Where UK law firms can use AI without creating risk

TL;DR

UK law firms can use AI safely today in marketing copy, internal know-how, document review and standard drafting, provided a fee-earner signs off every output and client data stays out of consumer chatbots. The SRA, ICO and NCSC do not ban AI, they expect firms to apply existing duties of competence, confidentiality and data protection to AI-enabled work.

Key takeaways

- The safest entry points for an SME firm are marketing copy, internal know-how summaries, standard drafting and supervised document review, with a fee-earner accountable for every output.
- Pasting client data into a consumer chatbot is the single most common breach, and the ICO treats it as a UK GDPR matter requiring a DPIA and transfer assessment.
- Predictive coding in e-disclosure has been judicially approved in England since Pyrrho Investments v MWB Property (2016) and is now a baseline expectation rather than a frontier use.
- Productivity gains are real on specific tasks, around twenty to forty percent on contract first-drafting and summarisation, not across the whole practice.
- Insurers are starting to ask about AI policies and training at renewal, which means the absence of a written policy is itself becoming a risk to your professional indemnity cover.

A managing partner of an eleven-person commercial firm asked me last week whether she could let her trainees keep using ChatGPT for first-draft client letters. She had heard the SRA had authorised an AI-only firm and worried she was falling behind. Her risk partner was worried about the opposite, that the same trainees were already pasting matter documents into a consumer chatbot with no policy in sight. Both partners were right to be uncertain. The question is not whether her firm can use AI, it is which uses sit on the safe side of the line the SRA, ICO and her professional indemnity insurer have drawn.

The honest answer is that quite a lot of useful work sits on the safe side, provided the firm chooses the use cases deliberately and a qualified fee-earner stays accountable for every output. The risk almost never lives in the tool, it lives in the data you feed it and the decisions you let it influence. What follows is a map of where UK law firms can genuinely get value from AI today without creating regulatory or insurance exposure, drawn from SRA, ICO and NCSC guidance, the named operators publicly using these tools, and the points where insurers have started asking sharper questions.

What does “low risk” AI use actually mean for a UK law firm?

Low risk means the use case sits inside the Principles and Codes the SRA already enforces, with no novel exposure created by the technology. The SRA’s 2023 discussion paper is clear: solicitors remain responsible for AI-assisted work and must maintain confidentiality, competence and supervision. A use case is low risk when client data stays controlled, a fee-earner signs off every output, and the firm can explain how the tool was used.

That definition rules out the cases that catch firms in the news. It rules out a partner letting a public chatbot draft an advice letter on a live matter. It rules out predictive coding running unsupervised on a privileged review set. It also rules out marketing claims that imply AI is doing legal work the firm has not actually authorised. The permitted surface is wider than many owner-operators assume.

Where can a small firm start without regulatory exposure?

The lowest-risk starting points are marketing copy, internal know-how, standard-document drafting on templated language, and supervised review on bulk disclosure sets. Clio’s UK guidance recommends this sequence for SME firms, and the SRA treats research, summarisation and drafting as legitimate AI uses provided lawyers verify the outputs. Each task involves no client data, or client data the firm already controls inside its DMS.

Marketing copy is the safest beachhead. Blog posts, newsletters, social posts and BD pitches can be drafted by a consumer tool because there is no client information in the prompt and the only review needed is editorial. Internal know-how is next. Summarising a recent judgment for the team, building a checklist for a procedure, drafting training notes from a transcript: these are all assistant-grade tasks where AI saves a fee-earner an hour and the worst-case error is an internal one a partner catches. Standard drafting moves up the sensitivity ladder: NDAs, engagement letters and routine correspondence on precedented matters, where the template lives in your DMS and AI adapts the language rather than rewriting the protective clauses.

E-disclosure and due diligence sit slightly higher again, but the technology has been in the courts for nearly a decade. Predictive coding was endorsed by Mr Justice Master Matthews in Pyrrho Investments v MWB Property in 2016, and major firms including Slaughter and May and Herbert Smith Freehills have been running it through Relativity, Reveal and Kira ever since. The judicial position is settled, AI ranks and tags documents while humans decide relevance and privilege.

Where do firms actually trip up?

The single most common breach is staff pasting client data into a public chatbot. The ICO treats this as a UK GDPR matter that needs a documented lawful basis, a DPIA where processing is high risk, and a transfer assessment for personal data going to a non-UK LLM. The NCSC’s 2024 guidance on public generative AI is explicit: consumer tools should not receive sensitive data without clear controls and DLP in place.

Samsung’s 2023 internal ChatGPT ban after staff leaked source code is the cautionary example UK regulators reach for when explaining the same point to law firms. The second pattern is letting AI act as decision-maker rather than assistant. The Mata v Avianca sanctions in the US, where a lawyer filed a brief containing fabricated citations from ChatGPT, sit in every SRA and Law Society warning paper. The third pattern is firms marketing AI as a shortcut. SRA publicity rules apply: you cannot imply AI is delivering legal judgment when a fee-earner is still doing the work.

What does the practical baseline look like for an SME practice?

A five to fifty person UK firm needs five things: a written AI use policy, a register naming approved tools and use cases, defined no-go data categories, mandatory sign-off on every output, and short training so the team knows the rules. None of this needs a chief AI officer or a governance platform. A partner owns the policy, the COLP keeps the register current, and fee-earners take an hour of training a year.

