AI Compliance for Solicitors
2026 Risk Assessment
The SRA has issued guidance on AI use in legal practice. GDPR applies to client data processed by AI tools. Legal professional privilege does not automatically extend to AI-generated content. Use this guide to close your gaps before a complaint or ICO investigation does it for you.
What the SRA says — in plain English
The SRA's updated guidance (2024) states that solicitors remain fully responsible for the accuracy of AI-assisted work. Firms must have policies covering which tools are used, how client data is protected, and how outputs are verified. The SRA has explicitly warned that it will investigate complaints where AI tools were used without adequate oversight. This sits on top of existing UK GDPR obligations — firms face dual regulatory risk from both the SRA and ICO.
10-Point Compliance Checklist
Tick each item your firm has addressed. Your progress updates automatically.
AI Tool Risk Assessment
Common tools used in legal practice — rated for compliance risk in a solicitor's context.
| Tool | Risk Level | Key Concern | Minimum Requirement |
|---|---|---|---|
| ChatGPT (free/Plus) for drafting | HIGH | Inputting client or matter information risks both a confidentiality breach and potential privilege waiver. No DPA for free/Plus tiers. | Prohibit use with any client or matter data. Enterprise tier only with signed DPA if required for generic drafting. |
| Grammarly (on privileged content) | HIGH | Pasting privileged legal advice or client correspondence into Grammarly sends that content to third-party servers — a potential privilege waiver and confidentiality breach. | Prohibit use on privileged content. Business plan DPA available for non-privileged drafts only. |
| Microsoft Copilot for M365 | MEDIUM | DPA via M365 agreement, but Copilot can access and summarise all documents in your tenant — including privileged files. Scope controls must be configured correctly. | Audit which files Copilot can access. Configure sensitivity labels on privileged documents. Verify EU data residency. |
| Harvey AI (legal-specific) | MEDIUM | Purpose-built for legal work with DPA available. Still processes matter content on external servers — privilege considerations apply. Review DPA carefully for data retention terms. | Sign DPA before use. Review data retention and deletion provisions. Document in your data register. |
| Clio AI features | MEDIUM | Legal practice management with DPA available. AI features process matter data including client details and billing. Review each AI feature's data handling separately. | Confirm Clio DPA covers AI features. Review data residency. Update your data register. |
| Kira Systems (contract review) | LOWER | Enterprise-grade contract AI with strong data controls. DPA available, data residency options. Privilege risk is lower as it reviews rather than drafts. | Review DPA. Confirm data residency. Document in your processing register. Client consent or DPA still required for their contract data. |
| Luminance (legal AI platform) | LOWER | UK-founded, purpose-built for law firms. Strong DPA, data residency options, and established audit trail. Lower baseline risk, but privilege considerations still apply. | Standard enterprise due diligence — sign DPA, confirm data location, document in register. |
Copyable AI Use Policy — Law Firms
Adapt this for your firm's handbook or client care letter. This is a starting point — not legal advice. Have your COLP review before adopting.
[Firm Name] AI Use Policy — Effective [Date] [Firm Name] operates an AI Use Policy consistent with SRA guidance on AI in legal services (2024) and our obligations under UK GDPR. APPROVED TOOLS: Only the following AI tools may be used in connection with client matters: [list approved tools]. Any other AI tool requires written approval from the COLP before use on client work. CONFIDENTIALITY: No client identity, matter reference, privileged content, or personal data relating to a client may be entered into any AI tool that does not have a signed Data Processing Agreement with this firm. Consumer-grade AI tools (free/Plus tiers of ChatGPT, Claude, Gemini, etc.) are prohibited for all client-related work. PRIVILEGE: Fee earners must not input content that is subject to legal professional privilege into third-party AI tools without explicit written guidance from the COLP confirming that doing so does not risk waiver. DISCLOSURE: Where AI has materially assisted in preparing advice, a document, or correspondence for a client, the fee earner must inform their supervising solicitor, who will determine whether client disclosure is appropriate. VERIFICATION: All AI-generated or AI-assisted content must be reviewed, verified for accuracy, and approved by a qualified solicitor before it is sent to a client, filed with a court, or submitted to any third party. BREACH: Any suspected breach — including accidental input of privileged content into an unapproved tool — must be reported to the COLP immediately. Breach may trigger ICO and/or SRA notification obligations. Policy reviewed: [Date] | Next review: [Date + 12 months] | COLP: [Name]
Regulatory Risk Reference
ICO — UK GDPR
£17.5m
Or 4% of global turnover. Confidentiality breach via AI tool = reportable data breach. 72-hour notification window.
SRA Disciplinary
Strike-off
SRA fines, suspensions, and strike-off are available sanctions for failure to uphold client confidentiality, including via AI misuse.
EU AI Act (Aug 2026)
€30m
Applies to firms serving EU clients. High-risk AI system provisions include automated legal document processing.
Not sure where your firm stands?
Get a free AI compliance assessment. We'll review your tool stack, identify your highest-risk exposures, and tell you exactly what to fix — at no cost.
No spam. We'll contact you once. Unsubscribe any time.