The Data Use & Access Act (DUAA) has brought in a right for people to people to complain to the controller; controllers can stop the clock to clarify the request where this is reasonably required; and there is a requirement to make reasonable and proportionate searches.
If someone considers that you've infringed data protection legislation because of the way you've handled their personal information (or the personal information of someone they're acting on behalf of), they can complain to you. These measures come into force on 19th June 2026.
Get ready!
How to prepare to handle data protection complaints: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/how-do-we-prepare-to-handle-data-protection-complaints/
What to do when you receive a complaint: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-when-we-receive-a-complaint/
What to do after you have finished your investigation: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-after-we-ve-finished-our-investigation/
How the ICO deals with complaints: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/how-does-the-ico-deal-with-complaints/
Data Protecetion Help
Let us know if you need help. Fill in the form below.
The ICO issued in December 2025 revised guidance on Rights of Access. This is commonly referred to a 'Subject Access. It gives people the right to obtain a copy of their personal information from you, as well as other supplementary information.
Here is a link to the updated guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/ It has been updated to take into account changes brought in by the Data Use & Access Act (DUAA). How organisations handle subject access requests is the ICO's most complained about issue.
Help Dealing with a Subject Access Request (SAR)
We can help you navigate what you should do and how you might liaise with the ICO. Fill in the form below and we will be intouch!
Big change. The OFSI Consolidated List of Asset Freeze Targets is closing on 28th January 2026 and will no longer be updated. The only updated list for you to check will be the UK Sanctions List: https://www.gov.uk/government/publications/the-uk-sanctions-list. Here's a link to the article about this: https://www.gov.uk/guidance/moving-to-a-single-list-for-uk-sanctions-designations-28-january-2026 Make sure you update your paperwork and educate staff – so they don’t search against the old redundant list.
For Help with Sanctions Compliance
Sanctions Policy Documents & FWRA Review
Sanctions Regime - Independent Compliance Audit
The judgement in the Mazur case focused on who may conduct litigation – a reserved activity. Many litigation departments use paralegals to do a lot of the work. The judgment caused some concern. Here is the link to the SRA’s guidance in the light of this judgment in case you missed it: SRA | Mazur and conducting litigation | Solicitors Regulation Authority
The MOJ has just published a consultation paper on this proposal. Deadline for submitting responses is 9th February 2026.
They are clearly look at where they can raise money to improve the Justice System. There can be little disagreement that it needs to be improved. Currently interest earned on Client Account (not Separate Designated Accounts) is often taken by solicitors firms and put into the pot of income for the firm. Interest earned on Separate Designated Client Accounts is sent to clients. The MOJ is proposing that banks pay direct to HMRC a) 75% of the interest earned on the general Client Accounts and b) 50% of the interest earned on the Separate Designated Accounts. We will have to see if this goes through. We think that a) will and there is a good chance that b) will as well.
There will be regulatory and contractual issues to be surmounted. The SRA (and any other regulators concerned) will have to give guidance. How quickly this happens is anyone's guess, but we suspect the government will want to get on with this ASAP so that the effects of an improcved justice system will be apparent in good time for the next election. One plus is that the banks will pay direct to HMRC, rather than your accounts department having to work out the calculations.
Some firms will not be affected because they do not have cient account or hold little client money. For others this proposal could have a major impact upon profitability. They will need to be making contingency plans now so as not to face finacial difficulties.
Here is a link to where you may access the consultation document: https://www.gov.uk/government/consultations/interest-on-lawyers-client-accounts-scheme/interest-on-lawyers-client-accounts-scheme#introducing-an-interest-on-lawyers-client-account-scheme-ilca
Contact Us
For advice on matters relating to law firm finance and compliance with the SRA Accounts Rules.
Fill in the form on this page or email: [email protected]
The NCA has just issued (November 2025) updated guidance relating to SARs (Suspicious Activity Reports) and DAMLs (Defence Against Money Laundering) & DATFs (defence against terrorist financing) to help reporters seeking a defence under POCA or TACT. Here is a link to the relevant page on the website for the UK Finance Intelligence unit - the part of the NCA respomnsible for receiving, analysing and disseminating intelligence submitted through the Suspicious Activity Reports (SARs) regime: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/money-laundering-and-illicit-finance/ukfiu
Please see the guidance here:
Help from Us with AML Compliance?
