and driving licence number
  • Financial information - bank account or payment card details, income, expenditure, tax records, credit history, credit score and other financial information
  • Anti-fraud data – sanctions, penalties, judgments, criminal offences and other information received from various anti-fraud databases
  • Previous and current claims - information about previous and current claims, which may include data relating to your health, criminal convictions, or other special categories of personal data and in some cases, surveillance reports
  • Special categories of personal data - certain categories of personal data which have additional protection under the GDPR including data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric, or data concerning sex life or sexual orientation

Who we process personal information about

The categories of individuals we process personal information about include:

  • clients
  • other solicitors and lawyers
  • claimants, their family and close associates
  • witnesses
  • advisers, consultants, professional experts
  • suppliers and service providers
  • our employees
  • enquirers


We sometimes need to share the personal information we process with third parties outside of LWL.  Below is a description of the types of third party organisations we may need to share the personal information we process with for one or more purposes:

  • claimants and their family, associates, representatives
  • clients
  • current, past or prospective employers
  • educators and examining bodies
  • healthcare professionals
  • business associates
  • trade associations and professional bodies
  • suppliers and service providers
  • social and welfare organisations
  • employment and recruitment agencies
  • ombudsman and regulatory authorities
  • financial organisation
  • credit reference agencies
  • private investigators
  • debt collection and tracing agencies
  • courts and tribunals
  • central government

Whenever we share personal information we take great care to ensure it is done through the most secure and appropriate means possible so that it is afforded the necessary safeguards to prevent it from accidental loss or unauthorised access.


We implement a proactive approach to retention and disposal of personal information whereby it is retained for the minimum period necessary and only where there is a legitimate reason or lawful basis to do so.  We have Records Management and Data Cleansing policies that set out the processes we follow to manage retention and disposal of personal information and they define the periods for which personal information is retained.  The retention periods we apply have been determined based on a combination of legal obligations and legitimate business activities and the criteria we use to determine retention periods include:

  • for as long as is necessary to support our legitimate business activities
  • for as long as is necessary to deal with enquiries you may make to us
  • for as long as is necessary to defend legal claims that may be brought against LWL or our clients
  • for as long as is necessary to ensure we meet our legal and regulatory obligations


We will only ever process personal information where we have a genuine need and lawful basis to do so.  The lawful processing conditions we generally rely on to process personal information are set out below

For personal data:

  • the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation
  • the processing is necessary for the purposes of LWL’s legitimate interests or those of our clients (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child)

For special categories of data:

  • the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • the processing relates to personal data which are manifestly made public by the data subject
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

There may be circumstances where we rely on different lawful processing conditions to those set out above, where this is the case and where required to do so we will inform you of this in any privacy notices we provide.


We recognise and respect the importance and sensitivity of personal information and so we take great care to make sure we use and handle it responsibly and we afford it the necessary safeguards whilst it is in our possession.  To achieve this we have implemented a range of organisational and technical measures to protect and safeguard personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to make sure we meet our obligations.

Organisational measures we implement include but are not limited to: Data Protection; Information Security; Access Control; Acceptable Use; Information Classification and Data Handling; Information Exchange and Clear Desk and Clear Screen policies and procedures.  These set the requirements and standards to be adhered to and implemented by all partners and staff with regards to access, use, handling and exchange of personal data. We also provide regular information security and data protection training and awareness for all our partners and staff and undertake system monitoring, audits, risk assessments and inspections.

Technical measures we implement to ensure the security of personal data include but are not limited to: secure data exchange methods; user access controls; secure electronic data storage facilities; secure document storage and disposal; firewalls; antivirus software and regular system vulnerability and penetration testing.


LWL’s offices are located within England and the personal information we process is held in those offices or within data centres that are located within the UK.

From time to time however and in certain sectors we operate there are instances where transfer of personal information outside of the European Economic Area (EEA) is necessary. Where the need for an international transfer of personal information arises, we ensure it is done so using secure methods that offer sufficient assurances and guarantees that the information is afforded the necessary safeguards to prevent it from accidental or unlawful loss, disclosure, access, alteration or destruction.  We will also ensure that where necessary our clients and the data subjects whose information is to be transferred are notified in advance and informed of the safeguards we will take to ensure the security of their information.

The transfer process itself will include establishing and ensuring that there is a legal basis for the transfer to take place and that the receiving party and country within which they reside offers an adequate level of protection for the rights and freedoms of data subjects through methods including:

  • obtaining the informed and explicit consent of the data subject for the transfer to take place;
  • where the transfer is necessary for the establishment, exercise or defence of legal claims;
  • using the services of third parties based within counties that have been approved by the European Commission as providing adequate safeguards, or, companies based within the US whom subscribe to the EU-US Privacy Shield scheme;
  • conducting our own adequacy assessments against the receiving party to ensure they can offer sufficient assurances, protections and legal mechanism to uphold the rights and freedoms of data subjects;
  • implementing contracts with the receiving party, within which will be defined terms and conditions (based on the model clauses), which impose upon the party obligations and responsibilities with regards to processing of the personal information.


