OrdoLux

27 Nov 2025 · Compliance

Data Privacy & Confidentiality When Using AI in UK Law Firms

Photo: Compliance and legal AI for UK solicitors – Data Privacy & Confidentiality When Using AI in UK Law Firms.

A practical, UK-centric approach to lawful, confidential AI use under UK GDPR and professional duties.

When solicitors talk about AI, the conversation usually turns quickly to data privacy and confidentiality. Quite right: you are trusted with sensitive client information, and the idea of “sending it to a black box” is uncomfortable.

The good news is that you already know most of the principles you need. UK GDPR, the common law duty of confidentiality and SRA obligations give you a clear starting point. The challenge is translating them into practical rules for modern AI tools.

This article sets out a UK‑centric, principle‑first approach you can use to decide:

  • when a given AI tool or workflow is acceptable;
  • what red lines you want to adopt as a firm; and
  • what controls you need around the tools you do approve.

Step 1: Map what data you’re actually using

Before you worry about vendors or model names, start with your own data.

  • Client confidential information – anything relating to a client’s affairs that isn’t in the public domain.
  • Personal data – any information relating to an identified or identifiable person (clients, opponents, witnesses, staff).
  • Special category data – health information, racial/ethnic origin, political opinions, religious beliefs, etc.
  • Criminal offence data – allegations, charges, convictions.

Ask for each proposed AI use case:

  • What categories of data are involved?
  • Do they include special category or criminal offence data?
  • Is there a way to reduce or anonymise what we send?

Often, a surprising amount of value can be obtained from:

  • prompts that use abstracted or anonymised facts; and
  • working with internal precedents rather than live client documents.

Step 2: Understand where the data is going

Next, look at the data flows.

  • Is the tool a consumer web app, or is it an enterprise / law‑firm‑grade service?
  • Where is data stored (UK, EEA, elsewhere) and under what contractual terms?
  • Who can access it – just your firm, or also the provider’s staff, sub‑processors and potentially other customers?

From a GDPR and confidentiality perspective, you want:

  • a clear data processing agreement or equivalent, not just marketing pages;
  • clarity on whether prompts and outputs are used to train public models; and
  • comfort about location of processing (or appropriate safeguards if it’s outside the UK/EEA).

If the provider cannot answer basic questions about these points, that is a red flag for solicitor use.

Step 3: Apply core GDPR principles to AI use

You don’t need a special “AI GDPR”; the existing principles still work. In particular:

Lawfulness, fairness and transparency

  • Identify your lawful basis for processing (often performance of a contract, legal obligation or legitimate interests).
  • Be clear in your client care documents about the types of technology you use in delivering services.
  • Avoid surprise: clients should not feel that their data has been used in a way they would not reasonably expect.

Purpose limitation and data minimisation

  • Use AI in ways that are compatible with your original purposes for collecting the data (eg, providing legal services, managing the client relationship).
  • Share no more data than is reasonably necessary for the task at hand – don’t paste an entire brief when you only need help with a single clause.

Security and integrity

  • Ensure the provider offers appropriate technical and organisational security measures (encryption, access controls, logging, incident response).
  • Think about access within your own firm – who can trigger AI tasks, and with what safeguards?

Step 4: Protect confidentiality and privilege

Confidentiality and privilege are related to, but distinct from, GDPR.

Key questions include:

  • Does using this tool risk waiving privilege, for example by sharing material with a third party in circumstances that are not genuinely confidential?
  • Could data be accessed by people who are not within the client’s confidentiality “circle” (including support staff or sub‑processors with broad rights of access)?
  • Are you comfortable that, if challenged, you could explain why the arrangement preserves confidentiality?

Many firms adopt simple red lines such as:

  • No use of unsanctioned public chatbots for live client matters.
  • No uploading of entire bundles, pleadings or due diligence sets to external tools unless specifically assessed and approved.
  • Preference for tools that:
    • are designed for professional services use; and
    • clearly treat the firm as the controller and themselves as the processor for the relevant data.

Step 5: Design practical controls for everyday work

Once you have your principles and red lines, translate them into concrete, everyday controls.

Examples:

  • Allowed tools list. Maintain a short list of AI tools that:

    • have been technically and legally reviewed; and
    • are configured in a way you’re comfortable with (eg, tenant‑isolated models, UK/EU hosting where appropriate).

  • Template prompts and patterns. Provide examples of:

    • safe ways to structure prompts without dumping unnecessary client data; and
    • redaction patterns for sensitive information that genuinely needs to be removed.

  • File‑based safeguards. Ensure outputs are:

    • saved into the matter file; and
    • clearly labelled as AI‑assisted, so everyone understands their status.

  • Escalation routes. Make it easy for people to ask, “Is it OK to use AI for this?” without feeling foolish.

Step 6: Use DPIAs where risk is higher

For higher‑risk uses – for example, training models on large volumes of client data or using AI to make or inform important decisions about individuals – a Data Protection Impact Assessment (DPIA) is usually sensible and sometimes mandatory.

A DPIA in this context might cover:

  • the precise nature and scope of the processing;
  • categories of data subjects and data;
  • potential impacts on the rights and freedoms of individuals;
  • mitigations (technical, contractual and organisational); and
  • a decision on whether to proceed and on what terms.

Even where a DPIA is not strictly required, thinking in this structured way helps you spot risks early.

How a case management system can help

A lot of what makes AI safe from a privacy and confidentiality perspective is boring plumbing:

  • knowing which matter each AI‑assisted output belongs to;
  • keeping an audit trail of who did what, when; and
  • ensuring staff default to approved tools rather than random websites.

Systems like OrdoLux aim to:

  • bring AI assistance inside the matter workspace rather than off to the side;
  • integrate with providers that offer appropriate contractual and technical safeguards; and
  • make it easier to demonstrate, if challenged, that you have thought carefully about how client data flows.

So instead of each fee‑earner improvising their own setup, you can guide AI use through the same system that already controls documents, emails and tasks.

This article is general information for practitioners — not legal advice.

Looking for legal case management software?

OrdoLux is legal case management software for UK solicitors, designed to make matter management, documents, time recording and AI assistance feel like one joined‑up system. Learn more about OrdoLux’s legal case management software.

Further reading

← Back to the blog

Explore related guides