From the beginning of this month, October 2025, those holding & wishing to hold a Criminal Legal Aid contract MUST:
a) register with the ICO as a Data Controller
b) Appoint a Data Protection Supervisor or Data Protection Officer
c) Have in place compliant policies (see listed below)
d) Train all staff on Data Protection obligations and information risk awareness - initially now, any new staff as they join and an ANNUAL training plan to maintain the level of staff awareness of obligations with policies and procedures.
e) Review at least annually all data protection and information security policies
f) Conduct Data Protection Impact Assessments where appropriate of any new system or projects
g) Conduct staff screening to ensure reliability
h) Maintain Access Records - who has access to personal data with audit trails
i) Maintain Adequate Physical Security to premises housing personal data
j) Implement Controlled Disposal of Records
k) Have Cyber Essentials accreditation
Policies & Plans the LAA state that you MUST now have:
We have only listed above those items which are Mandatory. There are other recommendations which you can read in the full document. Here is a link to it: https://hunningsconsultancy.co.uk/wp-content/uploads/2025/10/Provider_Data_Security_Requirements_v5_October_2025.pdf
You know that your LAA Contract Manager will check for this in their audit.
Why are they doing this?
The LAA is, very belatedly, getting itself into line to be compliant with the Data Protection Legislation (click here for training on this legislation: https://hunningsconsultancy.co.uk/hcl-launches-cpd-training-courses-data-protection-compliance/). The LAA is Data Controller. Legal Aid firms are Data Providers and also Data Controllers under the UK GDPR. As such the LAA wants to make sure that firms doing Criminal Legal Aid work have taken every reasonable and appropriate measure to maintain the security of the data you will be processing on its behalf or shall be processing in common with the LAA. Notice that this rationale will logically extend to any firm doing Legal Aid work, so, inlcuding Civil Legal Aid. We believe that the LAA has focused on Criminal Legal Aid purely because of the new contract that started in October 2025. We believe that all other areas of Legal Aid will follow. The legislation and all other factors are the same.
How we can help you be compliant?
Contact Us
Fill in the form on the web page or [email protected]
It has long been our wish to provide short, to-the-point training courses that people may access at their convenience to upskill on the areas of compliance that we cover.
We are at last able to do so. We have started with Data Protection. AML to follow.
The course title has a link that takes you directly to the course where you may pay, watch the course, take the quiz (75% pass rate required) & download your certificate. They are short by design as feedback is that this is what busy people want. 10-30 minutes each. The price for each is £30+VAT – except for the 4-Pack (£100+VAT) for Data Protection which is 4 courses in a bundle, designed to cover the 4 core pieces of legislation that govern Data Protection in the UK – to give grounding in this for staff. (The courses are angled at lawyers, but Data Protection compliance applies across all sectors of work, so the training is of universal application.)
Contact us for a deal if you wish to bulk buy - buy more than 10 viewings.
AML & Financial Crime Compliance
| List of HCL on-line CPD Courses – click on the course name to gain access |
| Intro to AML & Suspicious Activity Reporting £30+VAT |
| Intro to the Money Laundering Regulations & Client Due Diligence £30+VAT |
More coming. Feel free to let us know of other courses you would find it helpful if we could provide.
Data Protection Compliance
| List of HCL on-line CPD Courses – click on the course name to gain access | |
| GDPR £30+VAT | 4 Pack of Data Protection [this includes the 4 courses to the left, designed to be the basic Data Protection training for staff] £100+VAT |
| DPA (Data Protection Act 2018) £30+VAT | |
| PECR (Privacy & Electronic Communications Regulations) £30+VAT | |
| DUAA (Data Use & Access Act) £30+VAT | |
| DUAA Update – Jan 2026 £30+VAT | |
| Data Breaches £30+VAT | |
| Data Protection Compliance Update - Summer 2025 £30+VAT | |
| Cyber Security Awareness Update - Summer 2025 £30+VAT | |
Feel free to let us know of other courses you would find it helpful if we could provide.
Feedback
"Hi Ingemar,
I have just done the AML one- passed first time so can’t complain! I thought it was very informative and just what I needed to update and refresh my knowledge.
Sean Harkin
Director
KSH Law"
Further Data Protection Assistance
We have a team of experts in this area who regularly provide guidance & assistance in Data Protection compliance. They will review and draft documents, policies and procedures, help if you receive a SAR (Subject Access Request), help if you suffer a Data Breach, provide more in depth training. They also act as external Data Protection Officers for a number of businesses (in the UK and abroard). Contact us for more information by filling in the form below or email Ingemar Hunnings, our lead consultant at: [email protected].
Further AML & Financial Crime Assistance
We have a team of experts in this area who regularly provide guidance & assistance in AML & Sanctions compliance. They will review and draft documents, policies and procedures, help if you believe tou may need to make a SAR (Suspicious Activuity Report), review your Policies & Procedures, help if the SRA or FCA ask to do an Audit or inspection etc. Contact us for more information by filling in the form below or email Ingemar Hunnings, our lead consultant at: [email protected]. Also see other specific service on this website.
