Legal Practice Notes

Complaints are an inherent business risk that cannot be eliminated. The SRA requires firms to maintain a complaints handling procedure, and it is also commercially prudent to ensure matters are managed and resolved effectively. Two essential elements of a robust procedure are: an external, client-facing complaints policy—see Precedent: External complaints policy—law firms an internal complaints handling procedure for receiving, logging, investigating and resolving concerns—see Precedent: Internal complaints handling procedure—law firms This How-to-guide delivers practical advice on implementing and sustaining complaints handling procedures, incorporating best practice from the Legal Ombudsman ( Le O). For regulatory obligations on complaint handling, see Practice Note: Complaints—law firms. There are separate How-to-guides covering: How to handle a complaint step by step—law firms How to manage complaints raising additional considerations—law firms How to handle a complaint referred to the Legal Ombudsman—law firms Key features of your internal complaints handling procedure The design of your internal procedure will depend on your...

This Practice Note contains guidance on assessing the risk of your organisation causing or contributing to an adverse human rights impact Human rights due diligence and risk assessment are not presently mandated by UK law; however, they remain a core element of the corporate responsibility to respect human rights under the UN Guiding Principles on Business and Human Rights ( UNGPs). Adopting these practices is also sound business sense, helping to safeguard an organisation against operational and reputational risks linked to causing or contributing to adverse human rights impacts. In addition, particular facets of the responsibility to respect human rights may already be required by domestic legislation, such as health and safety, non-discrimination, or environmental laws. The EU Corporate Sustainability Due Diligence Directive, Directive ( EU) 2024/1760 ( CSDDD), further introduces compulsory human rights and environmental due diligence obligations for the largest...

UK GDPR claim This Practice Note sets out advice on responding to a ‘ UK GDPR claim’. It refers to the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), as revised by the Data ( Use and Access) Act 2025 ( DUAA 2025), alongside the Data Protection Act 2018 ( DPA 2018). Claims falling within EU jurisdiction are governed by the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR). UK data protection legislation (notably Assimilated Regulation ( EU) 2016/679 ( UK GDPR)) originates to a great extent from EEA regimes and so rests on comparable principles, albeit with some granular divergences in its provisions. Moreover, in the UK, ‘assimilated law’ denotes retained EU law ( REUL) that continued to apply beyond the close of 2023, including the UK GDPR....

Law firms may fall within the consumer credit regime: by entering into a consumer credit agreement as a lender, eg in relation to their fees by carrying on ancillary consumer credit activities, such as debt adjusting This Practice Note outlines how the SRA’s consumer credit framework applies to law firms. It reflects the SRA's Consumer credit toolkit and the SRA’s requirements in the SRA Financial Services ( Scope) Rules and the SRA Financial Services ( Conduct of Business) Rules ( COB Rules). Who regulates consumer credit? Before 1 April 2014: consumer credit activities (including entering into consumer credit agreements) were overseen by the Office of Fair Trading ( OFT) law firms benefited from a group licence for consumer credit work issued by the OFT to the SRA and therefore did not need an individual licence to enter into consumer credit agreements with clients or engage in ancillary consumer credit...

This Practice Note contains a chronological list of substantive changes to our Client care letter—law firms and Terms of business—law firms Precedents 2024 January — Terms of business—law firms: Clause 16.3.4(d) revised to incorporate the Legal Ombudsman’s updated postal address... 2023 November — Client care letter—law firms: Section 2 on climate risk amended and section 5 enhanced with prompts to consider recoverability of costs and liability for any shortfall when giving costs information; references to clients paying privately also refreshed, reflecting Law Society guidance on climate risk and SRA expectations around shortfalls where costs from an opponent are insufficient... November — Terms of business—law firms: Optional wording inserted in clause 5.4 and the drafting note broadened to exclude climate‑risk and climate‑related legal issues, in line with the Law Society’s climate risk guidance... April — Terms of...

Numerous legal practices rely on general advice files, or ‘general files’, to log (and charge for) assorted ad hoc guidance for longstanding clients. They are administratively straightforward and favoured by fee earners, as there is no requirement to open a fresh matter for minor queries, reducing time and paperwork and associated administrative burdens. The SRA Standards and Regulations do not forbid the use of general files. How you arrange your file administration remains a decision for the firm. Nevertheless, general files present risks and, where they are adopted, they ought to be handled cautiously indeed. This Practice Note examines risks arising from law firms’ use of general files and outlines methods by which a firm can mitigate, and control, those risks. A single general file may evolve into a storehouse for varied advice and communications, from a brief telephone query, or...

