The DUA Act 2025: What Professional Services Firms Need to Know About Automated Decision-Making

Compliance 28 June 2026 5 min read

The UK's Data (Use and Access) Act 2025 received Royal Assent on 19th June 2025. From 5th February 2026, it materially changes how organisations can use automated decision-making (ADM) in the UK. For professional services firms — whether you are an accountancy practice in London, a law firm in Dubai, an HR consultancy in Toronto, or a marketing agency in Singapore — if you process UK residents' personal data, these changes apply to you.

This is not a theoretical update. ADM is already embedded in how many firms operate: credit risk scoring, CV screening tools, client onboarding checks, automated compliance flags, and marketing segmentation all fall within scope. The question is whether your current approach remains lawful after February 2026.

What the DUA Act Actually Changes

The DUA Act replaces the former Article 22 of UK GDPR — which placed a near-blanket restriction on solely automated decisions with legal or similarly significant effects — with a new framework spanning Articles 22A to 22D.

The practical effect is a measured liberalisation. Where no special category data is involved, organisations have broader permission to use ADM, provided they implement appropriate safeguards. Where special category data is involved — health information, biometric data, racial or ethnic origin, religious beliefs, and similar categories — stricter conditions remain in place, and for good reason.

What this means operationally is that the binary question of "can we use ADM here?" becomes a more nuanced assessment of what type of data is being processed, what safeguards are in place, and how individuals can challenge or seek review of automated outcomes.

Why This Matters Beyond the UK

Professional services firms frequently assume that UK data protection developments are relevant only to their UK operations. That assumption is incorrect.

The UK GDPR applies to any organisation, wherever it is based, that processes the personal data of individuals in the UK in connection with offering goods or services, or monitoring behaviour. A US-based HR consultancy using an AI-powered applicant screening tool to assess UK candidates is squarely within scope. A Middle Eastern law firm using automated conflict-of-interest checking on UK client data faces the same obligations.

Beyond direct territorial reach, there is a broader strategic consideration. The UK, EU, US, Canada, and key Asia-Pacific regulators are increasingly aligned in their focus on automated decision-making, transparency, and individual rights. Firms that build their compliance frameworks around the more demanding standard — whether that is UK GDPR, the EU AI Act, or Canada's proposed AIDA — tend to find that other jurisdictions require less remediation. Firms that build to the lowest common denominator are routinely caught out.

The Safeguards You Need to Have in Place

Under the new framework, where ADM is used in connection with personal data, firms must be able to demonstrate several things.

Transparency. Individuals must be informed that ADM is being used, in a meaningful way — not buried in a privacy notice that nobody reads. If your firm uses an AI tool to score client creditworthiness, flag compliance risks, or rank job applicants, your affected individuals need to know this is happening and understand its significance.

Human oversight. For decisions with legal or similarly significant effects, organisations must ensure that a human being can meaningfully review and, where appropriate, overturn an automated outcome. A nominal review that rubber-stamps machine outputs does not satisfy this requirement. Regulators and courts are increasingly sceptical of oversight mechanisms that exist on paper only.

Contestability. Individuals must have a genuine route to challenge automated decisions. This means your firm needs a documented process — not just a principle — for receiving, investigating, and responding to such challenges.

Data minimisation and purpose limitation. The DUA Act does not alter the fundamental architecture of UK GDPR. ADM systems that process more personal data than is necessary, or that repurpose data in ways individuals would not reasonably expect, remain non-compliant regardless of the new ADM provisions.

Special Category Data: A Higher Bar

If your ADM system touches special category data — and many do, often inadvertently — the conditions are stricter. Health data is the obvious example, but consider also the data that flows through HR-related AI tools: information about disabilities, pregnancy, or religious observance may be present in CVs, occupational health assessments, or flexible working requests.

Biometric data used for identity verification is another area of active regulatory focus. The ICO has made AI and biometrics a strategic priority, and the enforcement landscape is moving in one direction. Firms deploying biometric authentication or verification tools should audit whether special category data protections are properly applied throughout the processing chain.

The ICO Is Watching

The ICO's enforcement record makes clear that data protection failings carry real financial consequences. Fines of £1.2 million and £3.07 million were issued in late 2024 and early 2025 respectively for security failures unrelated to AI — demonstrating that the regulator will act when standards are not met. The ICO's formal investigation into xAI in February 2026 over non-consensual imagery generated by its Grok model signals that AI-specific enforcement is now live, not merely anticipated.

For professional services firms, the reputational dimension compounds the financial risk. A firm advising clients on compliance that faces its own ICO investigation is in an acutely uncomfortable position.

What You Should Do Before February 2026

The implementation date for Articles 22A to 22D is 5th February 2026. Firms that have not yet reviewed their ADM practices should treat this as a fixed deadline, not a soft target.

At a minimum, you should: map where ADM is currently used across your business, including tools procured from third-party vendors; assess which processing activities involve special category data; audit your transparency documentation and individual rights processes; and review contracts with AI tool providers to confirm accountability is properly allocated.

The DUA Act is one part of a broader compliance picture. The UK government has signalled further AI-specific legislation. The EU AI Act is already in force for firms with European operations. Canada, Australia, and several Gulf states are advancing their own frameworks. Firms that treat each development as a separate compliance sprint will find themselves perpetually behind.


Ops Intel helps professional services firms understand and act on their AI compliance obligations — across the UK, EU, and internationally. If you need to assess your automated decision-making practices ahead of the February 2026 deadline, or want a clear picture of how multiple regulatory frameworks apply to your business, speak to our team. [Contact Ops Intel today.]