Creating a workable AI policy for UK law firms

TL;DR

UK law firms using AI without a written policy face exposure on three fronts: SRA professional obligations, UK GDPR data protection requirements, and professional indemnity risk. A workable policy for a 5-50 person practice covers approved tools, no-go zones, data categories, human-review requirements, and a review schedule. Starting with a six-to-eight-week pilot on low-risk tasks, backed by a three-person governance group, is faster and safer than waiting for a comprehensive framework.

Key takeaways

- The SRA expects firms to have policies and training covering AI use before deploying these tools; the absence of a written policy makes professional liability harder to defend after any incident.
- UK GDPR requires a Data Protection Impact Assessment before deploying AI that processes personal data in high-risk contexts, such as client onboarding screening or AI-assisted HR decisions.
- The 2025 High Court case in which 18 of 45 cited authorities could not be found and appeared to be AI-generated is the clearest available benchmark for what happens when AI output reaches a legal document without meaningful lawyer review.
- A workable AI policy for a small practice covers six elements: approved tools, prohibited uses, permitted data categories, human-review requirements, escalation paths, and a quarterly review schedule.
- A six-to-eight-week pilot on one or two low-risk tasks, with simple outcome metrics, is the fastest safe path to expanding AI use confidently across the practice.

A managing partner at a 12-person conveyancing firm found out, during a routine team meeting, that three fee-earners had been using ChatGPT to draft client letters for the past four months. Nothing had been agreed. Nothing was documented. Nobody had checked whether client details were entering a public system that stored prompts and could use them to train future models. The SRA had already published warnings about exactly this kind of uncontrolled use.

Getting ahead of that risk is achievable in weeks. A workable AI policy for a practice of 5 to 50 people is a focused document, a small governance group, and a short pilot.

What does a workable AI policy for a UK law firm actually include?

A workable AI policy for a 5-50 person practice covers six elements: approved tools, prohibited uses, permitted data categories for each tool, human-review requirements before any output reaches a client, an escalation path when something goes wrong, and a review schedule. The SRA has stated that use of AI does not reduce a solicitor’s professional obligations, and it expects firms to have both policies and training in place before deploying these tools.

The document itself can be three to six pages. Start with a risk appetite statement, something like: AI is used as a drafting and summarisation assistant only; no AI-generated legal advice letters leave the firm without partner review; no client-identifiable data enters any public tool. That short statement does most of the governance work.

Nominate an AI lead before writing a word of the policy. In a practice of this size, that is typically the managing partner, the COLP, or a senior partner with a risk brief. The ICO’s guidance on AI accountability requires that a named person owns the compliance decisions, not just the policy document.

The UK Government’s AI Playbook sets out ten principles for safe and responsible AI use that translate directly to a small professional-services firm, including using the right tool for the job, ensuring meaningful human control, and managing the AI lifecycle with documentation.

Why do law firms need one now rather than waiting for regulations to settle?

The SRA, ICO, NCSC, and professional indemnity insurers have each published AI risk guidance since 2023, without waiting for a single consolidated framework to arrive. In 2025, the English High Court considered a case involving an £89m claim in which 18 of 45 cited authorities could not be found and appeared to have been generated by an AI tool; the court warned that lawyers misusing AI faced sanctions up to and including contempt proceedings.

The financial exposure carries real penalties. UK GDPR allows the ICO to fine up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, for serious infringements including unlawful processing and security failures. Professional indemnity insurers, including Travelers, have begun issuing risk bulletins warning that unstructured AI use involving client data in public tools could affect coverage where firms have failed to follow basic risk management practice.

The legal tech consultancy 14OhFour has noted that many UK firms currently lack even basic AI policies covering which tools are permitted, how outputs should be verified, or what the documentation requirements are. That gap increases professional liability exposure. With the SRA, ICO, and insurers all publishing AI guidance now, an absence of policy is harder to justify after any incident.

Where do the real governance gaps appear in practice?

A frequently cited gap in legal practices is using public AI tools without controlling what data enters them. Consumer-grade tools may store prompts and use them for model training. A fee-earner who pastes a client matter summary into a public tool to speed up a letter has disclosed client personal data to a third party with no processor contract, lawful basis, or confidentiality assurance in place, and has usually done so without realising it. The NCSC has been explicit about this risk since publishing its guidance on generative AI in 2023.

A second gap is the absence of clearly defined no-go zones. Without an explicit prohibition on AI-generated citations entering court documents without verification, or AI-produced advice letters going out without partner review, individual fee-earners are left to judge for themselves. The High Court incident demonstrates where that leads.

The third gap is running AI as a purely operational or IT project without compliance input. Deploying a tool that handles client data without involving the COLP, COFA, or data protection officer means the firm’s accountability chain is broken before anything has gone wrong. Both the SRA’s supervision standards and the ICO’s accountability guidance require that someone with authority over risk is part of the decision.

UK firms with EU-facing work face an additional consideration. The EU AI Act, adopted in 2024, classifies certain AI systems, including some used in the administration of justice, as high-risk and requires risk management, data governance, and human oversight for them. Firms serving EU clients may need to map their AI uses against those categories regardless of where the firm itself is regulated.

When should you expand AI use and when should you hold back?

Start with low-risk, internal tasks and run a short pilot before extending the policy across the whole practice. The UK Government AI Playbook recommends short, focused sprints with lightweight feedback mechanisms, and legal sector guidance from Gowling WLG describes this as the “assistant zone”: first-draft writing, document summarisation, clause drafting from playbooks, and internal research notes, all with a named lawyer reviewing and signing off the output.

A six-to-eight-week pilot with five to ten users and a 60-90 minute training session works well. Cover three things in the training: approved prompts and workflows, what users must verify before any output leaves the firm, and what they must never enter into the tools. SRA guidance on supervision and competence applies here; the standard for AI-assisted work is the same as for any delegated task.

Track three simple metrics over the pilot period: the average time to produce a first draft, the number of material corrections per AI-assisted document, and any incidents such as hallucinated citations or near-misses on data handling. Use those to decide whether to expand the rollout, change tools, or tighten controls.

Hold back on: any use involving unsupervised legal advice, automated decision-making affecting clients, or client-identifiable data in a public tool without a DPIA completed. These sit outside the assistant zone and carry a risk profile that a policy statement alone cannot manage.

What sits alongside the policy itself?

An AI policy is the governance layer, but three complementary steps make it work in practice. A Data Protection Impact Assessment is required under UK GDPR before deploying AI that processes personal data in high-risk contexts, such as client onboarding screening or AI-assisted HR decisions. Updated confidentiality and IT policies must explicitly prohibit copying client documents into unapproved tools.

Vendor contracts for any managed cloud AI service also need the processor terms UK GDPR Article 28 requires, including confirmation that client data will not be used for model training and that it is deleted or returned at the end of the contract.

A small AI working group makes the governance arrangement concrete. Three roles cover the ground: a partner or owner for policy authority, a fee-earner who uses AI tools regularly, and someone from operations, IT, or risk. This mirrors the structure that 14OhFour reports in practices where AI adoption has held. The group does not need to meet weekly; monthly for the first six months, then quarterly once the pilot has settled.

The NCSC recommends strong authentication for AI platforms, restricted admin access, and monitoring logs for unusual access or data export. For many small practices, these requirements are already met by existing IT security arrangements, with AI systems added to the same access-control scope.
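The log-monitoring part of that recommendation is easy to state and rarely made concrete for a small practice. The script below is an added illustration, not code from the page or from the NCSC or any vendor: it reads a constructed audit log in a made-up JSON-lines format (real AI platforms and gateways have their own fields) and flags the three things worth a weekly look: logins without MFA or from outside the firm's known addresses, logins outside working hours, and a user moving more data into or out of the platform in a day than a baseline allows. The working window, office address and daily limit are assumptions and are marked as such.

```python
"""Flag unusual access and bulk data movement in AI-platform audit logs.

Added example for illustration only. The log format below is constructed for
this example; adapt the field names to whatever your platform or SIEM emits.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one JSON record per event, as an AI gateway might write.
SAMPLE_LOG = """
{"ts": "2025-03-03T09:12:04", "user": "a.patel", "event": "login", "ip": "203.0.113.10", "mfa": true}
{"ts": "2025-03-03T09:14:30", "user": "a.patel", "event": "prompt", "ip": "203.0.113.10", "bytes": 2100}
{"ts": "2025-03-03T10:02:11", "user": "j.smith", "event": "login", "ip": "203.0.113.10", "mfa": true}
{"ts": "2025-03-03T10:05:49", "user": "j.smith", "event": "prompt", "ip": "203.0.113.10", "bytes": 1800}
{"ts": "2025-03-03T10:06:12", "user": "j.smith", "event": "file_upload", "ip": "203.0.113.10", "bytes": 48000}
{"ts": "2025-03-03T23:41:07", "user": "j.smith", "event": "login", "ip": "198.51.100.77", "mfa": false}
{"ts": "2025-03-03T23:45:00", "user": "j.smith", "event": "file_upload", "ip": "198.51.100.77", "bytes": 6200000}
{"ts": "2025-03-03T23:52:33", "user": "j.smith", "event": "export", "ip": "198.51.100.77", "bytes": 9800000}
"""

# Assumptions for the example firm; tune these to the practice.
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # normal working window
KNOWN_OFFICE_IPS = {"203.0.113.10"}           # the firm's egress address(es)
DAILY_MOVE_LIMIT = 5_000_000                  # bytes uploaded + exported per user per day
DATA_MOVE_EVENTS = {"file_upload", "export"}  # events that move documents in or out


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (user, reason, when) findings for access and data-movement anomalies."""
    findings: list[tuple[str, str, str]] = []
    moved = defaultdict(int)  # (user, date) -> bytes uploaded or exported that day

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]

        if e["event"] == "login":
            if not e.get("mfa", False):
                findings.append((user, "login without MFA", e["ts"]))
            if e["ip"] not in KNOWN_OFFICE_IPS:
                findings.append((user, f"login from unrecognised address {e['ip']}", e["ts"]))
            if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
                findings.append((user, "login outside business hours", e["ts"]))

        if e["event"] in DATA_MOVE_EVENTS:
            moved[(user, ts.date())] += e.get("bytes", 0)

    # Daily totals, so a burst of uploads just before an export is caught as one volume.
    for (user, day), total in moved.items():
        if total > DAILY_MOVE_LIMIT:
            findings.append(
                (user, f"{total} bytes uploaded/exported, above daily limit {DAILY_MOVE_LIMIT}", str(day))
            )
    return findings


if __name__ == "__main__":
    for user, reason, when in detect(parse_log(SAMPLE_LOG)):
        print(f"{when}  {user:<10} {reason}")
```

On the constructed log, a.patel produces no findings and j.smith produces four: a login with no MFA, from an address the firm does not recognise, outside hours, followed by roughly 16 MB of uploads and exports in one day. The thresholds are deliberately crude; the point is that this check needs nothing beyond the platform's own audit export and can be run by whoever already owns the firm's access reviews.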

Plan for quarterly policy reviews during the first year. Both the SRA and ICO continue to update their guidance as tools and use cases develop. A policy written in 2024 may need revision by 2026, and a scheduled review is easier to defend to regulators than a document that was produced once and never revisited.

Sources

- SRA (2024). Use of technology guidance. Sets out SRA expectations on AI use, competence, supervision, and professional obligations for solicitors. https://www.sra.org.uk/solicitors/guidance/use-of-technology/
- ICO (2023). Guidance on AI and data protection. Comprehensive ICO guidance covering legal bases, fairness, DPIAs, and accountability obligations when AI processes personal data. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
- UK Government (2024). Artificial Intelligence Playbook for the UK Government. Sets out 10 core principles for safe and responsible AI use, including human oversight, lifecycle management, and right-tool discipline. https://assets.publishing.service.gov.uk/media/67aca2f7e400ae62338324bd/AI_Playbook_for_the_UK_Government__12_02_.pdf
- NCSC (2023). Using public generative AI safely. Advises against entering sensitive or client-confidential information into public tools; recommends authentication, access control, and log monitoring. https://www.ncsc.gov.uk/guidance/use-of-public-generative-ai
- ICO (2023). How do we do a DPIA? Guidance on when DPIAs are mandatory and how to complete them for AI deployments involving personal data. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-impact-assessments/how-do-we-do-a-dpia/
- ICO (2023). Accountability and governance in AI. Sets out roles, documentation, and risk management requirements for organisations deploying AI systems. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/accountability-and-governance/
- Gowling WLG (2026). A practical playbook for generative AI in legal practice. Legal sector guidance on assistant-zone use cases, lawyer-in-the-loop workflows, and verification requirements. https://gowlingwlg.com/en/insights-resources/articles/2026/a-practical-playbook-for-generative-ai-in-legal-practice
- 14OhFour (2024). AI implementation for law firms: a practical guide. UK legal operations consultancy guidance on governance gaps, permitted-tool policies, and documentation requirements. https://14ohfour.co.uk/insights/ai-implementation-for-law-firms-a-practical-guide/
- Travelers (2024). Artificial intelligence and professional indemnity risk for law firms. PI insurer risk bulletin on how unstructured AI use involving client data can affect coverage. https://www.travelers.co.uk/news-and-articles/artificial-intelligence-and-professional-indemnity-risk-for-law-firms
- EUR-Lex (2024). Regulation of the European Parliament and of the Council on Artificial Intelligence (AI Act). Classifies certain AI systems, including some used in the administration of justice, as high-risk, with risk management, data governance, and human oversight obligations. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2021:206:FIN

Frequently asked questions

Does the SRA require UK law firms to have an AI policy?

The SRA has not mandated a specific AI policy document, but its guidance makes clear that using AI tools without appropriate policies, training, and supervision can breach core duties of competence and client confidentiality. A written policy is the clearest way to demonstrate that the firm has considered how AI is used and who is accountable when something goes wrong.

What data protection steps are mandatory when a UK law firm deploys AI?

Under UK GDPR, firms must complete a Data Protection Impact Assessment before deploying AI that processes personal data in high-risk contexts, including client onboarding screening or AI-assisted HR decisions. The ICO expects data minimisation, purpose limitation in vendor contracts, and clear accountability records. Consumer-grade AI tools should not receive client-identifiable data without these safeguards in place.

How long does it take to build a basic AI policy for a small law firm?

A usable first draft covering permitted tools, data handling rules, human-review requirements, and an escalation path can be produced in two to three weeks with a small working group. The UK Government AI Playbook and ICO accountability framework provide usable checklists rather than requiring you to start from scratch. Plan for a six-to-eight-week pilot on one or two low-risk use cases before extending the policy across the practice.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
