London law firms face two constraints when deploying AI that most other sectors do not: solicitor-client privilege and strict UK GDPR obligations around client personal data. These constraints do not prevent AI deployment. They define the architecture that makes AI deployment safe. The five approaches in this guide are being used by London law firms in 2025 and 2026 in ways that their data protection officers and SRA compliance teams have approved. Each approach is designed around the constraint, not in spite of it.
Solicitor-client privilege means that client communications and case information cannot be shared with third parties without client consent. Sending client data to an external AI API (OpenAI, Anthropic, Google) creates a third-party disclosure that may breach privilege and UK GDPR simultaneously unless appropriate agreements are in place. The practical implication: any AI system processing client-identifiable information must either run on infrastructure the firm controls, operate under a DPA that prohibits the AI provider from accessing the data, or process only anonymised or aggregated information.
UK GDPR's data minimisation and purpose limitation principles require that client personal data is processed only for the purpose for which it was collected and only to the extent necessary for that purpose. Using client data to train a general AI model (even an internal one) goes beyond the purpose of providing legal services. AI systems that process client data must not use that data to improve models that serve other clients or other purposes.
Several London firms with sufficient IT capability are running open-source LLMs (Llama 3, Mistral, Qwen) on their own infrastructure. The model runs on servers the firm controls. Client data never leaves the firm's network. No third-party DPA required. No privilege disclosure. This approach requires GPU infrastructure (approximately £3,000 to £12,000 per month in cloud GPU costs or a one-time investment of £40,000 to £150,000 in on-premise hardware) and technical capability to deploy and maintain the model. For firms with existing IT infrastructure and an IT team, this is the most privacy-preserving approach available and provides full control over how the model is used.
Legal research tasks that do not involve client-identifiable information can use any AI tool without GDPR or privilege concerns. Researching case law precedents, regulatory updates, drafting template documents, or analysing legislation does not inherently involve client data. London firms use ChatGPT, Claude, and Gemini extensively for these tasks on standard business plans, because the research content is not client-identifiable.
The practice management discipline required: clear internal policies about what information solicitors may and may not paste into external AI tools. Case names, client names, identifying transaction details, and any information that could identify a client must not enter an external AI interface without client consent and appropriate DPAs. Research questions should be framed in general terms: what is the legal position on X in English law rather than my client, [Name], is involved in X and I need to know.
Microsoft Azure OpenAI Service and Amazon Bedrock offer enterprise agreements under which the AI provider contractually commits to not using customer data for model training, to processing within defined geographic boundaries (UK and EU data residency available), and to meeting GDPR data processor requirements. These agreements enable London firms to use GPT-4 and Claude through enterprise channels with GDPR-compliant data processing in place.
Several City law firms with existing Microsoft Enterprise Agreements are using Azure OpenAI for internal document drafting, contract review, and research tools, with client data processed under the Azure DPA with UK data residency. The model does not retain or learn from the data. The firm's data remains within the Azure UK data region. This approach provides access to top-tier AI capability with acceptable data governance for the majority of legal AI use cases.
For contract review workflows where the AI analysis needs to process the contract content but does not need to identify the parties, anonymisation before processing is a practical approach. The original contract is held securely. A version with party names, identifying details, and specific financial figures replaced with placeholders is sent to the AI for clause analysis, risk identification, and drafting suggestions. The AI output references the placeholders. The solicitor applies the analysis to the original document, filling in the real details at the final stage.
This approach reduces GDPR risk significantly (the data sent to the AI is not personal data in its anonymised form) while preserving the full value of AI clause analysis. It adds a step but is manageable in most contract review workflows and acceptable to most data protection officers reviewing the process.
Some London firms include AI processing disclosure in their client engagement letters, obtaining informed consent for the use of AI tools in the delivery of services. With explicit client consent to AI processing, the GDPR lawful basis is established and the disclosure obligation is met. This approach is transparent, builds client trust in AI-forward firms, and provides a clear legal basis for processing. It requires updating engagement letter templates and client care information, and some clients may decline, requiring a human-only service option.
With appropriate controls: yes, for anonymised or non-client-identifiable work. Without controls: using ChatGPT's standard plan for client work involving client-identifiable information creates GDPR and privilege risk. Use a business plan with a DPA, anonymise client information before processing, or use an enterprise API arrangement with data residency guarantees. Brief all fee earners on what may and may not be submitted to external AI tools.
AI-generated content reviewed and approved by a qualified solicitor before delivery to a client is covered under standard professional indemnity insurance, because the solicitor takes responsibility for the advice. AI-generated content delivered to a client without solicitor review may not be covered. The solicitor's professional responsibility cannot be delegated to an AI system under SRA standards. Review your PII policy terms for AI-specific exclusions and discuss with your insurer before deploying client-facing AI.
To explore AI deployment for your legal practice with appropriate data governance built in, see our AI and Machine Learning Solutions service.
More from the blog
Let us help
Talk to our London-based team about how we can build the AI software, automation, or bespoke development tailored to your needs.
Softomate Solutions Limited
Deen Dayal Yadav
Online
