AI and legal compliance & practice management – regulations, policies and controls

By Elaine Pasini, Head of Communications at Legal Futures Associate Institute of Legal Finance & Management (ILFM)

Artificial Intelligence (AI) is currently not regulated per se. However, the government is fully aware that the UK requires change for regulators to strengthen AI leadership, and it published its response to the AI Regulations White Paper consultation on 6 February 2024.

Currently, law firms need to consider various existing legal obligations when developing and using AI, whether this is in your own firm or when using third-party providers to help manage a practice.

The government’s recent white paper confirms that there is no plan to give responsibility for AI governance to a new single regulator but that existing sector-specific regulators will be supported and empowered to produce and implement context-specific approaches that suit the way AI is used in their sector.

The framework outlines five principles for regulators to keep in mind when it comes to innovation and safety:

  1. Safety, security and robustness.
  2. Appropriate transparency and explainability.
  3. Fairness.
  4. Accountability and governance.
  5. Contestability and redress.

Regulated law firms in the UK should, of course, be aligned to the SRA’s rules and codes of conduct, whilst adhering to the ICO’s Data Protection laws. So, whilst there is currently no specific legislation around AI regulations in the UK, legal practice managers, compliance officers and owners should know about the following:

Principles-Based Framework: The UK has established a principles-based, pro-innovation regulatory framework for AI, intended to support regulators in interpreting and applying the five principles mentioned above (from the government’s white paper). What this means for law firms is that it’s worthwhile attending legal tech events and keeping up to date with your software provider’s policies.

The ILFM Spring Conference will have a range of speakers and sponsors from the SRA, insurers, website designers, practice management, accountants, and compliance specialists who will be able to impart their knowledge in this field.

GDPR and Data Protection: If your law firm operates inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018). The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR. If you are unsure about your firm’s GDPR compliance, speak to a specialist consultant, such as The Business Tamer.

The Information Commissioner’s Office (ICO) published a Memorandum of Understanding laying out a framework for collaboration, cooperation and information sharing between itself and the Equality and Human Rights Commission (“the EHRC”). It was published in February 2023 to enhance the effectiveness of their respective functions relating to the emerging use of artificial intelligence and digital technology.

The ICO has a handy toolkit for firms to look at their controls and policies when using AI in their practice. Practical steps to reduce risk include:

  • Conduct Data Protection Impact Assessments (DPIA) for processing that is likely to result in high risk to individuals. The ICO defines high risk as a higher threshold, either because the harm is more likely, or because the potential harm is more severe, or a combination of the two.
  • Assign technical and operational roles and responsibilities and provide clear direction and support on the use of AI systems and the application of data protection law.
  • Document each purpose for using personal data at each stage of the AI lifecycle, assess whether they are compatible with the originally defined purpose, and schedule reviews to reassess your purposes and whether they remain compatible.
  • Document an assessment of the different ways your AI system could result in unfairness, which should include appropriate technical and organisational measures you will use to mitigate or manage those risks on a continual basis.
  • Act when systems default to possible excessive and irrelevant collection of personal data. To comply with GDPR you must document the data you will collect to train the AI system and assess whether it is accurate, adequate, relevant, and limited to your purpose(s).
  • Discrimination: When individuals suffer discriminatory outcomes caused by an AI system, unlawful decisions are being made about them, and they could miss out on economic or social benefits. It is best to assess, document, and maintain an index of data sources or features that should not be processed when making decisions about individuals because of direct or indirect discrimination.
  • Bias: You should consider whether your law firm needs to process additional data to conduct your bias analysis and whether you need to create labels for data you already hold or whether you need to collect more data. This may include special category/protected characteristic data.
  • Monitoring systems: Attacks on AI systems are caused by poor security practices. Consequently, individuals have their personal data subject to data breaches leading to potential financial losses and/or fraud. Make sure your policies and controls are always in use to detect and correct security vulnerabilities.

Sole practitioners and SMEs can use the ICO’s checklist HERE.

In summary, on data protection and AI, the ICO looks at the above framework as well as the principles and requirements, data sharing, and security principles, including personal data breaches, encryption, ransomware, and passwords.

Judith Andrews, from The Business Tamer, said to the ILFM:

“The four key pieces of legislation that all SMEs really need to be aware of are the Data Protection Act 2018, UK GDPR, PECR (Privacy and Electronic Communications Regulations) and the new one, currently going through Parliament: The Data Protection and Digital Information Bill V2 – expected to come into law this year.”

“For AI, I recently attended a DMA webinar on this covering changes across Europe. AI will have a fundamental impact on industry and marketing and there are new opportunities and core risks. The UK Government’s view is that the existing regulatory framework is sufficient, at the moment, to allow the development of AI technologies as well as building trust in the technology so people will use it.”

One for regulators such as the SRA to keep their eyes on is the guidance published by the Department for Science, Innovation and Technology, which outlines a range of considerations for regulators as they develop tools and guidance to implement these voluntary principles, as follows:

Voluntary Principles: The principles are voluntary and how they are considered is ultimately at a regulator’s discretion. This means that law firms should be aware of these principles and consider how they might be applied in their own use of AI.

Regulations: The regulatory framework is to be applied by regulators in each sector, meaning law firms should work with and stick to any sector-specific regulations that might apply to them.

Continuous Development: The guidance is intended to be developed and expanded over time, so law firms and their compliance officers, legal accounting teams, practice managers, and IT departments should keep a close eye on any changes or updates to the guidance.

Although the above principles are voluntary, now’s the time for law firms to consider how they can observe and evolve with them in their use of AI to ensure ethical and responsible use.

The Legal Services Board (LSB) responded to the white paper and if you would like to read their reply, you can do so HERE.

In summary

Here’s the ILFM’s quick rundown of regulations that firms should align to:

  • Data Protection Act 2018.
  • General Data Protection Regulation (GDPR) – keep on top of the Information Commissioner’s Office updates.
  • Financial Conduct Authority (FCA) Guidelines.

There are also some publications we think are useful to read, such as:

Engage with suppliers of tech and AI, track your policies and controls, and keep an eye out for ILFM forums and webinars.
