Online Safety Act and implications for law firms. Picture courtesy of Tudum; it is of Adolescence from Netflix.

Online Safety Act implications for Law Firm Compliance

Let’s talk about the Online Safety Act (the Act) – it’s a big deal for everyone operating in the UK’s digital space, and that includes law firms. Think of it as a landmark piece of legislation designed to create a safer online environment. 

Netflix’s Adolescence starkly portrays the vulnerability of young people to online manipulation and the erosion of their sense of self through excessive social media engagement, highlighting the very issues the Online Safety Act aims to address. The story is based around the family of a 13-year-old boy and the fallout of a crime that he commits against a classmate. It has just made viewing history, with the view count still climbing.

Ofcom’s “Enforcing the Online Safety Act” can be read HERE. The ICO has some guidance on this topic around online safety and GDPR too, which you can read HERE (10 step guide to sharing information to safeguard children), and another piece of guidance HERE (Children’s Code Strategy).

Our blog here will go over the UK’s Online Safety Act and its implications for law firms. The Act places responsibility on businesses, including law firms, to protect users from harmful and illegal content, especially children. 

Did you know that the Act lists over 130 ‘priority offences’, and tech firms “must assess and mitigate the risk of these occurring on their platforms”?

The priority offences can be split into 17 categories, including fraud and financial offences, together with proceeds of crime.


Essentially, the Act puts the onus on businesses, and that includes the business of running a law firm, to protect users from harmful and illegal content, with a particularly strong emphasis on safeguarding children. 

Of course the Act is inherently targeted at larger tech platforms.

Platforms must now act quickly to come into compliance with their legal duties, and our codes are designed to help them do that. But, make no mistake, any provider who fails to introduce the necessary protections can expect to face the full force of our enforcement action.

 

The Act introduces a whole raft of legal requirements, especially for those services that allow users to interact or offer search functions. We’ll go into that in more detail later in the blog.

As you will no doubt be aware, the Act received Royal Assent back in October 2023, and various provisions are already in effect. So, this isn’t something on the horizon; it’s happening now. For us in the legal profession, we know non-compliance can lead to hefty fines. So, it’s absolutely crucial that you, as a law firm, understand the Act inside and out, and get to grips with your specific responsibilities under the new law. 

You’ll know that this Act is primarily to protect children online, but there has been a new Category 1 that’s been added since 2023, to protect adults too (self harm and suicide).

 

The definition of ‘appropriate measures’ for removing illegal content will really depend on the online service in question – what’s right for a social media platform with millions of users, won’t be the same for a small community forum.

 

We’d say to all readers of this article that their websites and social media platforms might need a look, which we’ll highlight further down.

In the meantime, we suggest you look at your law firm for data protection, privacy, and risk management in any event. When was the last time you did this? Further to SRA’s ever evolving fining powers, and latest highlights such as this from Legal Futures “Director and law firm fined £50,000 for multiple compliance failures” it’s more important than ever to protect your clients and your reputation.

 

Data Protection and Privacy

The Act interacts with existing data protection laws, such as the UK GDPR. Law firms, which handle sensitive client data, must ensure their online practices comply with both sets of regulations.   

What does this mean for you? Time now to review and update privacy policies to reflect the Act’s requirements. 

It’s also time to implement robust security measures to protect client data online, if you haven’t already. 

The Act introduces new risks related to online content and conduct. This means that as a law firm, you’ll need to assess these risks and implement appropriate mitigation strategies.

What might this look like for your firm? Depending on your readership and clientele, you may need to develop policies and procedures for handling online safety issues. 

Again, depending on the size of your practice, you might have to provide training to staff on online safety best practices. We think this is a good idea in any event, so that you and your colleagues are aware of the Act in private lives too.

It’s recommended that there is ongoing monitoring of online activity for any potential risks.

It’s worth noting that Ofcom, the regulator in this regard, isn’t suggesting small businesses will be negatively affected, but essentially its regulatory requirements create a broader online safety environment that law firms must be aware of. While you’re not directly regulated by Ofcom, you must still ensure your online activities align with the Act’s goals and principles.

 

Who does the Online Safety Act apply to?

 

Law firms that offer employment law, contract law, regulatory compliance and criminal law will want to proactively guide and advise their clients with updates.

Our Data Protection Compliance service is designed to make sure law firms can clearly identify the risk to the data they process and put in policies, procedures, and controls to protect it. You can then build the Act’s requirements onto this work.

Talking of the Act, law firms could do a risk assessment and implement any changes it shows the firm needs to look into:

  • Identifying Potential Risks: review the types of content hosted or shared on your website and social media (e.g., user-generated content, comments, videos).
  • Analyse the likelihood of illegal or harmful content being present or shared on the platform.
  • Assess existing content moderation practices and their effectiveness.
  • Review policies for user reporting and complaint handling.
  • Evaluate any automated tools used for detecting and removing harmful content.
  • Analyse Potential Gaps: identify areas where current measures may fall short, such as detecting newer forms of harmful content. Consider emerging risks as the online landscape evolves.
  • Compliance with Ofcom Guidance: ensure that your policies align with Ofcom’s codes of practice and that necessary reporting mechanisms are in place. Verify that terms and conditions are user-friendly and transparent.
  • Action Plan: develop a strategy to address gaps, such as improving moderation systems, updating user guidelines, or enhancing staff training.
  • Set measurable goals to regularly review and update the risk assessment.
  • Regular Review Process: create a process for periodic reassessment of risks, particularly after platform updates or regulatory changes.

Teal Compliance Risk Assessment is the perfect starting block for dovetailing to your firm’s requirements under the Act.

Websites and Social Media Platforms

 

We live and work in a digital age and your law firm’s website and social media could possibly need tweaking or monitoring.

If your law firm’s website has interactive features like blog comment sections, forums, or user-generated content, it may need policies written for content moderation. The processes would incorporate removing illegal content (e.g., hate speech). Of course law firm websites won’t be the click of choice for children, but if there is a potential for moderate harmful content on the site, you need to think carefully. Also, do have clear terms of use that outline acceptable and unacceptable content.

It’s worth taking the time to conduct your firm’s risk assessment for AML compliance at this time too.

Our website audit service provides a full and comprehensive review of your website, making sure it adheres to the SRA Regulations, so you could take advantage of aligning your website’s policies for these regulations as well as Ofcom’s.