FORTHCOMING CHANGE: This Practice Note sets out the law as it currently stands, though elements could be affected by the Digital Omnibus proposals released on 19 November 2025 under the European Commission’s ‘simplification’ agenda. For details, see Practice Note: EU Digital Omnibus—tracker. It introduces the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), and the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR). The UK data protection law collection and the EU data protection law collection compile further core guidance on these regimes and are recommended starting points for research. In brief, data protection law across the EEA (the EU together with Iceland, Norway and Liechtenstein) and the UK aims to ensure that information about living individuals (‘personal data’) is treated fairly and responsibly. To that end, both EEA and UK data protection laws impose...

Practice Note This Practice Note sets out, in pragmatic terms, how to identify and assess sources of funds and wealth under the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended. It offers particulars and suggestions on the kinds of documents and information you may wish to obtain from clients, warning signs to watch for, and the actions to take if you have concerns. The guidance is of general application, with specific direction for firms supervised for anti-money laundering ( AML) purposes by the SRA. If you are not a law firm and/or the SRA is not your AML supervisor, you should verify whether additional or varied requirements apply to your sector and whether your regulatory body imposes any extra, sector-specific obligations regarding sources of funds and wealth. There is no...

You are required to implement suitable technical and organisational controls to guard against unauthorised or unlawful processing, as well as accidental loss or damage to personal data. Security incidents are not solely IT-based; mistakes by people pose a major risk too. Whatever the cause, losing confidential information can have serious consequences for your firm: Misplacing your own data may hinder completion of tasks and heighten the likelihood of error and omission claims Compromising clients’ data can cost you clients and harm your standing, and any breach of confidentiality is liable to hit your bottom line The Information Commissioner’s Office ( ICO) can levy substantial penalties under the data protection framework Practice Note This Practice Note looks at practical measures you can adopt to enhance and sustain information and data security. See also Precedent: Information security review, which includes links to other...

Practice Note This Practice Note outlines your duties regarding enhanced due diligence ( EDD) and clarifies its practical implications for you. It aligns with the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended......

As automation and workflow tools become embedded in lawyers’ daily work, organisations are increasingly recognising the gains they deliver, including: higher productivity greater efficiency and shorter timescales operational efficiency and cost savings improved data and management information enhanced risk visibility and the ability to manage it faster speed to market—eg the capacity to shorten sales cycles New ways of working affect people as well as processes, and securing buy-in from the immediate team and the wider business is essential to project success. This depends on thoroughly analysing current processes to understand how workflows can be refined. Crucially, the business must be ready to embrace innovation—effective change management is vital. For more on change management, see subtopic: Managing change. This Practice Note examines automating contracting and contract lifecycle management, addressing: what contract lifecycle management is; the challenges of contracts and how to tackle them; the advantages of contract management solutions; the benefits of...

This Practice Note outlines the principal aspects of Assimilated Regulation ( EU) 2016/679, the UK General Data Protection Regulation ( UK GDPR) and the Data Protection Act 2018 ( DPA 2018), drawing out issues of particular interest to employment lawyers and directing readers to more in‑depth guidance and other supporting materials. It reflects the provisions of the Data ( Use and Access) Act 2025 ( DUAA 2025) that are in force as at 5 February 2026 (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Revised guidance from the Information Commissioner’s Office ( ICO) is still awaited. Assimilated law refers to EU‑derived legislation that continues to apply after the end of 2023. For further detail, see Practice Note: Assimilated law. This Practice Note also cites case law from the Court of Justice of the European Union ( CJEU). For guidance on...

This Practice Note considers the various lawful and specific conditions for processing personal data and special category data in the employment context, under Assimilated Regulation ( EU) 2016/679, UK General Data Protection Regulation ( UK GDPR) and Data Protection Act 2018 ( DPA 2018). It also reflects provisions in the Data ( Use and Access) Act 2025 ( DUAA 2025), effective as at 5 February 2026 (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Updated guidance from the Information Commissioner’s Office ( ICO) is still awaited currently in this area. For broader guidance on workplace data protection matters, see Practice Note: The UK GDPR and DPA 2018: key data protection issues for employment lawyers. Taken together, Assimilated Regulation ( EU) 2016/679, UK GDPR and the DPA 2018 constitute the UK GDPR regime. ‘ Assimilated law’ describes EU-derived...

This material examines the UK GDPR framework, with legislative references to Assimilated Regulation ( EU) 2016/679 and the UK General Data Protection Regulation ( UK GDPR), unless expressly indicated otherwise. It also reflects the Data ( Use and Access) Act 2025 ( DUAA 2025) (see Practice Note: Data ( Use and Access) Act 2025—employment implications). Employers will typically need to process—collect, use and record—information about an individual’s health (health information) in various contexts. Before processing health information relating to a current or prospective employee or worker, the employer must assess whether the processing is lawful under Assimilated Regulation ( EU) 2016/679, UK GDPR and the Data Protection Act 2018 ( DPA 2018). In addition to the issues explored in this Practice Note, the employer should also consider: if the employer intends to obtain a medical report from an...

