When Kate delivers training or auditing services to law firms, they can rest assured that Kate has experienced law firms from the inside and understands how they work. For those being trained, Kate can speak from experience of legal work as well as drawing on her experience of having trained and supervised a number of lawyers.

Kate’s knowledge of ICO practice and experience in handling complaints to the ICO allow her to identify the main risks during a data protection audit and to bring her training to life.



During her time as Head of Information Law at Stone King LLP, Kate led a team of information lawyers across the education, charity and commercial teams, meaning that she has practical experience of the types of issues that arise in the context of legal work.

It is not realistic for every lawyer to have a detailed knowledge of the GDPR and how it fits with the Data Protection Act 2018, but lawyers ought to know enough to spot data protection compliance issues when they arise, and there is potential for negligence if they do not have at least a basic knowledge.

Kate’s role at Stone King involved training and supervising a number of lawyers, including training several from scratch, as well as delivering training for clients, and feedback was very good.

Training is best discussed in advance so that it can be tailored to the firm’s needs, but below you can see some generic guidance on the type of training available.

Kate Grimley Evans

Managing Director

Examples of the type of training available:

General overview of how data protection works

Format: Presentation followed by questions

Target audience: lawyers with little knowledge of data protection who want a basic understanding so that they can spot data protection issues arising in the course of their work

Content: An explanation of how the GDPR and Data Protection Act fit together and the main themes. This is designed to give a lawyer a basic understanding so that they know when to involve a data protection specialist.

Time allocation: 1.5 to 2 hours

Intensive Data Protection training

Format: Designed to be delivered to an individual lawyer or small group of 2 or 3. A larger group would be possible but a smaller group is likely to be more beneficial to the individual lawyers.

Target audience: lawyers who need a reasonable amount of knowledge for their day-to-day work

Content: This training can start at beginner level, with guidance on how to find the necessary resources, or be more advanced for those lawyers who have a working knowledge and perhaps would like to talk through some practical problems which come up day to day.

Time allocation: 2 hours

The GDPR ‘accountability principle’ means that regular auditing of compliance, both internal and external, is an expectation.

Two levels of service available

The Basic Audit Package

This is designed to be a pragmatic solution for law firms who do not want the full audit package or who would like an interim audit. It is designed to be a cost-effective way of identifying issues and therefore improving compliance. It is the best option for a firm which wants an overview.

This involves:

Around 2-2.5 hours sitting with the COLP (or other suitable contact) to look at what is in place already.

Some further review of documentation as agreed.

A detailed report with recommendations which can be presented to the Partnership Board.

The Full Audit Package

The full audit is always a bespoke offering, following discussion with the COLP (or other contact). A larger firm with multiple offices is likely to benefit from us visiting more than one office to see how well the stipulated data protection practices are implemented in practice. A typical full audit would include:

A meeting with the COLP (or other contact) to discuss the GDPR implementation to date.

A series of interviews with staff, individually or in groups, across as many offices as agreed.

Document review to the level agreed.

A full detailed report with recommendations which can be presented to the Partnership Board as required. Typically, we would attend the meeting to present our findings and answer any questions arising.

Note that this audit does not include a review of IT security, which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they are within our knowledge and expertise.