We all need to look at our own social media channels to monitor any engagement for potentially harmful or illegal content. By this we mean you should:

  • monitor comments and interactions on any of your posts (and, if you use a scheduling tool, check its provider’s policies);
  • have processes in place to remove or report inappropriate content; and
  • add to your terms of use or social media policies an outline of acceptable behaviour on your digital channels. This will back you up as a business and potentially protect you, as you’ll be able to manage expectations and provide a basis for removing inappropriate content.

Teal Compliance Recommendations

 

Reviewing Online Policies: Law firms should review their online policies and procedures to ensure they align with the Act’s requirements.   

Staff Training: Providing staff with training on online safety best practices is essential.

Monitoring Online Activity: Law firms should monitor their online activity for potential risks and take appropriate action.   

Staying Informed: Staying up-to-date on the Act’s implementation and Ofcom’s guidance is crucial.

In essence, the Online Safety Act reinforces the need for law firms to take their online responsibilities seriously. They must ensure their online activities are conducted in a safe and responsible manner, and that they comply with the evolving regulatory landscape.   

As pillars of our society, the legal profession simply has to adhere and align to regulations and rules to uphold the sanctity of our reputation. 

Thanks for reading and do get in touch with us if we can support your firm with its AML compliance and risk management undertakings.

Team Teal

Risk and Compliance March 2025 Key Takeaways

Eilish Cullen, Teal Compliance’s Head of the Partnerships and our Data Protection Subject Matter Expert, attended the Law Society Risk and Compliance Conference on 12 March 2025. Here are her takeaways.

As ever, the sector is shifting big time, and we all need to be ready for it – whether managing complex and evolving regulations, ensuring data security, adapting to the rise of AI, and navigating economic pressures, all while building a positive culture and driving new business.

So this is something we all need to keep a close eye on, especially COLPs and MLROs, as the challenges we in AML and risk management are facing are going to dramatically ramp up, with more and more complexities to navigate.

Here are Amy Bell’s Handy Hints for those new to the role of COLP & MLRO – READ HERE

The agenda for the rest of the day looked like this, and each delegate was offered 2 out of the 4 workshops:

  • TED talk: Is the legal profession fit for the 21st century?
  • SRA: Regulatory priorities in a changing legal landscape 
  • Plenary 1: AI on trial. This session delves into the risks and opportunities of AI in legal practice.
  • Workshop A1:  Cybersecurity for small and medium-sized firms (run under Chatham House Rule)
  • Workshop A2: Social conflict and reputational risk 
  • Plenary 2: Economic crime concerns 
  • Workshop B1: Handling client money Post Axiom Ince the SRA proposes 
  • Workshop B2: Risk management 101. Essential risk management strategies and best practices for process mapping and policy development.
  • Plenary 3: Code of conduct and culture. What is your role as a compliance officer in shaping conduct and culture?
  • Reputational risk in law: Defending your reputation. Join Jacqueline McKenzie, human rights and immigration lawyer, for an insightful keynote on managing reputational risk.

Is the Legal Profession Fit For the 21st Century?

Kirin Kalsi, General Counsel, Compliance Officer and Data Protection Officer at E.ON UK, gave us a Ted Talk on the subject.

With law firms and their lawyers focused on the billable hour and money, the potential for risk is high: to the client, to the reputation of the law firm, and of course to the law firm’s employees.

Kirin went on to talk about how the training of juniors/trainees hasn’t really changed in 20 years. The same methods are being used, but how do we come together as a legal sector to change that approach for training our new generation?

Training the new generations coming into the profession, and the culture of the sector as a whole as well as firmwide, are key to long-term growth. New entrants to the profession say work/life balance is really important; their outlook on what’s important is different, and Kirin said that potentially the profession is still way behind on this.

As attendees, we were asked is it within our power to change this? A conversation that I am taking back to the team at Teal and asking ourselves how we can support change.

As the Post Office Scandal, the ‘Biggest Miscarriage of Justice’, is still very much at the front of our minds, seeing Lee Castleton speak at various events, and knowing that 900 Post Masters were prosecuted, Kirin asked what we can learn from it in our risk and compliance efforts, both as consumers of law and as practitioners.

 

On a side note away from Kirin’s talk, the SRA confirmed it has more than 20 live investigations into solicitors and law firms who were working on behalf of the Post Office/Royal Mail Group. In a statement it says “We will take action where we find evidence that solicitors have fallen short of the standards the public expects”.

 

If you haven’t already read this, I urge you to:  Post Office Horizon Inquiry – human stories

 

The need to ‘speak up’ and remind ourselves of our professional obligations. Attendees were asked if we have carried out our own firm’s internal training/briefings when it came to ensuring there will never be another Post Office Scandal (in terms of aggressive litigation, dehumanisation, bullying). 

If you haven’t, then it’s time to have the conversation as to why we and/or our bosses feel it’s irrelevant?

It didn’t take long for the talk to turn to the use of AI and technology. As a profession we need to be forward thinking and proactive, especially when it increases efficiency and saves time. For example, our Teal Tracker is built for efficiency and risk management. It’s accessible and easy to use. Amy Bell wrote this software and had it built specifically for the holes that appear in a firm’s AML compliance, data protection and regulatory processes.

TEAL TRACKER – you can read more about our software by clicking on the link HERE.

The takeaways on the subject of AI from Kirin’s Ted Talk for me were that in 2025, lawyers and colleagues in firms are more efficient and self-sufficient, arguably due to the software firms currently have in place. 

As with technology and change, with AI there is an element of firms being both delighted at what AI can assist with in tandem with fear that it will replace their jobs.

There is still a concern regarding the reliability of AI (still in experimental phase) but the stark reality is that it is improving every day. We can’t afford to be dinosaurs.

When it comes to law firm risk and compliance, human risk has always been present (ask any insurer!), and therefore accuracy and reliability has always been a concern even without the use of AI.

All of us in the legal sector need to consider human risk -v- risk of AI getting it wrong.

Concern regarding whether a firm’s insurance covers the risk surrounding using AI – a reminder to firms to have that open conversation with their PII provider.

Aileen Armstrong, Executive Director, Strategy Innovation and External Affairs at the SRA, focused on their priorities when it came to client money, high volume claims, and governance & regulation of AI.

 

Client Money Consultation 

The SRA received hundreds of written responses from the legal profession on this as well as insights and opinions from their round table and focus groups.

In terms of alternatives to firms holding client money, some firms did agree that third party managed accounts (TPMAs) may present less risk.

