TL;DR. UK solicitors handling client documents under the SRA Code of Conduct + UK GDPR can no longer treat email as the safe default in 2026. Two UK firms received six-figure ICO penalties in 2024-2025 over email-based misdirection. The four tools small and mid UK firms actually evaluate are LEAP, Smokeball, Karbon, and Beamprobe — each with different trade-offs between practice management depth and portal-only focus. This guide covers what the SRA requires, what UK GDPR adds, and which tool fits which firm.
What the SRA actually requires
The SRA Code of Conduct (current 2024 version) sets out:
- Principle 7: Act in the best interests of each client.
- Code 6.3: Keep the affairs of clients confidential, except as required by law or with consent.
- Code 6.4: Reasonable steps to protect clients’ confidential information.
The SRA does not mandate specific technology. It requires reasonable steps appropriate to the risk.
In 2026, the practical interpretation:
- Email is acceptable for low-risk correspondence (general updates, scheduling, public-information-only)
- Email is no longer appropriate for documents containing client personal data, matter-sensitive material, or financial information
- A portal-based workflow with audit trail is the recommended baseline for material document exchange
This isn’t speculation. It’s the position the Solicitors Regulation Authority took in its 2024 risk outlook and the position embedded in ICO enforcement actions against UK firms.
What UK GDPR adds
On top of SRA, UK GDPR Article 32 requires “appropriate technical and organisational measures” — encryption, access controls, audit trail, breach detection.
For client matters involving:
- Personal data of UK individuals
- Financial information
- Health information (Article 9 special category)
- Children’s data (Article 8)
The Article 32 bar is meaningfully higher. Email cannot satisfy the audit trail and access control requirements at this risk level.
The four UK options
1. LEAP
UK practice management with built-in portal.
- Pricing: £60-90/user/month (UK plans)
- Strengths: deep practice management — case files, time recording, billing, accounts integration
- Weaknesses: per-user pricing scales poorly for small firms; portal is one part of a much larger product
- Hosting: UK and Australia
- Best for: firms of 10+ staff already on LEAP for case management
2. Smokeball
UK practice management with portal.
- Pricing: £40-70/user/month
- Strengths: UK-built and UK-aware, mature in residential conveyancing market
- Weaknesses: per-user pricing, less Cloud-native than newer tools
- Hosting: UK
- Best for: mid-size UK firms running multiple practice areas
3. Karbon
US-built practice management adopted by UK firms.
- Pricing: £45-79/user/month
- Strengths: mature workflow tooling, popular among accountancy and increasingly law
- Weaknesses: US residency default, EU residency on enterprise only
- Best for: firms wanting modern workflow tooling and accepting US residency
4. Beamprobe
Focused secure portal, no practice management.
- Pricing: £29/month (Pro), £79/month (Business, up to 15 staff)
- Strengths: UK residency by default, NDA gate first-class, link-based client access (no client login required), flat pricing
- Weaknesses: no case management, no time recording, no billing — these need a separate tool
- Best for: small firms (1-10 staff) using a separate practice management tool, or firms wanting a focused portal without paying for full PM
How to choose
Three questions:
1. Do you need integrated practice management? Yes → LEAP, Smokeball, or Karbon. No → Beamprobe.
2. Are you UK-based with UK clients? Yes → UK residency matters. LEAP UK or Beamprobe.
3. How many staff? 1-3: per-user pricing manageable. 4-15: flat pricing wins on TCO. 15+: enterprise tier of practice management tools.
For most small UK firms (1-10 solicitors) with case management already in place, the answer is Beamprobe for portal + their existing PM tool.
For larger firms or firms without PM, the answer is LEAP or Smokeball UK.
The seven compliance practices
Whatever tool you pick, run this checklist:
- DPA signed and filed with vendor
- Encryption attestation in writing from vendor
- Audit trail enabled and exported quarterly to compliance archive
- NDA / engagement gate captures name, email, IP, timestamp before document access
- Right-to-erasure procedure documented for SAR responses
- UK or EU residency confirmed in writing
- Breach notification process documented with 72-hour ICO notification flow
ICO audits and SRA inspections increasingly ask about these. Have them ready.
Common pitfalls
The mistakes UK solicitors make:
- Sending matter documents via personal email. Trivially the most common breach pattern.
- Using WeTransfer for client documents. Audit log doesn’t satisfy SRA’s “reasonable steps.”
- Assuming a US-based tool is fine “because the headline says EU servers”. Verify in the vendor’s DPA.
- Forgetting the disclosure letter step in M&A. Even with a perfect data room, omitting the disclosure letter creates warranty exposure.
- No audit log export schedule. When the regulator asks for 12 months of access history, you have last week’s.
How Beamprobe helps UK solicitors
- AWS eu-west-2 (London) by default — only VDR with UK-only residency as default
- NDA / engagement gate first-class with custom text on Pro+
- Link-based client access (no login required for the client)
- Page-level analytics and audit log with CSV/PDF export
- £29/month flat for solo solicitors, £79 for firms up to 15 staff
- ICO registered, GDPR-clean, DPA published
Try Beamprobe free for 14 days →