Legal Privilege and Data Subject Access Requests: Clearing Up the Expiry Myth

Many UK organisations mistakenly believe that legal professional privilege (LPP) ends once a legal case concludes. In reality, LPP continues to apply under the UK GDPR and the Data Protection Act 2018. This blog unpacks that misconception and explains how LPP remains a critical exemption in handling Subject Access Requests (SARs)—even after a case is closed.

Why This Matters

Subject Access Requests (SARs) are becoming more frequent—and more complex. As organisations strive to meet transparency requirements under UK GDPR, one common pitfall is mishandling legally privileged material. Too often, teams assume LPP has an expiry date. It doesn’t. And treating it otherwise can result in unintended and costly disclosures.

LPP Doesn’t Expire

Legal Professional Privilege isn’t tied to the lifecycle of a legal matter—it attaches to the content of the communication itself. Once LPP is established, it remains in force unless:

• The client waives it, or

• A court compels disclosure (which is rare).

This principle was reinforced in R (Morgan Grenfell & Co Ltd) v Special Commissioner of Income Tax [2002], which established LPP as a core legal right, not a temporary measure.

Who Controls Privilege?

Only the client can waive privilege—not the lawyer, not the organisation, and not even internal stakeholders. This was made clear in Parry-Jones v Law Society [1969], confirming that privilege is sacrosanct unless specifically waived by the client.

In exceptional cases, courts may override this privilege—but these scenarios are rare and typically tied to matters of public interest or fraud.

No “Sunset Clause” Exists

There’s a persistent myth that LPP has a time limit. It doesn’t.
Cases like Three Rivers District Council v Bank of England (No 6) [2004] and Prudential plc v Special Commissioner of Income Tax [2013] confirm that privilege doesn’t fade with time. As long as the communication remains confidential, privilege persists—whether the legal issue ended last month or last decade.

What Businesses Need to Watch For

LPP can be lost if:

• The communication becomes public

• It’s shared too broadly within the organisation

• It’s mistakenly disclosed during a SAR response

Even a minor slip—like improper redaction—can amount to an unintentional waiver.

Avoiding Mistakes with Smart Tech

Determining which documents fall under LPP is tricky—especially at scale. That’s where DSAR.ai comes in.
By automating SAR workflows, DSAR.ai helps legal and compliance teams:

• Identify LPP-protected content accurately

• Apply exemptions properly

• Prevent accidental disclosure

• Streamline review and redaction

With DSAR.ai, your team stays compliant and in control—even when deadlines are tight and data volumes are high.

Key Takeaway

LPP doesn’t expire. And misunderstanding that can lead to serious compliance risks.
Organisations should review their SAR response processes and leverage tools like DSAR.ai to protect what matters most: their clients, their reputation, and their legal integrity.