However, firms had concerns that using TPMAs could increase the risk of cyber crime due to the amount of funds in them. Costs of their use and visibility were also a key concern in this respect. Other firms thought that changes to the current regulations surrounding accountant reports should be strengthened, perhaps in favour of annual declarations.

The SRA knows that any change won’t happen immediately and no decisions have been made at present. An executive speaker for the SRA stated that it may be a case that a tech solution may be the answer, something which may not even be in existence yet. 

It’s a case of watching this space.

 

Handling Client Money - Residual Balances

We talked to Karen Edwards, Head of Professional Development at the ILFM, who found the conversation on residual balances intriguing.

Jayne Willetts, solicitor advocate, said that there is likely to be tightening up by the SRA on the issue of residual balances in the form of warning notices or additional guidance notes, but in her view she didn’t think the SRA will amend the Accounts Rules.

If you need Residual Balance Training – look no further – CLICK HERE.

 

High Volume Consumer Claims

The SRA currently has 60 live cases regarding law firms on this issue. They have published guidance to consumers on this point, which you can READ HERE.

The SRA realise that these types of funding (no win no fee as an example) are a vital access to justice for so many, especially when other funding methods are not available. 

The flip side is that there simply has to be better consumer protection overall. There have been significant problems and failings in this area, namely unstable funding models, lack of supervision, how ‘no win no fee’ models are sold/marketed to clients, as well as cold-calling and failings surrounding ATE/keeping clients up to date.

The SRA does, however, recognise that there are many claims firms doing a grand job, but the continued risks to consumers must be monitored and controlled.

Governance & Regulation of AI

The SRA recognises the importance of innovation in general.  

In many ways, however, we are still at the bottom of the hill in terms of our understanding of this fast-evolving landscape. In terms of what the SRA is doing in this area, it was said that it is producing guidance to help, whilst working with tech providers. The SRA is conscious that different firms/departments will have different AI needs.

The regulator says it has also been working with the Law Society on legal tools and the need for regulation surrounding this.

 

Question to SRA:  What can the SRA do to win hearts and minds? 

Answer: They recognise that the regulator must play its part and it recognises the need to engage with the sector… “talking and hearing”. This is why they wanted to do the Client Money Consultation differently rather than just set out proposals. They wanted to look at all of the evidence.

Question to SRA:  Supervision. Is the SRA just concerned about supervision on high volume claims or in general? 

Answer: Obligation to supervise must happen across the board.

On a side point, I read a post from John Hyde, Reporter at the Law Society Gazette.

He reported that the SRA insisted, on his questioning, that no decisions had been made on the future of the client account. He went on with his opinion post saying when asked how much money is held in law firm client accounts, the response was that the SRA didn’t know off the top of their head right now.

Hyde said that given that it was fundamental to the whole topic of client accounts, he might have imagined that the figure would be a key one. He concluded his short LinkedIn post saying, 

“The SRA is acting without truly understanding the profession or acquiring sufficient evidence”.

 

Plenary 1: AI On Trial: Felix Zimmerman from Simmons & Simmons (and others)

Felix specialises in negligence claims in firms, specifically surrounding AI use.

 

Conveyancing & Artificial Intelligence

The data came first in this talk. 

There were 1.2 million property transactions in the UK last year and an increase is anticipated. 

There is a drop in conveyancers, so this means fewer people doing more work. The conveyancing industry has a reputation for doing things slowly. However, an exciting development for this area of property transactional law is the use of AI Agents to assist (multi models), which can control the mouse and keyboard, log into people’s inboxes, draft emails and then put them in their draft inbox ready for the staff member to check and send out.

This is designed to improve efficiency. Teal Compliance will be keeping its eyes and ears open with regard to risk here.

 

Litigation & AI

There is now the ability to look at pleadings and review the prospects of success, thus reducing fee earners’ time on this.

 

Compliance & AI

There is a plethora of data online, Felix said, and reviewing all of this can take time. AML compliance, risk management etc. can cause frustration for everyone: fee earners and lawyers just want to get on with their own client work, and partner feedback explains that they are worried about their firm’s bottom line, time constraints, fees and the possible impact on client relations due to delays.

All of these stresses around compliance can significantly impact job satisfaction.

         

Replacing Staff? 

The average demographic of junior lawyers is 30 years and up now. There are concerns that they might be replaced by AI. 

Ultimately, AI is being built to empower and assist with the “heavy lifting” in a law firm. It’s important for the legal sector as a whole to understand that AI should not be delegated tasks which are not appropriate for it and which will negatively impact clients and the firm’s reputation, whilst also keeping the insurer satisfied.

The reality is that the next set of laptops being bought will have AI chips built into them; it’s a language model training tool.

It was suggested that if we are having to double check the work of AI assistance, is it worth it in the first place? 

Arguably yes, as it will still cut down a lot of time.

 

Question: Could firms face negligence claims for their failure to use AI?

Answer: Felix says yes, potentially, for example in commercial litigation. ‘Relativity’ software is commonly used in these departments to review disclosure and can provide much better selection than any team of paralegals would.

Question: Environmental Consequences -v- Commitment to Net Zero. 

Answer: Yes, recognise that there is a big environmental impact regarding use of AI e.g. use of water coolers for hard drives.

Question: What Training Should Firms Put in Place for AI Safety? 

Answer: An overview of solutions, limitations etc.

 

Economic Crime Concerns.

The panel consisted of Colette Best (Kingsley Napley), Anita Clifford (Red Lion Chambers), Andy Donovan (Vinci Works), Harriet Holmes (Thirdfort) and Nicola Kirby (Latham and Watkins).

The Dentons case was one of the first topics discussed. Let’s face it, it wasn’t a great result for the legal profession. HOWEVER, the saving grace is that it highlighted only serious breaches will result in the SDT getting involved.

The headline from the Law Society Gazette (article dated 11 March 2025) is:

“SRA overturns Dentons acquittal in AML case”

You can read the article written by Bianca Castro HERE. The judgment from the High Court said the ‘only evaluation’ required by the SDT ‘was whether or not the firm had complied with regulation 14 of the MLRs 2007’.

 

Source of Funds (SOF) and Source of Wealth (SOW): 

There are no anticipated changes to the legislation for source of funds / source of wealth.

The legislation states get it from the source “where necessary” so we are left to look at the LSAG Guidance. 

