GDPR and AI in UK law firms: what applies to your compliance data
When a law firm uses AI to process client AML data, UK GDPR obligations apply to the firm as controller. This guide covers lawful basis, data residency, sub-processor chains, and what a compliant DPA from an AI vendor must contain.
Who is the data controller?
The law firm is the data controller for client compliance data. An AI vendor that processes that data on the firm's instruction is a data processor under UK GDPR Article 4(8). This means the firm must have a written Data Processing Agreement (DPA) with the AI vendor before any client data is processed — this is a legal requirement, not a best-practice recommendation. The DPA must specify: the subject matter and duration of processing, the nature and purpose of processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.
Practically, this means no AML AI vendor should process your client data without first providing a compliant DPA and allowing you to review it. We will provide ours before any pilot commences and will not process client data without a signed DPA in place.
Data residency and the sub-processor chain
UK GDPR restricts transfers of personal data outside the UK to countries without an adequacy decision unless specific safeguards apply. For AI compliance tools, the critical question is: where does the AI model run, and where is the data processed? Many AI vendors use US-hosted models (OpenAI, Google, Anthropic's direct API) — which means client data transits to the US, requiring reliance on the UK-US data bridge or standard contractual clauses. This is a permissible but more complex position to maintain.
We run AI inference via AWS Bedrock in eu-west-2 (London). Data does not transit to the US or to non-UK/EU infrastructure. Bedrock provides zero data retention (ZDR) by contract — prompts and outputs are not retained after the API call completes. Our DPA will reflect the full sub-processor chain: AWS (infrastructure + Bedrock), and any analytics tools we use. We publish our sub-processor list and update it 30 days before any new sub-processor is added.
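The residency point above (inference only in eu-west-2, nothing transiting to the US) is something a firm's own engineers can enforce and audit rather than take on trust. The Python below is an added example written for this guide, not the vendor's code or AWS's: it generates an IAM deny policy using the real aws:RequestedRegion condition key against the Bedrock invoke actions, and checks that a client's configured region and endpoint URL actually point at London. The configuration dictionaries and endpoint URLs are constructed sample inputs; the policy statement name and the function names are assumptions.

```python
"""Region guardrail for an AWS Bedrock inference path (added example, not vendor code)."""
import json
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the firm permits model inference only in the London region named in the guide.
ALLOWED_REGIONS = ("eu-west-2",)


def region_from_endpoint(endpoint_url: str) -> Optional[str]:
    """Extract the region from a Bedrock endpoint hostname.

    Bedrock endpoints follow the shape <service>.<region>.amazonaws.com, e.g.
    bedrock-runtime.eu-west-2.amazonaws.com. Returns None for anything else.
    """
    host = urlparse(endpoint_url).hostname or ""
    parts = host.split(".")
    if len(parts) >= 4 and parts[-2:] == ["amazonaws", "com"] and parts[0].startswith("bedrock"):
        return parts[1]
    return None


def endpoint_is_in_allowed_region(endpoint_url: str, allowed=ALLOWED_REGIONS) -> bool:
    """True only if the endpoint hostname names one of the allowed regions."""
    return region_from_endpoint(endpoint_url) in allowed


def bedrock_region_guardrail_policy(allowed=ALLOWED_REGIONS) -> dict:
    """IAM policy document that denies Bedrock model invocation outside `allowed`.

    Attach it as an SCP or identity policy. StringNotEquals with a list means the
    deny fires whenever aws:RequestedRegion matches none of the listed regions.
    The Sid is an assumed name.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBedrockInvokeOutsideLondon",
                "Effect": "Deny",
                "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed)}},
            }
        ],
    }


def audit_client_config(config: dict) -> List[str]:
    """Return findings for a client configuration dict (region_name, endpoint_url).

    An empty list means the configuration keeps inference inside the allowed regions.
    """
    findings = []
    region = config.get("region_name")
    if region not in ALLOWED_REGIONS:
        findings.append(f"region_name {region!r} is outside the allowed regions {ALLOWED_REGIONS}")
    endpoint = config.get("endpoint_url")
    if endpoint and not endpoint_is_in_allowed_region(endpoint):
        findings.append(f"endpoint_url {endpoint!r} does not point at an allowed region")
    return findings


# Constructed sample configurations: one compliant, one that would send data to the US.
SAMPLE_CONFIGS = {
    "london": {"region_name": "eu-west-2", "endpoint_url": "https://bedrock-runtime.eu-west-2.amazonaws.com"},
    "virginia": {"region_name": "us-east-1", "endpoint_url": "https://bedrock-runtime.us-east-1.amazonaws.com"},
}


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        findings = audit_client_config(cfg)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print(json.dumps(bedrock_region_guardrail_policy(), indent=2))
```

The policy is the control; the audit function is the detection. A client library that silently falls back to a default region, or an operator who sets endpoint_url by hand, is exactly the failure the audit catches before the deny policy would surface it as a runtime error.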
Informational only. Not legal advice. Verify against current ICO guidance and UK GDPR as amended. Last updated June 2026.