On 21st October 2025 the government announced that the supervision of compliance with anti-money laundering and counter-terrorism financing (AML/CTF) requirements for the professions would be consolidated under one body - the FCA.
Currently the supervisory system is made up of three public sector supervisors - the Financial Conduct Authority (FCA), the Gambling Commission and His Majesty’s Revenue and Customs (HMRC) - and 22 private sector professional body supervisors (PBSs) who supervise the legal and accountancy sectors. These supervisors ensure firms comply with the Money Laundering Regulations (MLRs). They help firms understand their obligations and take enforcement action if the MLRs are breached.
Following a consultation the government has decided to move the supervisory responsibilities from those 22 organisations (including the SRA) together to one supervisory body - the FCA. They will supervise firms that carry out activities within scope of the Money Laundering Regulations as Legal Service Providers (LSPs), Accountancy Service Providers (ASPs), and Trust and Company Service Providers (TCSPs). In practice, this means that all firms currently supervised for AML/CTF matters by a PBS, and all ASPs and TCSPs supervised by HMRC will be supervised by the FCA. WE are not sure if this will include Estate Agents and Letting Agencies (which are mentioned in the government document). This will become clearer over time.
When will this happen? The government has stated:
"implementation of this policy is subject to the passage of enabling legislation, confirmation of funding arrangements, and development of a detailed transition and delivery plan. As such, the date at which the FCA will commence supervision of the professional services sector will be heavily dependent on the availability of parliamentary time. To prepare for this, we will publish a separate consultation on the powers that the supervisor should have in early November."
Typically a consultation will take 3 months. We shall see. Then time has to be found for legislation. A 'detailed transition and delivery plan' will have to be agreed. So, we do not expect this to happen soon. But it will happen. In the meantime, we recommend firms continue to abide by the SRA guidance.
Link to the government announcement: https://hunningsconsultancy.co.uk/wp-content/uploads/2025/10/AML-HM-Treasury-FCA-211025-.pdf
Help from Us with AML Compliance?
The decision of the High Court in late September in Mazur & Anor v Charles Russell Speechlys LLP [2025] EWHC 2341 (KB) has thrown into question who may conduct litigation. Can a paralegal, litigation executive, trainee, or CILEX Fellow without independent practice rights — conduct litigation under the supervision of a solicitor? Many litigation departments are structured on this basis. Costs were disallowed because someone who was not a qualified representative had signed particulars of claim in a debt recovery matter, despite them being head of department.
On 1st October 2025 the SRA issued a statement on this:
"Our view is that the judgment in the recent case of Julia Mazur & Ora v Charles Russell Speechlys LLP doesn't change the position in law.
Sheldon J said the Legal Services Act (LSA) makes it clear that only regulated individuals can conduct litigation as it’s a reserved legal activity. Non-authorised individuals can support litigation – as they do in other areas – but only an authorised individual, such as a solicitor, should be conducting litigation.
This is the position that we have reflected in our existing guidance on effective supervision, published in November 2022. In that guidance, we say:
'People who are not themselves authorised to conduct litigation can only support authorised individuals to conduct litigation, rather than conducting litigation themselves under the supervision of an authorised individual.'
There is a distinction between conducting litigation and supporting litigation, but the boundary between the two activities will depend on the facts. Being engaged (whether as an employee or other contractor) by an authorised person who is permitted to conduct reserved activities does not automatically confer a right to conduct litigation on an employee or contractor who is not authorised. They are permitted to support litigation under appropriate supervision, not to conduct it.
Our guidance addresses many aspects to consider when assessing appropriate supervision arrangements. The onus is on firms to satisfy themselves that they are complying with the LSA, and only authorised individuals are conducting litigation. We recommend you should be recording your decision-making around the approach you are taking (see 'Recording supervision arrangements' in the guidance)."
They have referred to their guidance on supervision arrangements: SRA | Effective supervision | Solicitors Regulation Authority
This part seems to be particularly relevant:
"Reserved legal activities - litigation
LSA 2007 makes no provision for unauthorised people to carry out litigation under supervision. Therefore people who are not themselves authorised to conduct litigation can only support authorised individuals to conduct litigation, rather than conducting litigation themselves under the supervision of an authorised individual.
In our view, the consequence of the LSA 2007 restrictions on litigation is that an unauthorised person who is supporting litigation must be employed in the same firm as the authorised person who is conducting the litigation, rather than somewhere else."
It will be for each firm to decide, but it seems to us that it would be wise that any could documents should be signed by the supervising solicitor.
20th October 2025 update: the SRA drew together here there relevant advice: https://www.sra.org.uk/home/hot-topics/conducting-litigation/