SOW is needed where a client is a PEP or in high risk jurisdiction. The difficulty with SOF/SOW is that a lot of it is a judgement call, making it a tricky area. Similarly, the legal profession is using terms interchangeably, which isn’t helpful. 

Generally speaking, get six months of documentation as a starting point, but with the possibility of having to go back several years for higher risk areas. Teal and the team will update any changes and of course we always have updates and webinars on this subject.

The panel said that documenting decision making is important, including the information considered and the action taken as a result.

 

Law Society’s 2025 focus on Risk and Compliance    

The Law Society outlined their Formal Response to the SRA Consultation on Client Money with the following points:

Government considerations were discussed including the question, should we dispose of Enhanced Due Diligence (EDD) for high risk jurisdictions i.e. make it more risk based? Should we have lower risk factors?

The SRA has said that sanctions need to be in FWRA, either within the AML one or a separate one. 

Trade sanctions should also be considered, especially if firms are at risk. 

The SRA is carrying out sanction visits on law firms it regulates. This is mostly following on from its earlier sanctions questionnaires. It’s usually a 1 day visit, with policies and interviews taking place. Do check with the SRA on this point if you have any concerns.

Accountants’ Reports – there was talk about asking firms to submit these every 3 years (at present law firms need to obtain an accountant’s report within six months of the end of each accounting period if they hold or receive client money; and this report should only be submitted to the SRA if it is qualified, meaning it identifies issues with compliance regarding client funds).

Enforcements – we should expect SRA enforcements to continue and don’t think the ‘change of guard’ (Paul Philip leaving) will change this!

 

SRA Thematic Review on AML Training October 2024 Findings:

There is a distinct and direct link between the quality of AML training and findings on files. Firms and the legal sector as a whole must move beyond “Tick-Box” training, something that Teal Compliance has been passionately focused on for a long time now.

The SRA is concerned that some firms treat AML training as a mere formality, rather than a crucial tool for preventing financial crime. The regulator stresses the need for training to be relevant, engaging, and tailored to the specific risks faced by each firm.

TEAL COMPLIANCE TRAINING – find out more of how our tailored, relevant and engaging training can support your law firm policies and procedures.

As mentioned a few times throughout the day, ‘Off the shelf’ training probably isn’t going to cut it. The SRA wants to see that the training is tailored to real life scenarios. AML training should be at the very least carried out annually.

It was said that there need to be systems in place for when someone misses AML training, including senior management and partners.

In terms of specific training, there was a recommendation for training that is interactive, such as “have a look at this” examples and “who do you think is the beneficial owner?”, i.e. a pin the tail on the beneficial owner type of situation. Great to know that Teal Compliance is doing this and more in all our training sessions.

Someone came out with this statement, which I loved: “If it has a heart beat, train it”.

It was concluded that treating templates as a final solution is wholly inadequate. Use them as a base, yes, and then meticulously adapt them to your firm’s specific requirements. This is one of the themes we see at Teal Compliance, a firm’s assumption that a template is enough. It’s not.

Have a look at our Policy Review and Writing HERE.

Regarding ongoing monitoring, Harriet Holmes said there was a necessity to document ongoing monitoring, even if there have been no changes to client or matter risk, and to make sure everyone understood the tools and technology they are using. She pointed out that if you get alerts, look at them in a timely fashion and solve any issues as otherwise it leaves you and your firm exposed.

Have you downloaded your TEAL TRACKER?


Code of Conduct and Culture in Law Firms

This session had panel speakers, Paul Bennett (Partner at Bennett Briegal LLP), Clare Hughes-Williams (Partner at DAC Beachcroft), Pearl Mosses (Head of Regulatory Compliance at Setfords Law Ltd), and Elizabeth Rimmer (CEO at LawCare).

Between the above speakers, it was agreed that firms need to have strong HR support and buy in to the employees, not just their employers.

Great leadership means leading by example, ensuring your team has trust in you, whilst having a transparent organisation that has the ability for staff to call out poor behaviour. HR and supportive teams must communicate throughout the firm what your culture is and embed it firmly. This should never be just a website policy saying how great you are with your culture and DEI, you have to show it through actions.

The following were suggested to manage risk as well as look after your staff and colleagues:

  • Anti-Bullying and Harassment training.
  • Performance reviews should be part of your culture.
  • Survey staff to find out what is the drive and motivations within your culture.

Elizabeth Rimmer, CEO of LawCare, reminded us that the charity was there for everyone in the legal sector. It’s a place of confidentiality and no judgement.

LawCare has been in place since 1997 and 2024 was their busiest year apart from 2020 (lockdown).

The charity findings say that a review of your hierarchy behaviours could flag up some vital change requirements as they are seeing a culture in many firms on the premise that “it’s how things are done round here” which isn’t sustainable for retaining great staff or business growth.

With the topic of psychological safety at work, questions that you might ask yourself are:

  • Do you and your colleagues feel valued?
  • Is constructive criticism in place?
  • Is there a fear of raising mistakes (i.e., if I own up to a mistake, might I lose my job or be judged?)
  • How do we learn from this as a culture (when mistakes happen – because they will happen!)?
  • Is there a subtle blame culture?
  • What are our inherent risks that might hinder our staff’s mental health?
  • Is there a lack of supervision when it comes to bullying and harassment?

Overall, this was a really great session to bring the day to a close.

      

Eilish Cullen’s Conclusion of Risk & Compliance Conference Talks

For me, I found the conversations and topics around the evolving risk and compliance landscape to be as follows:

There is an increasing complexity of risk and compliance for law firms, not only traditional AML and regulatory risks, but also reputational risks, which are now receiving greater scrutiny.

The role of risk and compliance professionals is evolving to encompass a wider range of responsibilities.

When it came to culture and legal ethics it was very evident that the SRA is placing greater emphasis on firm culture and well-being. We know from speaking with our friends in insurance that this is a big factor for protecting firms against risks because having a strong moral and ethical culture is seen as essential for reducing errors and improving client outcomes.

Discussions also focused on the need to balance regulatory priorities with lawyers’ ability to advocate for their clients.

The conference underscored the insufficiency of generic compliance templates. Law firms must recognise this and develop tailored AML strategies to meet the demands of the current regulatory environment. 

If you’d like to chat with me directly or find out how my colleagues can support you, please do get in touch with me: eilish@tealcompliance.com or you can get hold of any of us HERE


Handy Hints for those new to the role of a COLP and MLRO in a law firm

New to the role of COLP and MLRO?

Firstly, if you’re new to the role of a compliance officer in your law firm, congratulations! If you’re the MLRO or the COLP, which are key positions in a law firm, getting to grips with our Handy Hints will help you stay on top of regulatory expectations and best practices.

If you haven’t downloaded it already, our Guide to Source of Wealth & Funds for Law Firm Compliance is a must-have.

Here are some of our key tips, plus practical guidance written for you, if you’re new to the role in a law firm in England or Wales.

As MLRO, your primary duties include:

  • Receiving and assessing Suspicious Activity Reports (SARs) from staff
  • Deciding whether to report suspicions to the National Crime Agency (NCA)
  • Keeping a clear and auditable record of decisions
  • Ensuring compliance with the Money Laundering Regulations 2017 (as amended)
  • Keeping up-to-date with Sanctions Regimes (especially in light of post-Brexit UK sanctions)

As COLP, your duties include:

  • Ensuring compliance with the SRA Code of Conduct and SRA Principles
  • Reporting serious compliance breaches to the SRA
  • Acting as the firm’s ‘whistleblower’ for misconduct

If you don’t already have a TOOLKIT then you can get hold of our TEAL TRACKER HERE which will get you off to a great start.


Some key documents and sources you must be familiar with:

  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended)
  • Proceeds of Crime Act 2002 (POCA) – especially on offences like failure to report and tipping off
  • SRA’s Anti-Money Laundering (AML) Guidance
  • Legal Sector Affinity Group (LSAG) AML Guidance – this is tailored for law firms
  • Sanctions and Financial Crime Guidance from the Office of Financial Sanctions Implementation (OFSI)

3. Risk Assessment & Client Due Diligence (CDD)

  • Ensure your firm-wide AML risk assessment is up-to-date
  • Make sure your firm is risk-based – i.e., clients, transactions, and matters are assessed for risk at the outset and on an ongoing basis
  • Implement proper Know Your Client (KYC) checks – ID verification, beneficial ownership checks, source of funds/wealth assessments
  • Make use of electronic verification tools, but don’t rely on them alone
  • High-risk clients (PEPs, high-net-worth individuals, complex structures) require enhanced due diligence (EDD)
  • Have a clear matter risk assessment process that all fee-earners follow

4. SARs & Internal Reporting

  • Train staff on how to spot red flags (e.g., unusual payments, urgent last-minute changes in payments, complex company structures, reluctance to provide information)
  • Have a clear SAR reporting process – encourage staff to report suspicions internally first (to you as MLRO)

If you file a SAR to the NCA, remember:

  • You mustn’t tip off the client
  • You may need a Defence Against Money Laundering (DAML) before proceeding with a transaction
  • Keep a clear record of why you did/didn’t report

 

HOW WE CAN SOLVE YOUR COMPLIANCE HEADACHES

 

  • AML SORTED Programme (for medium to large sized law firms) CLICK HERE
  • AML SORTED Programme (for small law firms) CLICK HERE
  • Regulatory SORTED Programme (for medium to large sized law firms) CLICK HERE
  • Regulatory SORTED for Small Firms Programme (for small law firms) CLICK HERE

5. Training & Staff Engagement

  • Provide regular AML training for all fee-earners and staff
  • Training should be practical – use real-life examples of risks in legal work
  • Ensure all new joiners get AML training as part of induction
  • Encourage an open culture where staff feel comfortable raising concerns

6. Staying Compliant with the SRA

  • Be prepared for SRA AML Audits – they’ve increased spot checks on firms
  • Ensure your Policies, Controls, and Procedures (PCPs) are documented and kept up-to-date
  • If you’re ever unsure about an issue, document your reasoning before making a decision
  • Keep a register of AML breaches and near-misses
  • Attend their Compliance Conference each year


7. Managing Stress & Your Own Risk

  • Keep an audit trail of key AML decisions – this protects you if questioned by the regulator
  • Use external resources and networks – join MLRO/COLP forums for peer support
  • If in doubt, seek external legal or compliance advice rather than making risky decisions alone
  • LawCare is the legal sector’s charity, supporting us in our roles in law firms. Their helplines are confidential; if you’re struggling with stress, please contact them. They’re excellent, and all the volunteers on the helplines have either worked in law or still do, i.e. they “get it”.

READ THIS ARTICLE FOR FURTHER INSIGHTS

House purchase source of funds and wealth due diligence for AML compliance

Need Help?

Did you know that Teal provides specialist training to both COLPs and MLROs? If you want to find out more, simply GET IN TOUCH HERE.


How to Master the Tricky World of the Source of Funds and Wealth

AML compliance can feel like walking a tightrope, right? Especially when it comes to a client’s source of funds and wealth. It’s a balancing act: you need to be flexible enough to handle all sorts of clients, but you also need a rock-solid strategy for managing risk. 

At Teal Compliance we hear that it can be hard to have the conversation around source of funds and source of wealth with a well-paying existing client, or with those who have a high net worth.

If you haven’t downloaded it already, our Guide to Source of Wealth & Funds for Law Firm Compliance is a must-have.

Here are my thoughts on how law firms should nail the risk-based approach to source of funds and wealth verification, keeping you compliant without slowing things down.

Think of your clients and transactions like a deck of cards – some are higher risk than others. Maybe you’ve got clients from countries with shaky AML rules, or maybe their business structure is a bit of a maze. 

Whatever the reason, I suggest you begin by categorising them.

Once you’ve sorted them, decide what level of due diligence each category needs. Basic checks for some, the full nine yards for others. And don’t forget to keep your toolkit updated! Regulations change, the market shifts, and new risks pop up all the time.

If you don’t already have a TOOLKIT then you can get hold of our TEAL TRACKER HERE which will get you off to a great start.

Certain transactions, like residential conveyancing (a classic money laundering route as you will know) and corporate acquisitions, just scream “high risk.” For these, you need clear, standardised policies. 

Within your AML Policy, you should spell out exactly what you consider to be acceptable proof of source of funds and wealth. For example, if funds are coming from a sale being handled by another law firm, you may want your fee earners to get a completion statement from that law firm along with a bank statement from the client showing the funds being deposited. You should also build flexibility into your policy, because what happens when a transaction throws you a curveball? Your policy should tell you how to handle it.

Our SORTED Programmes can help you spot the gaps in your compliance and fix them.

