← Insights / Compliance

The ICO's AI Enforcement Turn: What UK Professional Services Need to Know About DUAA 2025 and Rising Penalties

The UK's AI compliance environment has shifted materially in the past twelve months. New legislation has redrawn the rules on automated decision-making, the Information Commissioner's Office (ICO) is issuing larger fines with greater confidence, and the courts are producing precedents — both encoura

Compliance 19 July 2026 6 min read

The ICO's AI Enforcement Turn: What UK Professional Services Need to Know About DUAA 2025 and Rising Penalties

The UK's AI compliance environment has shifted materially in the past twelve months. New legislation has redrawn the rules on automated decision-making, the Information Commissioner's Office (ICO) is issuing larger fines with greater confidence, and the courts are producing precedents — both encouraging and cautionary — that will shape how professional services firms operate for years to come.

If your firm processes personal data from UK residents, regardless of where you are based, this briefing is directly relevant to you.


The Data (Use and Access) Act 2025: What Has Actually Changed

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in June 2025 and represents the most significant amendment to the UK GDPR framework since it was introduced. Provisions relating to automated decision-making (ADM) began commencing on 1 December 2025, with broader framework changes taking effect from 5 February 2026.

The headline change is that the DUAA creates a more permissive regime for automated decision-making — broadening the circumstances in which organisations can make decisions about individuals using solely automated processes without requiring a human to be directly involved. This may sound like welcome flexibility for firms using AI-driven client assessment tools, workflow automation, or AI-assisted HR processes. In practice, however, the Act simultaneously introduces new individual rights safeguards that organisations must honour. Broader permissions come with clearer accountability obligations, not fewer.

Critically, the DUAA places a statutory duty on the ICO to produce a Code of Practice on AI and Automated Decision-Making. Interim guidance is anticipated in Summer 2026, with final guidance expected shortly thereafter. Once published, this Code will become the definitive compliance benchmark for any UK AI deployment involving personal data. Professional services firms should be tracking its development closely and using the interim period to audit their current ADM practices against existing guidance.


ICO Enforcement: Fewer Fines, Far Greater Consequences

The ICO has been explicit that AI and biometrics, children's privacy, and online tracking are its enforcement priorities for 2024 to 2026. What is notable is not just what the ICO is targeting, but how it is pursuing those targets.

In the first half of 2025 alone, the ICO issued six fines totalling approximately £5.6 million — more than double the £2.7 million collected across eighteen fines in the whole of 2024. The message embedded in that shift is deliberate: the regulator is concentrating its enforcement resources on serious cases and is prepared to impose penalties that are genuinely consequential.

The £14 million fine issued to Capita in October 2025 for a data breach affecting over six million people is illustrative. That figure was reduced from an initial £45 million, but even the reduced amount demonstrates a level of enforcement ambition that should concentrate minds at board level. The alignment of Privacy and Electronic Communications Regulations (PECR) fines with UK GDPR levels — now reaching up to £17.5 million or 4% of annual worldwide turnover — further expands the financial exposure for firms using AI in conjunction with electronic communications data.

For accountants using AI-driven client reporting tools, HR consultancies deploying automated screening systems, solicitors using AI for document review, or marketing agencies running AI-assisted targeting campaigns, the compliance stakes are now materially higher than they were two years ago.


Extraterritorial Reach: A Warning for Non-UK Firms

The ICO's £7.5 million fine against Clearview AI was upheld by the Upper Tribunal in October 2025. Clearview is a US-based company. The ruling firmly reasserts the ICO's extraterritorial jurisdiction: if your AI system processes the personal data of UK residents, UK data protection law applies to you, irrespective of where your business is incorporated or operated.

For professional services firms based in the United States, Canada, the EU, the Middle East, or the Asia-Pacific region that serve UK clients or handle data relating to UK individuals, this is not an abstract concern. Your AI tools are within scope. Your compliance obligations under UK GDPR are real. A firm headquartered in Dubai, Toronto, or Singapore using a US-built AI platform to process data from UK-based clients is not outside the ICO's reach.


What the ICO's Recruitment Audit Tells Us About Systemic Risk

In November 2024, the ICO published an audit report on the use of AI tools in recruitment. The findings were striking in their breadth. Across the organisations audited, the ICO identified systemic failures in Data Protection Impact Assessments (DPIAs), security controls, lawful basis for processing, data minimisation, and transparency. The audit generated 296 recommendations.

These are not obscure technical failures. They are the foundational elements of responsible AI deployment. For HR consultancies and professional services firms with in-house people functions, the audit report should be read as a direct signal. If the ICO finds those same failures during a future investigation of your organisation, enforcement action is a realistic outcome.


The Courts Are Watching Too

Two developments from the courts deserve attention. In June 2026, Garfield AI — a regulated AI law firm — achieved what is believed to be the first UK court victory for a firm where AI handled the bulk of pre-trial work. This demonstrates that AI-assisted legal services can succeed within the formal justice system when deployed responsibly and with appropriate oversight.

The counterpoint arrived one month later. In July 2026, the Crown Prosecution Service apologised for submitting court documents containing non-existent legal cases generated by AI — a direct consequence of inadequate human review of AI outputs. The reputational and procedural consequences were significant.

Together, these cases draw a sharp line. AI tools can deliver real value in professional services. But deploying them without robust governance, verification processes, and human oversight creates liability that no firm should be willing to accept.


Binding Regulation for Frontier AI Is Coming

For firms using or advising on large language models and other powerful AI systems, the government has signalled a move towards binding regulation for the most capable AI models — a position proposed in the 2024 King's Speech and reaffirmed in February 2025. The AI Safety Institute has been rebranded the AI Security Institute, reflecting a sharpened focus on national security and AI misuse. These are not abstract policy positions. They are advance notice of a more demanding regulatory environment ahead.


What Professional Services Firms Should Do Now

The period between now and the publication of the ICO's final AI and ADM Code of Practice is not a waiting period. It is a window to get your house in order before the benchmarks are locked in. Practically, that means reviewing your DPIA processes for any AI tools handling personal data, auditing the lawful basis for automated decision-making in your workflows, documenting your transparency obligations to clients and data subjects, and ensuring your governance framework addresses AI-generated outputs and human oversight.


Work With Ops Intel

Ops Intel helps professional services firms across the UK, Europe, North America, the Middle East, and Asia-Pacific understand and meet their AI compliance obligations — before enforcement finds the gaps for you.

Whether you need a gap analysis against DUAA 2025, a DPIA review for an AI tool you are already using, or a compliance framework built from the ground up, our team brings the regulatory depth and practical focus that professional services businesses require.

Get in touch with Ops Intel today to arrange an initial consultation.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit