Legal Practice Notes

Legitimate interests assessment under the UK GDPR Under the UK General Data Protection Regulation ( UK GDPR), you may process personal data where doing so is necessary to pursue the controller’s or a third party’s legitimate interests, unless those interests are outweighed by the data subject’s interests or their fundamental rights and freedoms that demand protection of personal data, particularly where the data subject is a child... A balancing exercise is therefore essential: your legitimate interests must be weighed against the data subject’s interests, rights and freedoms—see Precedents: Legitimate interests assessment—data processing—short form and Legitimate interests assessment—data processing... The result of that balancing test will, in large part, decide whether legitimate interests can be relied upon as a lawful ground for processing personal data... This Practice Note sets out guidance on conducting a legitimate interests assessment under the UK GDPR. It is drawn from the UK GDPR,...

ARCHIVED : This Practice Note has been archived and is not maintained. Lawyers and the businesses they counsel must grasp their exposure to sanctions in order to craft and roll out a robust compliance plan. However, the contours of sanctions compliance shifted after the UK’s choice to exit the EU. Up to 11 pm on 31 December 2020 (the end of the implementation period), the bulk of the UK’s sanctions regimes derived from the EU, via EU regulations that applied directly in Member States; criminal offences and licensing arrangements were then put in place by UK regulations under the European Communities Act 1972. Domestically, UK sanctions were confined to (very unusually) freezing orders under the Anti- Terrorism, Crime and Security Act 2001 ( ACSA 2001), transactional measures directed under the Counter Terrorism Act 2008 ( CTA 2008), and...

This Practice Note distils case studies and Q& As issued by the Law Society within its Criminal Finances Act 2017 guidance about the offence of failing to prevent the facilitation of tax evasion. It is designed for law firms. The Law Society’s Criminal Finances Act 2017 guidance was approved by the chancellor on 21 November 2018; however, that approval does not extend to the accompanying questions and scenarios, which are summarised in this Practice Note... The failure-to-prevent facilitation of tax evasion offences Under the Criminal Finances Act 2017 ( CFA 2017), there are two possible offences, determined by whether the evaded tax is payable in the UK or in another jurisdiction. Each offence involves three key stages, all of which must be present for criminal liability to arise. For further detail, see Practice Note: Failure to prevent facilitation of tax...

The Criminal Finances Act 2017 ( CFA 2017) created a corporate offence for failing to stop the facilitation of tax evasion, effective from 30 September 2017. Government guidance was also released, outlining expectations for compliance frameworks. That guidance should be applied proportionately and on a risk-based footing, reflecting your organisation’s size, nature and complexity. A small entity and a large multinational may adopt the principles in very different ways: what is reasonable for a small business in a low-risk sector could be entirely unreasonable for a large business operating in a high-risk sector. Application should be tailored to organisational scale, sector, and operational complexity as contemplated within the government guidance issued. The Law Society also issued a practice note, Criminal Finances Act 2017, for law firms, which the chancellor approved on 21 November 2018. The Law Society states that the chancellor considers this...

This Practice Note offers guidance on the regulatory obligation to carry out a firm-wide risk assessment ( FWRA) under the Money Laundering, Terrorist Financing and Transfer of Funds ( Information on the Payer) Regulations 2017 ( MLR 2017), SI 2017/692, as amended. There is no single correct approach to completing an FWRA—what matters is being thorough. Consider what you do, and equally, what you do not do. However diligent your FWRA or however well-suited your controls, some offenders may still manage to misuse your practice for criminal ends. A detailed and documented FWRA, alongside written records of decisions taken on particular clients and matters, will allow you to account for your choices and actions to law enforcement bodies and your supervisory authority. Do you have to conduct a risk assessment? If the MLR 2017 apply to your firm, you must take...

Legal professional privilege ( LPP) shields documents from disclosure to third parties, including government agencies, regulators and claimants in civil proceedings. It is vital to safeguard LPP wherever possible when carrying out internal investigations. For guidance on preserving privilege in the criminal context, see Practice Note: Maintaining privilege during criminal investigations. Types of legal professional privilege There are two types of LPP in England and Wales: Legal advice privilege Covers confidential written or oral communications between a lawyer and their client where the dominant purpose is to obtain or provide legal advice, together with related documents. Advice from an in-house lawyer is protected if given in the proper legal context and confined to the legal element of their function (ie genuinely for the purpose of giving or receiving legal advice). It will not apply where the subject matter...

Among business people, lawyers often carry a reputation for risk aversion. In-house and compliance counsel cannot be excessively cautious—they must recognise risk, determine where it lies and respond proportionately. If they do not, they risk becoming a needless barrier within the organisation, blocking sound commercial plans and estranging themselves from colleagues... In-house lawyers and compliance specialists handle legal and regulatory risk every day. To maximise your contribution, you should also take part in assessing and managing your organisation’s non-legal risks. This Practice Note offers guidance on identifying and evaluating risk across the business. Managing risk is not a single task—it is an ongoing discipline, illustrated below... This Practice Note covers the following stages from the lifecycle: establish the organisation's risk appetite—see Precedent: Risk appetite statement gather risk information from internal stakeholders—see Precedent: Risk questionnaire review available risk information to identify...

This Practice Note sets out essential guidance for firms on unbundled legal advice services. Related guidance is available as follows: Practice Note on Unbundled advocacy and litigation services Overarching Practice Note on What to consider when offering unbundled services Practice Note: Separate business and unbundling legal services 2019 for situations involving a separate business When resources are stretched, running a matter without a lawyer and seeking legal input only when required helps a client manage costs and stick to a budget. Unbundling may make it possible for a client to obtain legal advice that would otherwise be beyond reach. Even limited involvement from a solicitor can improve prospects compared with a client handling everything alone. What are unbundled legal services? An unbundled service typically involves delivering discrete, limited-scope legal advice and assistance to a client acting in person. For...

The gender pay gap reporting obligations are set out in the following pieces of legislation: Equality Act 2010 ( Gender Pay Gap Information) Regulations 2017 ( Private Sector Regulations), SI 2017/172, which apply to the private and voluntary sector and to public sector employers not covered by the public sector regulations Equality Act 2010 ( Specific Duties and Public Authorities) Regulations 2017 ( Public Sector Regulations), SI 2017/353, which apply to most public sector employers This Practice Note offers a summary of the essential points employers should know about both sets of regulations (together called in this Practice Note the Regulations) and considers their provisions in greater detail. The main emphasis is on how the gender pay gap reporting duties operate for private and voluntary sector employers, while also outlining the distinctions that apply to gender pay gap reporting by public...

Legal professional privilege ( LPP) This Practice Note examines legal professional privilege, which comprises legal advice privilege and litigation privilege. It sets out the criteria applicable to both categories, including the confidentiality of communications, the dominant purpose and legal context of the material over which privilege is claimed, and the identity of any recipients copied into the correspondence. It explains, for the purposes of asserting privilege, what is meant by client, legal adviser, legal advice and anticipated litigation. It also addresses recognised exceptions, notably the iniquity exception (where fraud or crime is in play), and situations where statute displaces privilege. The treatment of copy documents, and of documents that are collated, selected or extracted, together with translations, is considered. Practical pointers are provided. In this Note, legal professional privilege (often shortened to ‘privilege’) is used as a collective label for legal advice...

Cyber risk, like any other corporate exposure, demands careful management and should be treated as a high‑priority concern for the internal compliance or legal team. It is a business issue to be addressed within an overarching information governance, risk management and crime prevention framework, and must not be left solely to the IT department. This Practice Note covers: the landscape around cybercrime (i.e. why it should be on your radar) the threats cybercrime poses to commercial organisations, and principal vulnerabilities This Practice Note reflects information security and breach notification obligations in the General Data Protection Regulation ( UK GDPR), Assimilated Regulation ( EU) 2016/679, but is not intended to address specialist sector‑specific requirements in the: Network and Information Systems Regulations 2018 ( NIS Regulations), SI 2018/506 Privacy and Electronic Communications ( EC Directive) Regulations 2003 ( PECR 2003), SI...

The Consumer Contracts ( Information, Cancellation and Additional Charges) Regulations 2013 ( Consumer Contracts Regs 2013), SI 2013/3134 apply when you agree a retainer with a consumer client you have not met, commonly termed a distance contract. This Practice Note outlines: when the regulations are engaged in relation to distance contracts when your client has cancellation rights, and how to meet the regulatory requirements The Consumer Contracts Regs 2013 also extend to situations where you meet the client away from your office before entering into a retainer (often called an off‑premises contract). For further detail, see Practice Note: Off–premises contracts—law firms. The flowchart below will help you determine whether: the regulations apply at all and, if so which parts of the regulations you must follow, ie provisions for off‑premises or distance...

How does an in-house lawyer measure the performance of their external law firms? Paul Gilbert sets out some objectives, metrics and examples of incentives. Paul Gilbert outlines objectives, metrics, plus illustrative examples of incentives also......

The UK’s domestic sanctions framework is underpinned by the Sanctions and Anti-money Laundering Act 2018 ( SAMLA 2018) together with regulations made under it. For further detail, see Practice Notes: The UK sanctions framework under SAMLA 2018 and International sanctions—an introduction. Licences to disapply financial sanctions prohibitions The Office of Financial Sanctions Implementation ( OFSI), part of HM Treasury, can issue a licence (written authorisation) to set aside financial sanctions prohibitions for an activity that would otherwise be barred. The authority to grant licences arises within the individual sanctions regimes, so lawyers advising on licences and exemptions must consult the specific sanctions regulations relevant to their matter. Any individual or organisation wishing to undertake conduct restricted by UK financial sanctions (including UN financial sanctions that apply in the UK) may apply for a licence. Under the SAMLA 2018 framework, general licences have become a more common...

Mitigating the risk You should establish procedures requiring staff to disclose (usually to the nominated officer) any knowledge or suspicion concerning: money laundering, terrorist financing or proliferation financing sanctions breaches fraud tax evasion bribery and corruption organised crime See further section: Mitigating the risk. The nominated officer is, in specified situations, obliged to relay that knowledge or suspicion to the National Crime Agency ( NCA) by submitting a suspicious activity report ( SAR), or, depending on the report’s character, to another authority via suitable routes. The NCA assigns SARs to trained financial crime investigators for further enquiries. Intelligence derived from SARs may then be passed by the NCA to other law enforcement or government agencies ( LEAs), which may require additional information. Where LEAs seek more material following a SAR, it will generally be obtained through enforcement action, usually by way of a production order. This How-to guide offers direction on...

Employees are required to escalate money laundering and terrorist financing concerns to your nominated officer, who is then obliged, under the Proceeds of Crime Act 2002 ( POCA 2002) and the Terrorism Act 2000 ( TA 2000), to notify the National Crime Agency ( NCA) of any knowledge or suspicion of money laundering or terrorist financing via a suspicious activity report ( SAR). The NCA assigns SARs to financial investigation officers for further inquiry. Intelligence derived from SARs may then be shared by the NCA with other law enforcement or government agencies, which may request additional material. Where further detail is needed after a SAR, it can be obtained through enforcement measures (typically a production order) under POCA 2002. Although you must adhere to any court order, you are also under a duty to protect your client’s...

Safeguarding confidential information sits at the heart of your client relationship, both as a legal obligation and a matter of professional conduct. That obligation does not lapse when the retainer ends and continues even after a client’s death. When deciding if you may act where confidentiality is engaged, weigh four core questions: what counts as material confidential information what constitutes an adverse interest what the common law recognises as effective safeguards what amounts to informed consent This Practice Note addresses material confidential information and adverse interests. For the remaining topics, consult Practice Notes: Informed consent—law firm confidentiality and Safeguards and information barriers. The duty of confidentiality— SRA requirements You must preserve the confidentiality of clients’ affairs unless: disclosure is required or permitted by law, or the client consents For wider guidance on the general duty and on how...

Risk assessment Government guidance outlines what procedures commercial organisations should adopt to stop those linked to them committing fraud offences, framing this around six core principles. Chief among these is the second—‘ Risk assessment’—which confirms you ought to take a risk-based approach to tackling fraud risks. The failure to prevent fraud offence represents one dimension of fraud risk management: the danger that an associated person commits a fraud offence that advantages your business or your clients. You must also factor in the risk of fraud where your own business is targeted as the victim. The positive here is that the measures you implement to address each perspective on risk will usually be identical or closely aligned. Your fraud risk management procedures should be proportionate to the particular fraud risks you encounter, so the starting point is to identify those risks....

The Economic Crime and Corporate Transparency Act 2023 ( ECCTA 2023) created a corporate offence of failing to prevent fraud, effective from 1 September 2025. This Practice Note is directed at commercial organisations, including law firms. It outlines the key features of the failure to prevent fraud offence brought in by ECCTA 2023. It explains the government’s expectations for procedures organisations should implement to deter fraud and the ensuing compliance implications. Not putting such measures in place may leave the organisation exposed to criminal offences. Organisations should also reflect on how to avoid becoming victims of fraud. Although the failure to prevent fraud offence addresses a distinct strand of fraud prevention, the risk management actions and preventative controls adopted by commercial organisations are likely to be much the same. Accordingly, this Practice Note addresses both strands of fraud risk...

Risk assessment underpins every compliance programme. Managing fraud risk is complex. Commercial organisations must look at fraud from two viewpoints: (1) fraud by or for the organisation, engaging the failure to prevent fraud offence, and (2) the organisation being defrauded. In reality, the preventative measures for both are largely the same, so you are unlikely to run two separate assessments or keep duplicate policies. This Practice Note and the related Precedents therefore treat both together, while noting they are not identical. What are the risks we are assessing? Risk assessing fraud is two-pronged: Committing the failure to prevent fraud offence Staff and agents committing fraud for your organisation and/or customers. The risk of your organisation being a victim of fraud A...