One of the biggest questions it seems that firms are asking themselves is on what basis can we use legitimate interest for processing personal data?  The answer is not straightforward, but the guidance provided by the ICO is incredibly helpful on this subject.  Firstly you must have a legal basis for processing data for every type of data processing you do.  For example if you process data in the course of the work you do to help someone with their will then this needs a legal basis definition which is separate to your justification for processing their data to send them information about changes in legislation relating to trusts and estates.  However you might argue that it's in the client's best interests to receive the legal update to enable them to change their will if necessary.  For me the "up-side" of GDPR is it makes firms truly think about what they are doing with their data and if the data they hold is really necessary.