The Ministry of Justice ( Mo J) guidance for commercial organisations on preventing bribery is centred on six principles. These are not prescriptive; they are intended to be flexible and focused on outcomes. Bribery prevention procedures should be proportionate to the level of risk the organisation faces. Accordingly, the measures adopted to deliver an organisation’s anti-bribery policies ought to be designed to: mitigate identified risks, and prevent deliberate unethical conduct by associated persons Communicating policies and procedures to staff at every level, and providing training on their practical use, is a vital element. This is reinforced by Mo J principle 5 on Communication (including training). This Practice Note outlines ways to train staff and raise awareness of anti-bribery and corruption issues. Top-level commitment A consistent theme in the Mo J guidance is the importance of commitment from the top. Effective leadership in...

Delegation sits at the heart of managing and developing your team—many abilities cannot be mastered through theory alone. Colleagues must adapt and put that knowledge to work in the ‘real world’ with your expert support; that is where delegation plays its part. This practice note covers: assessing the task and the person using a skills matrix the phases of delegation building capability through gradual delegation troubleshooting common delegation situations tracking delegated work Considering the task and the person For smaller, everyday assignments you may not need to follow every stage in this practice note; but when you are delegating to grow teams, or wrestling with a particular problem, it is reassuring to check you have addressed everything. First, consider the task’s complexity alongside the individual’s capability—are they suitably matched? Things to consider around the task Things to consider around the...

In recent years, there has been mounting pressure on the government to introduce further legislation on economic crime to deter criminals from laundering money in the UK. The conflict in Ukraine triggered the Economic Crime ( Transparency and Enforcement) Act 2022 ( EC( TE) A 2022), forming part of the UK government’s response. The government expedited the Bill’s passage through Parliament, with all stages completed in five Parliamentary sitting days. EC( TE) A 2022 is intended to stop the UK property market being used to store, hide or launder criminal proceeds and wealth, to improve transparency over the ultimate owners of properties and assets in the UK, and to make it simpler for enforcement bodies to dispossess owners of unlawfully obtained assets. This is supported by separate provisions that make it easier to designate persons and organisations under sanctions pursuant to the Sanctions and Anti- Money...

This Practice Note is aimed at solicitors, including those working in‑house, and law firms regulated by the SRA. It sets out the information‑sharing provisions (statutory protection for breach of confidentiality) introduced by sections 188 and 189 of the Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023). The measures enable relevant businesses to share information with each other for the purposes of preventing, investigating and detecting economic crime, and also allow sharing through a third‑party intermediary. For the statutory protection to apply, a number of conditions must be satisfied. Under ECCTA 2023, Schedule 11 defines economic crime and includes: money laundering terrorist financing bribery sanctions evasion tax evasion market abuse fraud Background to the ECCTA 2023 information sharing measures The government recognised that businesses regulated for anti‑money laundering ( AML) purposes wishing to share client...

FORTHCOMING CHANGE: The Crime and Policing Act 2026, which obtained Royal Assent on 29 April 2026, supplants the ‘senior manager’ attribution regime for specified economic crimes set out in the Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023), disapplying sections 196 to 198 and Schedule 12. Section 250 of the Crime and Policing Act 2026 broadens criminal responsibility to bodies corporate and partnerships where a senior manager, operating within the actual or ostensible scope of their authority, is involved, taking the regime beyond the catalogue of offences in ECCTA 2023 to cover the commission of any offence. It commences on 29 June 2026. This material will be checked and revised as necessary when that provision takes effect. The Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023) received Royal Assent on 26 October 2023. It is designed to bolster the UK’s...

The Data ( Use and Access) Act 2025 ( DUAA 2025) obtained Royal Assent on 19 June 2025. It revises elements of the UK General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 ( DPA 2018), and the Privacy and Electronic Communications ( EC Directive) Regulations 2003 ( PECR 2003), SI 2003/2426. This Practice Note sets out the compliance consequences for private sector commercial organisations in the UK. DUAA 2025 both clarifies the domestic data protection regime and introduces added flexibility in several areas. If your organisation already follows UK data protection and e Privacy requirements, only limited updates to your compliance procedures should be needed. Which amendments are in force? The table below sets out the implementation timetable: Data subject requests — Yes: clarification of the searches needed for DSAR responses took effect on 19 June 2025 (and is...