On the tools side, a typical baseline looks like this. Marketing and internal use runs on Microsoft 365 Copilot configured to your tenant, with no cross-tenant data leakage. Legal research uses a subscription tool with a content licence, Lexis Plus AI or Westlaw with generative features, rather than a general-purpose chatbot. Document review and e-disclosure use a vetted platform such as Relativity, Reveal or Kira, hosted in the UK or EEA, with a UK GDPR-compliant data processing agreement signed. Practice management AI features inside Clio, PracticeEvolve or your DMS are switched on once you have run a DPIA on what they change about your data flows.

Productivity gains are real but specific. Early-adopter firms report twenty to forty percent time savings on contract first-drafting and summarisation tasks, not across the whole practice. A firm that promises clients a thirty percent fee reduction because it has bought a Copilot licence is overclaiming. A firm that uses AI to redirect three or four hours per fee-earner per week to higher-value work is being accurate.

What should a partner ask before approving any new AI tool?

Five questions, in this order:

- What data does the tool process, where is it hosted, and will the supplier sign a UK GDPR-compliant DPA?
- What is the use case, who is accountable, and how will sign-off be evidenced?
- What training does the team need?
- What does our PI insurer need at renewal?
- What is the off-ramp if the supplier changes its model or hits regulatory trouble?

If any of those questions does not have a clear answer, the tool is not yet ready for deployment. The discipline is not complicated: it is the same risk management partners already apply to outsourcing, to cloud migration and to lateral hires. AI is not a new category of decision, it is a new instance of an old one.

If you want a peer review of where your firm sits on this map, book a conversation.

Sources

- Solicitors Regulation Authority (2023). Innovation, technology and legal services, discussion paper. Confirms that AI use is permitted under the existing Principles and Codes, with solicitors remaining accountable for outputs. https://www.sra.org.uk/sra/research-publications/innovation-technology-legal-services/
- Information Commissioner's Office (2024). Guidance on AI and data protection. Sets out UK GDPR expectations for AI processing of personal data, including DPIAs and transfer assessments. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- Thomson Reuters Institute (2024). Future of Professionals report, UK legal segment. The 87 percent UK legal expectation of high impact from AI within five years and the corporate-versus-private-practice adoption gap. https://www.thomsonreuters.com/en-us/posts/legal/uk-lawyers/
- National Cyber Security Centre (2024). Using public generative AI safely. Practical controls for staff use of public LLMs, including data-loss prevention and terms-of-service review. https://www.ncsc.gov.uk/guidance/using-public-generative-ai-safely
- Law Society of England and Wales (2024). Large language models and generative AI in legal services. Position on AI as assistant rather than source of truth, with hallucination case studies. https://www.lawsociety.org.uk/topics/research/large-language-models-and-generative-ai-in-legal-services
- England and Wales High Court (2016). Pyrrho Investments Ltd v MWB Property Ltd, EWHC 256 (Ch). The first English judgment endorsing predictive coding for disclosure review. https://www.bailii.org/ew/cases/EWHC/Ch/2016/256.html
- Reuters (2023). Allen and Overy rolls out ChatGPT-style legal bot. The Harvey pilot across 3,500 lawyers and 43 offices with firm-wide governance. https://www.reuters.com/legal/legalindustry/law-firm-allen-overy-rolls-out-chatgpt-style-legal-bot-2023-02-15/
- Clio (2024). AI for lawyers, UK guide. Practical adoption sequence for SME firms starting with marketing and operational use. https://www.clio.com/uk/resources/ai-for-lawyers/
- European Union (2024). Regulation (EU) 2024/1689, the AI Act. Risk-classification rules that apply to UK firms with EU-facing work or EU-provided tools. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Solicitors Regulation Authority (2024). SRA Code of Conduct for Solicitors. The competence, confidentiality and publicity duties that AI use must satisfy. https://www.sra.org.uk/solicitors/standards-regulations/code-conduct-solicitors/

Frequently asked questions

Can a small UK law firm use ChatGPT for client work without breaching SRA rules?

Only with controls in place. The SRA expects confidentiality, competence and supervision, and the ICO treats client data sent to a public chatbot as a regulated processing activity that usually needs a DPIA and transfer safeguards. A firm can use ChatGPT for marketing copy, internal training notes and anonymised first drafts, provided written policies exist, fee-earners review every output and identifiable client information never leaves a vetted environment.

Is AI-assisted document review accepted by the English courts?

Yes, within limits. Predictive coding was endorsed by the High Court in Pyrrho Investments v MWB Property (2016) and has been used in major disclosure exercises ever since. The court treats AI as a review aid that ranks and tags documents, while humans decide relevance and privilege. Firms using it should document the technology, the training process and the quality-control steps in case the protocol is challenged.

What is the single biggest AI risk for a five to fifty person law firm right now?

Unsanctioned use of public chatbots with client data. Staff pasting matter documents into ChatGPT or Gemini without a policy, supplier assessment or client consent can breach UK GDPR and SRA confidentiality duties at once. The fix is a written AI policy that names the approved tools, the no-go data categories and the sign-off process, plus short training so the team actually knows what the rules are.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.
