Private AI for solicitors UK: a practical guide for SRA-regulated practices

At a glance
- The SRA Code does not name AI, but the principles around client confidentiality, competence, and acting in the client's best interest apply directly to any third-party processor that handles client matter data.
- Cloud LLMs under a standard DPA are workable for some matters and structurally awkward for others. Privileged work, pre-filing IP work, and contentious matters under heavy confidentiality undertakings are the recurring difficult cases.
- Five workflows where local AI is workable today: attendance note generation from dictation, drafting client correspondence, document review and clause extraction, intake triage, and time-recording narrative generation.
- Two workflows where Hybrid mode is sometimes appropriate: long-document review above 100K tokens, and complex research where the marginal capability gain materially changes the answer.
- Cost framing for a 5-fee-earner firm: approximately GBP 4,500 to GBP 6,500 one-off plus GBP 500 to GBP 900 monthly retainer for the Practice tier, plus hardware at supplier cost.
Why this is a separate question for solicitors
Most UK businesses can roll out a cloud LLM under a standard Data Processing Agreement and the analysis ends there. For SRA-regulated practices it does not. The reason is a combination of three obligations that sit on top of UK GDPR and apply specifically to the practice of law.
Client confidence. A solicitor's duty of confidentiality to a client is wider and stricter than the data-protection equivalent. It applies to any information learnt in the course of acting, regardless of whether it is personal data, regardless of whether the client has consented to disclosure, and regardless of the practical risk of harm.
Competence. The SRA expects solicitors to maintain their competence, which in 2026 includes being able to make defensible decisions about the technology used in the practice. Deploying a cloud AI tool the firm cannot describe accurately to a client is a competence question, not just a compliance question.
Best interests. Acting in the client's best interest is the underlying principle that ties the others together. A firm that cheerfully sends instructed matter data to a third-party AI provider, where doing so was not commercially or technically necessary, is exposed to a difficult conversation with both client and regulator if anything goes wrong.
None of this rules out cloud AI for solicitors. It does mean that the cloud-route compliance overhead is higher than for an unregulated SME, and that for some types of matter the on-premises route is materially easier to defend. The article below describes where local AI is now workable, where it is not, and how the deployment fits inside an SRA-compliant practice.
The five workflows where local AI is workable today
For each workflow we describe what the assistant actually does, why it matters commercially, and the realistic time saving for a fee-earner using it daily.
1. Attendance note generation from dictation
The fee-earner records a short verbal summary at the end of a client meeting or phone call. The assistant transcribes the dictation, structures it as an attendance note in the firm's house format, populates the matter reference, and saves it to the firm's case management system through an MCP connector or API integration.
Why it matters: attendance notes are the slow, mandatory, low-glamour work of fee-earning. Time savings of 60% to 75% on attendance note creation are realistic, which for a fee-earner doing 8 to 12 chargeable client interactions a day adds up to material recovered hours.
Why local: dictated content includes client names, matter detail, and often privileged advice. Sending dictation to a cloud LLM is structurally a poor fit even where the DPA is in order.
2. Drafting client correspondence in the firm's house style
The fee-earner provides a structured brief (recipient, matter context, points to make, tone). The assistant produces a first-draft letter or email in the firm's established style, including standard opening and closing forms, salutation conventions, and the firm's preferred level of formality.
Why it matters: the first draft is where most time is spent. A first draft that requires light editing rather than rewriting saves 30% to 50% of correspondence time.
Why local: the brief includes client identifiers and matter detail. The local approach also lets the firm build accumulating institutional memory of preferred phrasings and client-specific protocols, which sits on the firm's hardware rather than in a third-party model.
3. Document review and clause extraction
The assistant reads a contract, lease, or other transactional document and produces a structured summary of key clauses, dates, parties, obligations, and unusual terms. For a fee-earner, this turns first-pass review from a 30-minute exercise into a 10-minute one.
Why it matters: document review is the workload most amenable to AI assistance and the workload where the time savings are most visible to fee-earners. A 50% to 70% reduction in first-pass review time is realistic for documents within the local model's context window.
Why local: contract content is client-confidential. The exception is where the document exceeds the local model's context window and Hybrid mode is appropriate; see below.
4. Intake triage
New enquiries arrive through email, phone, or web form. The assistant captures the initial information, runs a basic conflict check against the firm's existing client list, classifies the matter type, and produces a structured pre-call summary for the fee-earner who will do the actual intake call.
Why it matters: intake is administratively heavy and frequently displaces fee-earning time. A structured pre-call summary that the fee-earner can scan in 60 seconds before the call materially changes the productivity of the first conversation.
Why local: enquiries often include sensitive information disclosed before any client-confidence boundary has been formally established. Keeping the data local from first contact is the cleanest approach.
5. Time-recording narrative generation
The assistant reads the day's calendar entries and matter activity from case management, and produces first-draft time-recording narratives at end of day. The fee-earner reviews and confirms rather than composing from scratch.
Why it matters: time recording is universally disliked, universally late, and a recurring source of revenue leakage. A draft narrative that needs only review and confirmation typically recovers 15 to 25 minutes per fee-earner per day.
Why local: time entries include matter and client detail. Local processing also avoids any question of fee-earner activity data leaving the firm.
The two workflows where Hybrid mode is sometimes appropriate
1. Long-document review above the local model's context window
Local open-weight models in mid-2026 typically support context windows of 32K to 200K tokens depending on the variant. For genuinely long documents, full case bundles, or multi-document due diligence sets, the local model may not be the right tool.
Hybrid mode handles this by routing the long-context analysis to a cloud LLM with a 1 million token context window, by default the Claude API at AWS Bedrock UK South or EU Ireland for residency. The routing is documented in writing, the data classes permitted to be sent are bounded, and the firm's hybrid policy reflects the analysis.
This is a real exception, not a default. For most solicitor work, the local model handles the document. We use Hybrid for the genuinely long-document cases and for nothing else.
2. Complex legal research where the marginal capability gain matters
For straightforward research over established law and the firm's own precedent library, the local model is workable. For complex multi-jurisdictional questions, novel legal arguments, or research across very large external databases, the gap to cloud frontier capability is wider and may matter commercially.
Hybrid mode allows the firm to run routine research locally and selectively escalate the complex cases to cloud, with the routing policy documented and the data sent to cloud restricted to public-record material rather than client-specific content.
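The two routing rules above can be enforced as a deny-by-default gate in front of the cloud endpoint. This is an added example, not code from the service described here; the data-class labels, the workflow names, the 100K local window and the `route` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed figures and labels; real values come from the firm's written hybrid
# policy and the configured local model.
LOCAL_CONTEXT_TOKENS = 100_000
CLOUD_CONTEXT_TOKENS = 1_000_000
# workflow -> (data classes permitted upstream, trigger that justifies cloud)
HYBRID_POLICY = {
    "long_document_review": (frozenset({"transactional_document"}), "over_local_context"),
    "legal_research": (frozenset({"public_record"}), "escalated"),
}


@dataclass(frozen=True)
class Request:
    workflow: str
    data_classes: frozenset  # labels attached by the calling skill, never inferred here
    tokens: int
    escalated: bool = False  # fee-earner explicitly asked for cloud research


def route(req: Request, hybrid_enabled: bool = False) -> tuple[str, str]:
    """Return (destination, reason); destination is 'local', 'cloud' or 'refuse'."""
    fits_local = req.tokens <= LOCAL_CONTEXT_TOKENS

    def stay_local(reason: str) -> tuple[str, str]:
        # Never fall through to cloud: the local model takes it or nothing does.
        return ("local", reason) if fits_local else ("refuse", reason)

    if not hybrid_enabled:  # Hybrid mode is opt-in
        return stay_local("hybrid mode not enabled")
    if req.workflow not in HYBRID_POLICY:
        return stay_local("workflow has no hybrid route")
    permitted, trigger = HYBRID_POLICY[req.workflow]
    triggered = (not fits_local) if trigger == "over_local_context" else req.escalated
    if not triggered:
        return stay_local("hybrid trigger not met")
    if not req.data_classes or not req.data_classes <= permitted:
        blocked = sorted(req.data_classes - permitted) or ["unlabelled"]
        return stay_local("not permitted upstream: " + ", ".join(blocked))
    if req.tokens > CLOUD_CONTEXT_TOKENS:
        return ("refuse", "exceeds cloud context window")
    return ("cloud", f"{req.workflow}: {trigger}")
```

Logging each returned reason alongside the matter reference gives the firm a record of every routing decision to set against the written policy at review.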
UK GDPR and DPIA implications
The DPIA position differs materially between local-only and Hybrid mode. The headline points:
Local-only mode is structurally easier to document under UK GDPR. There is no third-party processor in the chain, no third-country transfer, and no cross-border data flow. The firm is the sole data controller and the only processor of personal data. The DPIA covers the device security posture, access controls, and the agent's authorised tool surface; it does not need to address third-country transfer at all.
Hybrid mode reintroduces the standard cloud-AI DPIA analysis for the data classes that may be routed upstream. The analysis covers:
- The cloud provider's role as a processor (joint controller analysis applies in some configurations).
- The third-country transfer question, post-Schrems II, including any reliance on the UK-US Data Bridge or Standard Contractual Clauses.
- The data classes permitted to be routed and the routing rules.
- The retention and deletion regime applied to cloud-routed prompts.
- Any subject-rights implications from cloud routing.
For an SRA-regulated firm, the additional point worth making explicit: the DPIA is a UK GDPR document, not a client-confidence document. Even where the DPIA shows the cloud route is GDPR-compliant, the firm separately needs to consider whether the route is consistent with its client-confidence obligations under the SRA Code. These are two questions with overlapping but not identical answers.
A practical DPIA checklist for the local AI deployment
The following is a starting checklist for a Private AI Concierge DPIA in a UK solicitor practice. It is not legal advice; it is the technical structure of the document.
- Description of the on-premises hardware and its physical location.
- Description of the agent framework and inference engine, with the licence and CVE posture.
- Inventory of the channels and tools the agent has access to (email, calendar, case management, document repository).
- List of the named skills the assistant runs and the data classes each skill touches.
- Hybrid policy where Hybrid mode is enabled, including the data classes permitted to be routed and the cloud endpoint.
- Access controls covering the device, the agent, and the channels.
- Backup and recovery process.
- Incident response plan, including the trigger conditions for disabling the agent in an emergency.
- Review schedule (we recommend quarterly) covering the security posture, the skill set, and the hybrid policy.
Cost framing for a UK solicitor practice
The Private AI Concierge service is published at three tier bands. For solicitors specifically, the typical fits are:
| Practice profile | Tier | One-off | Monthly retainer | Hardware |
|---|---|---|---|---|
| Sole practitioner | Solo | From GBP 2,500 | From GBP 250 | Mac mini M4 Pro at supplier cost |
| 2 to 10 fee-earners | Practice | From GBP 4,500 | From GBP 500 | Mac mini M4 Pro at supplier cost |
| 10+ fee-earners or multi-site | Chambers | From GBP 8,000 | From GBP 900 | Mac Studio M4 Max at supplier cost |
Pricing is published at tier-band level on the Private AI Concierge service page. Final scope and quote follow the workflow design sprint in Stage 2 of the engagement. Hardware is invoiced separately at supplier cost; we do not earn margin on the device.
Where this is not the right answer
Three points worth being explicit about. Private AI Concierge is not the right service for:
- Firms whose data sensitivity already permits a cloud LLM rollout under a standard DPA. Claude Implementation is the appropriate service line.
- Firms whose AI use is principally code-related rather than document-related. The capability gap on complex code generation favours cloud frontier models.
- Firms unwilling to commit to ongoing retainer custodianship of the local stack. Self-managed open-source AI deployments tend to drift out of date inside the first quarter and become a security liability rather than an asset.
Where to start
If you are evaluating an on-premises AI assistant for an SRA-regulated practice, the next step is a free 30-minute scoping call. We work through the workload mix, the matter types, the case management system, and the regulatory overlay against your specific practice, and recommend a deployment route.
The scoping conversation also covers the question of whether AI assistance is the right answer at all for your practice in 2026. We are not in the business of selling local AI to firms whose business problem is better solved by something else.
The relevant service page is Private AI Concierge. The companion articles on local AI vs cloud AI, UK GDPR for AI assistants, and the technical stack cover the supporting questions in more depth.
Frequently asked questions
- Does the SRA Code allow solicitors to use cloud AI tools?
- The SRA Code does not name AI tools but the principles of client confidentiality, competence, and acting in the client's best interest apply directly. Cloud AI under a standard DPA is workable for many types of matter and structurally awkward for others, particularly privileged work, pre-filing IP, and contentious matters under heavy confidentiality undertakings. The conservative reading in 2026 is that any third-party processor handling privileged data should be considered carefully and disclosed to the client where reasonable.
- What is the difference between client confidence and UK GDPR for AI tooling?
- UK GDPR governs the processing of personal data and is necessary but not sufficient for solicitor practice. Client confidence is wider and stricter than the GDPR equivalent: it covers all information learnt in the course of acting, regardless of whether it is personal data and regardless of whether the client has consented to disclosure. A cloud AI route can be GDPR-compliant while still being awkward under the SRA Code. The two questions need to be answered separately.
- Which solicitor workflows is local AI actually good at today?
- Five recurring workflows: attendance note generation from dictation, drafting client correspondence in the firm's house style, document review and clause extraction within the local model's context window, new-client intake triage including conflict checks, and end-of-day time-recording narrative generation. For each of these, local open-weight models in mid-2026 are workable for daily use.
- When should a UK firm use Hybrid mode rather than local-only?
- Two cases. First, long-document review or multi-document due diligence above the local model's context window, where the cloud frontier model's 1 million token context delivers a material capability gain. Second, complex legal research where the marginal capability gain from cloud changes the answer. Hybrid mode requires a written hybrid policy bounding the data classes permitted to leave the network, and is opt-in only.
- What does a Private AI Concierge engagement cost for a 5-fee-earner firm?
- The Practice tier is the typical fit: from GBP 4,500 one-off plus from GBP 500 per month retainer, plus hardware at supplier cost (typically GBP 1,799 to GBP 2,499 for a Mac mini M4 Pro). Final scope and quote follow the workflow design sprint. The hardware is invoiced to the firm at supplier cost; we do not earn margin on the device itself.