
AI Compliance for Professional Services: What the Data (Use and Access) Act 2025 Means for Your Firm


Compliance 12 June 2026 6 min read


The UK's approach to AI regulation has never been about building a single, sweeping statute. Instead, the government has doubled down on a sector-led, pro-innovation model — letting existing legal frameworks carry the compliance weight while targeted reforms tighten specific pressure points. For professional services businesses, the most significant of those reforms is now live.

The Data (Use and Access) Act 2025 (DUAA) brought its core automated decision-making (ADM) provisions into force on 5 February 2026. Combined with sharply escalating ICO enforcement, a clutch of sobering court decisions on AI-generated content, and a hardening position on copyright, the compliance picture for accountants, solicitors, HR consultancies, and marketing agencies has changed materially — whether they operate in the UK, serve European clients, or work across international markets.

Here is what your firm needs to understand.

The DUAA Replaces Article 22 — and the Bar Has Moved

The DUAA replaces Article 22 of the UK GDPR with what regulators describe as a "permission-with-safeguards" model. Where Article 22 imposed a near-blanket prohibition on solely automated decisions with significant effects, the new framework is more permissive for non-sensitive data — but the conditions attached to that permission are demanding.

Firms may now process automated decisions affecting individuals, provided those individuals receive genuine transparency about the logic involved and retain a meaningful right to human intervention. The operative word is meaningful. The ICO has been explicit: a reviewer who lacks the authority, the time, or the information to actually override an AI output does not constitute human involvement. Rubber-stamping an automated shortlist is not a legal safeguard. It is a liability.

For professional services businesses, the practical impact is immediate. HR consultancies deploying AI-assisted recruitment tools, accountancies using automated credit-scoring models, and legal firms using AI to triage or prioritise client matters all sit squarely within scope. Each needs to audit its ADM processes now, not when the ICO's forthcoming binding Code of Practice on AI and ADM is finalised — a consultation on draft guidance closed in May 2026, and formal obligations will follow.

Enforcement Is No Longer Theoretical

The ICO has moved decisively from guidance into enforcement, and the penalties signal where regulatory attention is focused.

A record £14.47 million fine against Reddit for children's privacy violations established that the ICO is willing to pursue high-profile targets at scale. Equally significant for professional services is the multi-million-pound penalty imposed on Advanced Computer Software, a data processor. That case created a direct precedent: IT suppliers and technology vendors can be held financially liable where their security failures compromise client data. For firms that rely on third-party AI platforms — and most do — this means supply chain oversight is no longer optional due diligence. It is a compliance requirement with direct financial consequences.

Professional services firms operating internationally should note that this enforcement posture is not unique to the UK. Equivalent pressure is building across jurisdictions, and the reputational cost of a regulatory action in one market increasingly travels across borders.

Courts Are Losing Patience with AI-Generated Content

The courtroom has become an increasingly uncomfortable place for firms that deploy AI without rigorous verification protocols.

In 2026 alone, confirmed or suspected AI hallucination incidents in UK courts reached 64 reported cases. Decisions including Re A, B, C, D and Brightwaters Energy have placed AI-generated legal content under direct judicial scrutiny. The Unitel Direct case went further: commercial claims were dismissed in part because of uncertainties surrounding AI-generated telephone transcripts, which raises the stakes considerably, extending the concern beyond citations to the integrity of documentary evidence itself.

The implication is unambiguous. Human verification of AI-generated research, legal analysis, and professional documentation is a non-negotiable duty. It is not a best practice to aspire to — it is the baseline standard against which professional conduct will be measured. Solicitors, compliance officers, and consultants who submit AI-generated content without independent verification face professional sanctions, reputational damage, and potentially adverse judicial outcomes for their clients.

This applies equally to firms working across the US, Canada, the EU, and Asia-Pacific. Courts in multiple jurisdictions are reaching similar conclusions on AI-generated content, and the professional duty of competence in those markets is converging around the same expectation.

In March 2026, the UK government formally abandoned its proposal for a broad text and data mining (TDM) copyright exception for commercial AI training. The conclusion was clear: AI developers must continue to rely on existing licensing frameworks. Training commercial AI models on UK copyright works without a licence remains an infringement.

This has direct consequences for professional services firms that procure third-party AI tools. If a vendor's model was trained on unlicensed data, your firm's use of that model may carry downstream IP risk. The High Court's late-2025 ruling in Getty Images v Stability AI confirmed that AI model weights are not themselves infringing copies, but trade mark claims succeeded where outputs reproduced visible watermarks — illustrating that IP liability can arise from what the model produces, not just how it was built.

Your vendor contracts need to reflect this reality. Robust contractual indemnities covering intellectual property are now a procurement essential, not a negotiating point to concede. Firms advising clients on AI procurement — or deploying AI tools internally — should conduct a structured audit of third-party vendor agreements against this framework.

Dual Compliance Is Now a Practical Requirement for UK Firms with EU Exposure

The UK's divergence from the EU regulatory framework is creating a compliance split that international professional services businesses cannot afford to ignore.

From 2 August 2026, the EU AI Act's obligations for high-risk AI systems become mandatory. Any UK firm serving European clients, employing EU-based staff, or deploying AI that affects EU residents may fall within scope of the Act's extraterritorial reach — much as the GDPR extended beyond EU borders. High-risk categories include AI used in employment, access to essential services, and certain legal and administrative processes: precisely the functions that professional services firms use AI to support.

Running a dual-track compliance programme — meeting both UK DUAA obligations and EU AI Act requirements — demands a structured approach. The systems are not identical, and assuming UK compliance automatically satisfies EU obligations is an error that will become more costly as enforcement matures on both sides.

Firms based in the US, Canada, the Middle East, or Asia-Pacific that serve UK or EU clients face the same calculus. Regulatory obligations follow the data and the affected individuals, not the location of the business.

What Your Firm Should Do Now

The compliance obligations are live, the enforcement environment is active, and the courts have signalled that professional standards apply to AI outputs with the same rigour as any other professional work product.

That means auditing your ADM processes against the DUAA's safeguards, reviewing vendor contracts for IP indemnities, implementing verification protocols for AI-generated content, and mapping your EU exposure against the AI Act's high-risk provisions.

Ops Intel works with professional services businesses across the UK, EU, US, and beyond to build AI compliance frameworks that are practical, proportionate, and aligned with current regulatory requirements. If you need clarity on what these changes mean for your firm specifically, contact our team to arrange a compliance review.
