Even law firms violate the GDPR
You must do your due diligence. Just because you engage a reputable business does not mean that it knows what it is doing.
For example, a Danish law firm was recently fined by the Danish Data Protection Authority for lacking basic security measures, which eventually led to a data breach (link).