Step 3: Train Your Team – Make Them Risk Detectives!

Handling High-Risk Transactions

Your team needs to be sharp when it comes to risk. I can’t emphasise enough how your training should be FIRMWIDE. 

From your MLROs and COLPs to your receptionists, each one should be able to spot risk at the start of a new client onboarding process and a new transaction, keep an eye on it during ongoing monitoring, and double-check everything, whilst having the confidence to ask for help or backup if they need it. A no-fear culture is seriously important.

And here’s my pro tip: document everything. Why did they assess the risk the way they did? Write it down. It not only protects your firm but also shows you’re serious about compliance. Your PII firm will appreciate your documented communications and it will help should you ever get a visit from your regulator.

 


The UK Bank Account Myth: Don't Get Caught Out!

Let’s bust a myth that’s been doing the rounds for way too long: just because money’s in a UK bank account doesn’t mean it’s clean. Big banks have been in hot water for money laundering, so don’t assume anything.

 

Myth #1: UK Bank Account = Clean Money

Nope. Even the most reputable banks can have dirty money flowing through them. Just because it’s in a UK account doesn’t automatically make it legit.

  • Action: Always do your own due diligence on the source of funds, no matter where they’re held. Trace the money back to its origin and make sure the client’s story matches the documents.

Myth #2: The Bank’s Already Checked It

Maybe the bank did file a Suspicious Activity Report (SAR), but they might still have to release the funds. It doesn’t mean you’re off the hook.

  • Action: Treat every transaction like it’s brand new. Even if a bank has cleared the funds, your firm needs to verify the source and make sure everything is AML-compliant.

Bottom Line: Don’t fall for the UK bank account myth! It’s a trap. By understanding the limitations of relying on bank checks and doing your own thorough due diligence, you can keep your firm safe.


In conclusion...

If you find you are putting off having that awkward conversation with a client (or indeed that well-paying existing or high-net-worth client) about having to do some comprehensive checks as to where their funds are coming from, you can simply blame it on legislation! Come what may, you, as a solicitor, compliance officer, CILEx lawyer, paralegal, Senior Partner… have to adhere to the AML regulations by performing comprehensive checks to authenticate identities, proof of address, and source of funds and wealth.

Would you rather have a short, possibly tricky conversation with a client, or potentially face a serious consequence? No one wants a huge fine or to go to prison.

As an example, if you are a conveyancer, you have to follow the rules to make sure the money used to buy a property isn’t from the proceeds of crime. It’s not just about ticking boxes for your law firm, you have to be smart and proactive in the fight against financial crime. 

Let’s be honest, nobody wants their firm involved in money laundering. That’s where risk assessments come in. They’re like a health check for your business, helping you identify potential vulnerabilities so you can take action. By understanding the risks, you can put smart controls in place and keep things running smoothly (and legally!).

It’s never too late to get compliant, and it’s definitely never too early to begin the process.

You can email me directly, or any of my team to find out how Teal can help support you, your reputation and your clients.

Please remember that Teal Compliance is your go-to AML and Risk Management Partner and we have a variety of packages available to support you, your colleagues and of course, your clients!

To find out more, click HERE and come what may, we look forward to supporting you soon.


Understanding the Anti-Money Laundering Definition of ‘Suspicion’

When it comes to anti-money laundering (AML) regulations, one term that often baffles legal practitioners is ‘suspicion’. Understanding its nuances is crucial for compliance officers to navigate the complex landscape of AML requirements in the UK.

In this blog post, we’ll delve into the anti-money laundering definition of suspicion, exploring its interpretation by the courts, its implications for compliance, and practical considerations for identifying and reporting suspicious activities.

Anti-money laundering definition of ‘suspicion’

When it comes to the anti-money laundering definition of suspicion there are several things to note. 

1. The evolution of suspicion: From undefined term to crucial concept

Over the years, there have been notable developments in legislation and regulations concerning the interpretation of ‘suspicion’ within the context of anti-money laundering (AML) efforts. While the term remains undefined in statutory law or regulatory frameworks, judicial precedents and industry guidance have played a crucial role in shaping its interpretation and application.

2. Understanding the Law Commission's insights on Suspicious Activity Reports

One significant development is the Law Commission’s review and recommendations regarding the Suspicious Activity Reports (SARs) regime. In June 2019, following a consultation that began in 2018, the Law Commission published its findings and recommendations, acknowledging the complexity and vagueness surrounding the concept of suspicion.

3. Navigating the ambiguity of suspicion

The report highlighted that the current test for suspicion is often misunderstood and not properly applied by reporters, resulting in a high volume of poor-quality SARs. Despite these challenges, the Law Commission declined to recommend providing a statutory definition of suspicion. Instead, it recommended that the Secretary of State should publish guidance on suspicion and that there should be a prescribed form for the making of SARs.

Additionally, the Law Commission proposed the establishment of an Advisory Board to review the reporting threshold and consider whether it should be increased after conducting further research on the quality of disclosures under the current regime.

4. Implications for compliance

These recommendations reflect ongoing efforts to enhance the effectiveness and efficiency of AML regulations while addressing the challenges associated with interpreting and applying the concept of suspicion. Compliance officers and legal practitioners must stay abreast of these regulatory developments and incorporate them into their compliance strategies to ensure adherence to AML requirements and mitigate the risk of financial crime.

Understanding suspicion within AML

The concept of ‘suspicion’ lies at the heart of AML legislation, compelling lawyers to report any inkling of potential money laundering by their clients. Understanding this fundamental aspect is critical for compliance officers to fulfil their obligations effectively within the anti-money laundering definition.

1. Subjectivity in interpretation

However, despite its pivotal role, the term remains undefined in statutory law or regulatory frameworks. Instead, the courts have been tasked with deciphering its meaning, leading to a subjective and evolving understanding. This lack of a concrete definition underscores the complexity surrounding suspicion within the context of AML compliance.

2. Judicial precedents

In the landmark case of R v Da Silva, the courts established pivotal insights into the nature of suspicion. It was explained that suspicion involves more than a vague feeling of unease but doesn’t necessitate a clear or firmly grounded belief. Rather, it requires a genuine consideration that there exists a possibility, more than fanciful, of illicit activities. This interpretation emphasises the nuanced and contextual nature of suspicion, urging practitioners to exercise judgement in their assessments.

3. Navigating the fine line

This subjective nature of suspicion poses challenges for compliance officers, who must navigate a fine line between vigilance and unfounded accusations. Balancing the necessity to report potential risks, with the need to avoid unjustified allegations, demands a careful approach. Practitioners must weigh available evidence and related factors carefully, ensuring that their suspicions are grounded in reasonable assessments rather than unfounded assumptions.

Reasonable grounds for suspicion in AML

Moreover, the law introduces the concept of ‘reasonable grounds’ for suspicion, raising questions about the necessary mental element for compliance within the anti-money laundering definition.

1. The case of R v Sally Lane & John Letts

The case of R v Sally Lane & John Letts serves as a helpful precedent in understanding the significance of reasonable grounds for suspicion. This landmark case underscored that while actual suspicion isn’t mandatory for culpability, objective evidence providing reasonable grounds for suspicion is sufficient to establish guilt.

2. Compliance implications

The distinction between actual suspicion and reasonable grounds for suspicion emphasises the importance of judgement and diligence in assessing potential risks of money laundering activities. Compliance officers must meticulously evaluate available evidence, ensuring that suspicions are grounded in objective indicators rather than subjective assumptions. By adopting a thorough and evidence-based approach, practitioners can uphold the integrity of AML compliance efforts and effectively mitigate risks within their law firms.

Identifying suspicious activities

Recognising suspicious activities is essential for compliance officers tasked with reporting obligations within the anti-money laundering definition.

Understanding the indicators of potential money laundering is paramount for effective risk mitigation. Several warning signs may signal illicit activities, including:

1. Transactions lacking economic rationale

Transactions that lack a clear economic purpose or appear disconnected from the client’s legitimate business activities should raise red flags. Compliance officers should scrutinise such transactions carefully to assess their legitimacy and potential for money laundering.

2. Unusual client behaviours

Unusual behaviours shown by clients, such as reluctance to provide information or engaging in atypical transaction patterns, may indicate attempts to conceal illicit activities. Compliance officers should remain vigilant and investigate further when encountering such behaviours.

3. Use of offshore accounts without justification

The use of offshore accounts or structures without legitimate business reasons can be indicative of attempts to evade regulatory scrutiny and launder illicit funds. Compliance officers must thoroughly examine the rationale behind offshore transactions and assess their compliance with anti-money laundering regulations.

4. Adhering to industry guidance

Familiarising yourself with industry guidance and best practices is crucial for the effective identification of suspicious activities. Compliance officers should stay updated on regulatory developments and leverage industry resources to enhance their understanding of money laundering risks and mitigation strategies. This is why compliance training is so important!

Document certification considerations

In addition to understanding suspicion within the anti-money laundering definition, compliance officers must also scrutinise clients’ identification documents carefully, and consider the following:

1. Certifier’s reputation and identifiability

Certifying documents requires careful consideration of the certifier’s reputation and identifiability. Compliance officers must ensure that certifiers are reputable professionals or individuals in positions of trust, such as solicitors, bankers, or notaries. It’s essential to verify the certifier’s credentials and confirm their ability to accurately assess and certify documents.

2. Competency in document inspection

Compliance officers must ascertain the certifier’s competency in document inspection. Certifiers should possess the necessary skills and expertise to recognise authentic documents and identify any discrepancies or signs of tampering. Thorough training and ongoing professional development are essential to ensure that certifiers can fulfil their responsibilities effectively.

3. Verifying document authenticity

Verifying the authenticity of client identification documents is paramount to keeping the integrity of due diligence processes. Compliance officers should implement robust procedures to verify the authenticity of documents, such as conducting background checks, verifying references, and cross-referencing information with reliable sources. Any suspicions about document authenticity should be investigated promptly and thoroughly.

4. Confirming true likeness

Confirming true likeness, especially for documents containing photographs, is crucial to prevent identity fraud and misrepresentation. Compliance officers must ensure that the individual depicted in the photograph matches the identity of the client presenting the document. This verification process helps mitigate the risk of identity theft and ensures the accuracy and integrity of client identification procedures.

Get in touch

At Teal, we’re here to support your journey towards compliance that works.

We understand that compliance can be a daunting word, but it’s also the key to unlocking your firm’s full potential.

 

Our experts at Teal Compliance are here to help. Get in touch today to explore tailored solutions and ensure your firm stays ahead of regulatory requirements.


The Teal Tracker’s New Feature: Root Cause Analysis Process

The Teal ‘Root Cause Analysis Process’, or ‘RCAP’, is a new, groundbreaking feature of the Teal Tracker. Here we explain what it does, how it works and how it can benefit you. 

What does the Root Cause Analysis Process do?

The Root Cause Analysis Process forms part of the Incident Management module in the Teal Tracker, and is yet another example of how law firms can use their compliance data to help reduce the future risk of claims, complaints and breaches.

At its core, it assists in identifying trends and reducing incidents through identification, analysis and learning, which will in turn protect clients, the firm and the team.

How does the Root Cause Analysis Process work, and how is AI involved?

The RCAP feature uses AI to assist firms in identifying root causes of issues or near misses. It forms part of the Teal Tracker’s Incident Management module, whereby firms can analyse incidents to drill down to root cause.

As with all our new features in the Teal Tracker, we’ve extensively asked our law firm partners how they would best like to see this work in practice, so its design is simple and intuitive.

Teal Tracker subscribers are invited to carry out a Root Cause Analysis Process using the ‘five whys’ methodology principle, which is a standard engineering concept developed way back in the 1950s for Toyota’s production line. It is, at its core, really simple. The principle is that if you ask ‘why’ something went wrong five times, you’ll likely drill down to arrive at the core answer.

But the Teal RCAP combines this tried and tested practice with AI to generate the next response to each of the ‘five whys’ questions and to confirm the root causes and their weightings. This smartly assists users in drilling to the key root cause or causes, and skillfully assists law firms in getting to the true root cause and the granular detail of issues.

This is then automatically exported to the Teal Tracker’s management reports functionality. In turn, this allows trend analysis to be systematically identified in detail, and reflected back to the firm to ensure they can both learn and improve in the key areas they really need to focus on.

Why has Teal integrated AI into the Root Cause Analysis Process?

Teal has integrated generative AI into the solution so that AI can smartly create the next drill down question to ultimately display what has actually happened and its cause. This means users have smart options to drill down into the issues and figure out what precisely occurred and what contributed to each particular problem.

It will give the firm much more useful and intelligent data on which to make decisions or to deploy resource. This will assist in better use of budgets for training or capacity as well as ultimately reducing the number of claims, complaints and breaches that occur.

