Legal file retention requirements (the period varies by jurisdiction and regulator, but 7-10 years after matter closure is common) sit in direct tension with GDPR's right to erasure. A client who asks a legal SaaS platform to erase their data cannot override the law firm's professional retention obligations, because Article 17(3) carves those obligations out of the right. Managing the tension requires careful categorisation of which data is subject to which obligation, and for how long.
Key Analysis
Professional retention obligations override GDPR erasure rights when retention is required by law: GDPR Article 17(3)(b) (compliance with a legal obligation) and 17(3)(e) (establishment, exercise or defence of legal claims) explicitly carve these cases out of the right to erasure. The carve-out lasts only as long as the obligation does; once the retention period expires, the data should be erased.
Soft delete is not data destruction: a soft-deleted record is still present in the database (and usually in backups, replicas, search indexes and audit logs), so it remains discoverable in litigation and does not satisfy an erasure request. Erasure means removing the record from primary storage and from every copy you control, and putting any copy you cannot yet remove (such as an immutable backup) beyond use until it expires.
A subpoena or other legal process served on your cloud or SaaS provider can compel production of data straight from the provider, including soft-deleted records and backup copies, bypassing the retention controls you operate. Chain of custody and legal hold therefore have to cover the vendor's copies as well as your own, so the SaaS vendor must be written into your data management plan.
Risk Signals
Matter records soft-deleted in response to a GDPR erasure request without first verifying whether professional retention obligations apply, leaving data that should either have been retained intact or actually destroyed.
No documented procedure for matter closing and archiving, so all data is stored indefinitely.
Data stored with a cloud provider whose retention and deletion guarantees differ from your own (for example, backups that persist after the tenant deletes a record).
Action Items
Create a data categorisation policy: which data is subject to professional retention obligations, which is subject to GDPR erasure, and which is subject to both. Where both apply, the retention obligation wins for its duration, processing of that data is limited to what retention requires, and erasure follows when the period expires.
Implement a matter closing workflow that triggers the appropriate retention or deletion action based on the data category, records the retention expiry date for each record it keeps, and performs real deletion (not a soft-delete flag) when that date is reached.
Document the cloud provider's deletion guarantees (including how long backups persist after a deletion) in your GDPR Article 30 records and in the Article 28 processor agreement, and verify them annually.
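As an added example (not code from the original page, and not from any particular legal SaaS product), the following Python script shows two of the points above on a small SQLite table: a retention-aware erasure handler that hard-deletes only records whose professional retention period has expired or never applied and restricts processing of the rest, and a side-by-side of what a soft-delete flag hides from the application versus what a database export or discovery request still returns. The schema, category names, retention years and sample records are constructed assumptions for illustration; a real schedule comes from the firm's categorisation policy.

```python
"""Retention-aware erasure handling on a small SQLite schema.

Added example, not code from the original page. The table layout, the
category names and the retention periods are assumptions made for
illustration.
"""
import sqlite3
from datetime import date

# Assumed retention schedule: years to keep a category after matter closure.
# None means no professional retention obligation applies, so a GDPR erasure
# request can be honoured immediately.
RETENTION_YEARS = {
    "matter_file": 7,            # assumed professional retention period
    "marketing_consent": None,   # pure GDPR data, erasable on request
}


def _as_date(value):
    """Accept a date or an ISO-8601 string and return a date."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def open_db():
    """Create an in-memory database with constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, client TEXT, category TEXT, "
        "matter_closed TEXT, deleted_at TEXT, processing_restricted INTEGER DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO records (client, category, matter_closed) VALUES (?, ?, ?)",
        [
            ("alice", "matter_file", "2015-03-01"),   # id 1: retention expired
            ("alice", "matter_file", "2020-09-15"),   # id 2: still under retention
            ("alice", "marketing_consent", None),     # id 3: no retention duty
            ("bob", "matter_file", "2021-01-10"),     # id 4: another client
        ],
    )
    db.commit()
    return db


def retention_expires(category, matter_closed):
    """Return the date the retention duty ends, None if there is no duty,
    or date.max if the matter is still open (no closure date recorded)."""
    years = RETENTION_YEARS.get(category)
    if years is None:
        return None
    if matter_closed is None:
        return date.max
    closed = _as_date(matter_closed)
    try:
        return closed.replace(year=closed.year + years)
    except ValueError:  # closed on 29 February: roll forward to 1 March
        return closed.replace(year=closed.year + years, month=3, day=1)


def handle_erasure_request(db, client, today):
    """Apply a GDPR erasure request for one client.

    Returns {record id: action taken}. Records under a live retention duty
    are kept with processing restricted; everything else is hard-deleted.
    """
    today = _as_date(today)
    rows = db.execute(
        "SELECT id, category, matter_closed FROM records "
        "WHERE client = ? AND deleted_at IS NULL ORDER BY id",
        (client,),
    ).fetchall()
    actions = {}
    for rid, category, closed in rows:
        expiry = retention_expires(category, closed)
        if expiry is None or expiry <= today:
            # No live retention duty: a real DELETE, not a deleted_at flag.
            db.execute("DELETE FROM records WHERE id = ?", (rid,))
            actions[rid] = "erased"
        else:
            # Retention wins for now: keep the row, restrict processing, and
            # record when erasure becomes due so the closing workflow can act.
            db.execute("UPDATE records SET processing_restricted = 1 WHERE id = ?", (rid,))
            actions[rid] = "retained_until_" + expiry.isoformat()
    db.commit()
    return actions


def soft_delete(db, record_id, today):
    """What many applications do on 'delete': set a flag and keep the row."""
    db.execute("UPDATE records SET deleted_at = ? WHERE id = ?",
               (_as_date(today).isoformat(), record_id))
    db.commit()


def visible_ids(db):
    """Record ids the application UI shows (soft-deleted rows are hidden)."""
    return [r[0] for r in db.execute(
        "SELECT id FROM records WHERE deleted_at IS NULL ORDER BY id")]


def all_ids(db):
    """Record ids a database export or litigation discovery would return."""
    return [r[0] for r in db.execute("SELECT id FROM records ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(handle_erasure_request(db, "alice", "2024-06-01"))
    soft_delete(db, 4, "2024-06-01")
    print("visible to the app:", visible_ids(db), "actually stored:", all_ids(db))
```

Running the script with the sample data erases the expired matter file and the marketing record, keeps the 2020 matter with processing restricted until 2027, and then shows that soft-deleting Bob's record hides it from `visible_ids` while `all_ids` still returns it. The `date.max` branch for open matters is deliberate: an erasure request against a matter that has not been closed has no retention clock to compare against, so the safe default is to retain.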