Under data protection laws individuals have a number of rights that enable them to control when and how their personal information is used, and, to allow them to hold organisations accountable for use of their information.

If you believe LWL processes your personal information and you wish to exercise any of your rights under GDPR, such as gaining access to the information we hold about you, where you believe the information may be incorrect, inaccurate or incomplete, where you wish to restrict or object to processing, or, if you are dissatisfied with the way in which LWL has used your information in any way you can report the matter to our Data Protection Officer using the following contact details:

Data Protection

Lincoln, Watts & Leeding

4 Novar Road




You also have the right to refer any concerns you may have regarding LWL’s use of your information to the Information Commissioners Office (ICO) - more information can be found by visiting the ICO’s website at:


  • Right to be informed: this provides individuals with the right to be told about when and how their personal data is used now and in the future.
  • Right of access: this enables individuals to gain access to and be given a copy of the personal information that we hold about them. You can request access to information that may be held about you by BLM at any time, there will be no charge for this but we may need to see proof of your identification before we can provide you with access. To make a request for your personal information you can contact us using the details provided above. You may not be entitled to see all the information held about you if an exemption applies. Examples of exemptions include information that: is about another person; may prejudice our regulatory work; is subject to legal privilege. If an exemption applies we will explain the reason for it will tell you if we have removed any information from what we send you.
  • Right to erasure (aka right to be forgotten):this enables individuals to request that we erase the personal information we hold about them. We implement a proactive approach to retention and disposal of personal information whereby it is retained for the minimum period necessary and only where there is a lawful basis to do so. However, you may request that we erase any personal information we hold about you at any time, to do so you can contact us using the details provided above.
  • Right to rectification: this enables individuals to have any incorrect, inaccurate or incomplete personal information corrected, or, ‘rectified’. Our quality assurance processes aim to ensure the personal information we hold is as accurate and up to date as possible, however if you believe that any information we hold about you is incorrect or incomplete then please let us know using the contact details above and we will make every effort to rectify it.
  • Right to restrict:this enables individuals to restrict an organisation from processing their personal information for certain purposes and in certain ways. Should you have any concerns over how BLM may be using your personal information then please let us know using the contact details above. Where we are required to restrict our use of personal information as prescribed by Article 18 of GDPR we will do so at the very earliest opportunity and we’ll also inform any third parties we may have shared information with to do so too.
  • Right to object: this enables individuals to object to their personal information being processed in certain ways and in certain circumstances where the conditions set out in the regulation apply. Where we receive an objection, any processing based on the conditions shall cease unless a relevant exception applies, most relevantly where processing is necessary for the establishment, exercise or defence of legal claims.
  • Right to portability:this gives individuals a right to have their personal information transferred or ‘ported’ to another organisation in a reusable electronic format. The conditions in which the right to data portability applies as prescribed in the GDPR generally do not apply to the processing undertaken by BLM. However, where we have the functionality and capability to provide personal information in an electronic, structured and commonly used machine readable format we will endeavour to do so in the event that we receive such a request.
  • Rights related to automated decision making:we currently do not operate any practices or processes that constitute automated decision making as defined within the GDPR. Should we develop any automated decision making capabilities in the future we will ensure that they comply with the requirements of the regulation and that we implement suitable safeguards to protect the rights and freedoms of data subjects.



We use Google Analytics software to collect information about how our visitors browse and visit our site.  We use the information to compile reports and to help us to improve our service. The Google Analytics cookies collect information anonymously, including the number of visitors to our site, where visitors originated from and the links they click within the site.  No personal information is collected or stored (for example your name or address) so this information cannot be used to identify who you are. Click here:

[] for an overview of privacy from Google.

Name              Purpose                                                                                                                   Expiration time

_ga                  Used to distinguish users, incl. number of visitors and if you’ve visited before.                  2 years                                               

_gid                 Used to distinguish users, incl. number of visitors and if you’ve visited before.                  24 hours                       

_gat                 Used to manage the rate at which page view requests are sent to the analytics server.    10 minutes                       



You may see a pop-up cookies message when you first visit A cookie is used to log that you have seen this message, so that it doesn’t show again.

Name              Purpose                                                                                                                 Expiration time

Cookiepolicy   This cookie is used to hide the cookies information banner when you have seen it.          No expiry set                       


Change cookie settings for this website

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit or

To opt out of being tracked by Google Analytics across all websites visit

Comments or queries this website

If you have any comments about using this site, then please e-mail


Technology and data privacy best practice are continuously developing.  We therefore reserve the right to revise this Privacy Statement at any time.  If this Privacy Statement changes in any way, we will place an updated version on this page.  Regularly reviewing this page ensures you are always aware of what information we collect, how we use it and under what circumstances we may share it with other parties.