How is the Root Cause Analysis Process working in practice?

Teal has been trialling the solution in full, in live environments for some time and it’s working extremely well. That’s why we’re now proud to be able to roll-out this groundbreaking feature to all our Teal Tracker law firm partners. 

Want to know more about the Teal Tracker?

At Teal, we’re here to support your journey towards compliance that works. Our compliance technology platform, Teal Tracker, is the solution to your compliance issues, ensuring you, your firm and your clients are safe. 

To find out more about the Teal Tracker, or to book a demo, contact our team today!


Demystifying the role of a DPO: What is a Data Protection Officer?

At Teal, we’re often asked questions about whether law firms need a Data Protection Officer (DPO). In this blog, we’ll answer the question ‘what is a Data Protection Officer?’ and go through what the guidance says, when a DPO must be appointed, who can be a DPO, and the crucial role they play in ensuring GDPR compliance.

What is a Data Protection Officer (DPO)?

The primary responsibility of a Data Protection Officer is to inform and advise the organisation and staff on GDPR compliance. This comprehensive role encompasses monitoring compliance, raising awareness, training staff, conducting internal audits, and serving as the initial point of contact for supervisory authorities and individuals affected by data processing. The DPO takes centre stage in adopting a risk-based approach, concentrating on high-risk activities and actively participating from the earliest stages in decision-making processes.

Additionally, it’s important to emphasise that a DPO extends beyond their immediate responsibilities. Although not directly accountable for overall compliance – a duty retained by the data controller or processor – the DPO undeniably assumes a key role in the oversight of the implementation of the data protection strategy. Their invaluable contribution becomes instrumental in ensuring the organisation fulfils its data protection obligations, thereby setting up a solid foundation for a robust and compliant approach.

What the guidance says about DPOs

Under the GDPR, the appointment of a Data Protection Officer (DPO) is a nuanced decision. Some organisations find it mandatory, while others may opt for a voluntary appointment or decide it’s unnecessary. The WP29 guidance, which replaced the European Data Protection Supervisor, advises organisations to document internal analyses to determine DPO necessity. The default assumption is that a DPO is needed unless proven otherwise. This commitment to GDPR compliance places specific obligations on the appointed DPO.

GDPR requirements

GDPR outlines scenarios requiring a DPO, including when an organisation is a public authority, engages in regular monitoring of individuals, or processes large-scale special data categories. The flexibility of sharing a DPO between organisations and the possibility of an existing employee taking on the role highlights the pragmatic approach of GDPR.

The Data Protection Bill

The Data Protection Bill seamlessly incorporates GDPR into UK legislation, addressing general processing and the Law Enforcement Directive. While not all businesses are obligated to appoint a DPO, adhering to best practices suggests appointing someone solely responsible for data privacy matters. 

Embracing the GDPR principles of privacy by design, having a dedicated data protection champion within your business is considered essential. This strategic move aligns with the evolving legal landscape, emphasising proactive measures for privacy and data protection.

When must a Data Protection Officer be appointed?

Under the GDPR, a DPO must be appointed if the organisation is a public authority, engages in large-scale monitoring of individuals, or processes large-scale special categories of data or data related to criminal convictions.

The definition of ‘large scale’ isn’t outlined, but the guidelines say you should consider the following factors:

  • The number of data subjects concerned
  • The volume of personal data being processed
  • The range of different data items being processed
  • The geographical extent of the activity
  • The duration or permanence of the processing activity

Should you decide not to appoint a DPO, GDPR requires organisations to maintain records of their processes and any data breaches. Ensuring your business has adequate staff and resources is crucial to effectively fulfil its obligations under the GDPR.

Who can and can't be a Data Protection Officer?

The GDPR stance on appointing a DPO centres on their ability, experience, and knowledge of data protection law. While the regulations don’t suggest specific credentials, they stress that these qualifications should align with the type of processing undertaken, considering the necessary level of protection of personal data. A DPO having familiarity with your industry, sector, and the intricacies of your data protection needs enhances their effectiveness.

Opting for an external DPO is a strategic move to avoid potential conflict issues. This approach proves invaluable when an internal candidate isn’t readily available within your business to undertake the role.

The WP29 guidance offers valuable insights into individuals within a firm who are ill-suited for the DPO role due to potential conflicts of interest. This includes high-ranking positions like:

  • Chief Executive Officer
  • Chief Operating Officer
  • Chief Financial Officer
  • Head of Marketing
  • Head of Human Resources
  • Head of IT

Less senior roles may also pose conflicts if they involve deciding the purpose and means of processing.

For law firms, the Compliance Officer for Legal Practices (COLP) may be a suitable DPO, depending on their other responsibilities. The GDPR ensures DPOs receive the necessary support, maintain independence, and enjoy protected employment status, shielding them from unjust actions for performing their duties.

Law firms and Data Protection Officers

According to insights from the Law Society, the consensus is that most law firms might not require the appointment of a Data Protection Officer (DPO), because they typically don’t engage in systematic monitoring of data subjects on a large scale. This viewpoint was first outlined in a March 2018 article and then recapped in August 2019 in “Appoint a Data Protection Officer (DPO)”.

Exceptions arise when law firms handle special categories of data, such as health, ethnicity, political or religious beliefs, trade union membership, or the sexual orientation of their clients. In such cases, especially if processing occurs on a large scale, the consideration for a mandatory DPO appointment gains significance.

Opting for a voluntary DPO appointment can be beneficial, particularly when uncertainty exists. Seeking specialist advice is advisable for firms lacking expertise in data protection. Law firms are encouraged to keep a concise record of their decision-making process.

The decision to appoint a Data Protection Officer (DPO) is important, but regardless of your choice, promoting awareness amongst all staff about the individual handling data protection matters is crucial. This person, whether a DPO or another designated individual, should have a direct line to top-level management.

It’s important to clarify that, if appointed, a DPO isn’t directly responsible for overall compliance – that responsibility lies with the data controller or processor. Nevertheless, the DPO, along with other appointees, plays a key role in overseeing the implementation of the data protection strategy and fulfilling the organisation’s obligations.

Get in touch

At Teal, we’re here to support your journey towards compliance that works.

We understand that compliance can be a daunting word, but it’s also the key to unlocking your firm’s full potential.

Get in touch with our experts to find out how we can help with data protection compliance.
