## Read this first This article is general information for UK law firms considering AI-driven client intake. It is not legal advice and does not substitute for the judgment of your COLP, MLRO or the firm's SM&CR-accountable individuals. The SRA Standards & Regulations, UK GDPR, DPA 2018, LSA and ICO guidance all apply, and every firm's client mix and matter types are different. ## Confidentiality: the first-principle question SRA Principle 6 and Paragraph 6.3 of the Code of Conduct place a strict duty of confidentiality on solicitors. Any AI system touching client communication must honour that duty in practice — not just in a vendor's marketing copy. That means end-to-end encryption in transit and at rest, UK/EU data residency where at all possible, no vendor training on client data, and a contractual DPA naming the AI provider as processor with clear sub-processor disclosure. ## The no-training clause is non-negotiable The single most important contractual clause is a written no-training clause: your client data must not be used to train the vendor's or any upstream provider's foundation models, ever. Reputable AI vendors serving the UK legal market publish this explicitly. If a vendor cannot or will not sign a no-training clause, they should not be deployed on client-facing intake at a UK law firm. ## Data residency: UK-first, EU-acceptable, US-treat-carefully Wherever possible, client intake data should be processed and stored in the UK, with the EU as a permitted secondary location under adequacy. Any US-based sub-processing needs SCCs or the UK IDTA, and the transfer needs to be justifiable under the firm's DPIA. Firms handling particularly sensitive matter types (family, immigration, criminal, mental capacity) should keep processing UK-only where achievable. ## Conflicts, CDD and AML AI intake can trigger and structure the conflicts check, prompt for ID and address verification, and route CDD documentation into the firm's compliance workflow. It should not complete the CDD decision itself — that judgment belongs to the fee earner and MLRO. The distinction is important: automation makes CDD faster and more consistent, but the accountable decision remains human. ## Vulnerability and Consumer Duty-adjacent obligations Although the FCA Consumer Duty does not apply to solicitors, the SRA's expectations on protecting vulnerable clients are, in practice, similar. Any AI intake must detect vulnerability indicators — bereavement, coercion, cognitive difficulty, language barriers, ongoing threat — and escalate to human-only handling immediately, with the matter flagged. Our [AI for Solicitors and Law Firms](/solicitors) is built with vulnerability triggers co-defined with the firm's COLP. ## Retention and subject-access requests Every automated interaction should be logged to the matter with a timestamp, retained per the firm's data retention policy, and accessible on subject-access request within the statutory deadline. Well-built AI intake typically strengthens the firm's SAR position because everything is captured in a queryable log rather than scattered across notes and inboxes. ## Signposting and the LSA scope AI intake can politely disengage matters the firm cannot help with and signpost appropriately (LawWorks, Citizens Advice, specialist firms). It must not, however, hold itself out as providing reserved legal activities under s.12 LSA 2007. Message libraries should be co-written with the COLP to keep the line clean. ## Where to start The compliant AI intake stack is a Professional-tier deployment from £597/month — see [pricing](/pricing). Every rollout begins with a joint session with the firm's COLP, MLRO and DPO before a single message goes live. ## Book a free 30-minute AI audit We'll map exactly which parts of your current intake can be safely automated and which must remain human. [Book a Free AI Audit](/contact).