The Solicitors Regulation Authority doesn't publish a technical IT checklist, but the SRA Standards and Regulations - and the Code of Conduct for Firms - place clear duties on your practice. Client confidentiality, competent service, effective supervision and accurate records all have an IT dimension, and the Legal Ombudsman and ICO increasingly treat weak controls as regulatory failings rather than bad luck.
If you're reviewing IT support for your firm, this is the ground it needs to cover.
Client confidentiality has to be enforced by systems, not policies
Confidentiality is Principle 6 of the SRA Standards. A written policy is the starting point - the real test is whether your systems make breaches unlikely. That means role-based access to matters, least-privilege permissions in SharePoint or your DMS, multi-factor authentication on every account, and encryption of data at rest and in transit as standard.
Fee-earners shouldn't be able to see matters they aren't working on. Support staff should have access scoped to what their role requires. And when someone leaves, offboarding should revoke every credential the same day.
Data protection means UK GDPR, the DPA 2018 and the DUA Bill
The regulatory picture is layered. UK GDPR and the Data Protection Act 2018 already require lawful bases, retention limits, subject access response and breach notification within 72 hours. The Data (Use and Access) Bill (DUA Bill) adds new expectations around automated decision-making and international transfers that many firms will need to review.
Good IT support for law firms translates this into practice: retention rules that actually expire files, DLP policies that stop client data leaving via personal email or USB, and audit logs that let you answer a subject access request or a regulator quickly rather than in a panic.
Audit trails are your defence when something goes wrong
The SRA and the Legal Ombudsman look at what you can prove, not what you intended. Microsoft Purview, Defender and the Microsoft 365 audit log can capture who accessed which matter, when files were shared externally, when a mailbox rule was created and when sign-ins looked suspicious. Firms without those logs enabled - or with logs no-one has ever queried - are working blind.
Supervision extends to the tools your fee-earners use
Rule 3 of the Code of Conduct for Firms requires effective supervision. Shadow IT - a fee-earner using a personal Dropbox to share a bundle, or a paralegal running unapproved AI tools over client data - undermines that. A managed IT partner should be surfacing this, blocking risky data flows and giving you visibility of what's actually in use across the firm.
Business continuity is a client-outcome question
If your case management system is down for a day, that's not just an IT issue - it's a service issue you may have to explain to clients and, potentially, the SRA. Tested backups, documented recovery time objectives and a cyber incident playbook are baseline for a modern firm, not a nice-to-have.
Where to start
Most firms don't need to rebuild from scratch - they need an honest gap analysis against SRA duties, UK GDPR and the Microsoft security controls they're already paying for inside their Microsoft 365 licences. From there it's usually a 90-day roadmap: identity and access first, then data protection controls, then monitoring and incident response.
See how our IT support for law firms works, or get in touch to talk through where your firm currently sits.