UK AI Compliance 2025: What Professional Services Need to Know About the Data (Use and Access) Act and ICO Enforcement
The United Kingdom is not building a monolithic AI law. While the EU has its AI Act and other jurisdictions are racing to produce consolidated frameworks, the UK has made a deliberate choice: let existing regulators apply principles to their own sectors, keep the framework flexible, and reserve binding legislation for the most powerful AI systems only. That approach is now producing real consequences — new rights for individuals, active enforcement, and a growing body of case law that professional services firms cannot afford to ignore.
If your firm operates in the UK, serves UK clients, or processes the personal data of UK residents, the developments of the past twelve months demand your attention.
The UK's Principles-Based Approach: Stable Architecture, Shifting Details
The UK's five core AI principles — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress — remain the structural foundation. Responsibility for applying them sits with sector regulators: the Information Commissioner's Office (ICO) for data protection, Ofcom for communications, and the Competition and Markets Authority (CMA) for competition matters, among others.
This is not a passive framework. The government has signalled its intention to introduce binding legislation for developers of the most powerful AI models, expected no earlier than the second half of 2026. For now, however, the practical compliance burden for professional services firms falls primarily under data protection law and the ICO's increasingly assertive enforcement posture.
The Data (Use and Access) Act 2025: What Changed and Why It Matters
The Data (Use and Access) Act 2025 came into force in stages between August and December 2025, and it materially changes the rules around automated decision-making (ADM) under UK GDPR.
The previous framework under Article 22 of UK GDPR placed strict restrictions on solely automated decisions that produce legal or similarly significant effects. The new Act creates a more permissive environment for organisations to deploy ADM systems — but it does so alongside strengthened individual rights. Individuals now have clearer rights to human review of automated decisions, and an explicit right to contest decisions made about them by automated systems.
For professional services firms, the implications are direct:
Accountants and financial advisers using automated tools for credit assessments, risk scoring, or client categorisation must now ensure those tools are documented, explainable, and subject to a credible human review process. A system that produces a recommendation is one thing; a system that makes a consequential decision without meaningful human oversight is now legally exposed.
HR consultancies are in the ICO's sights. The regulator has explicitly stated it is scrutinising major employers and recruitment platforms that use ADM in hiring processes. Automated CV screening, candidate ranking, and performance monitoring systems all carry compliance risk if the organisation cannot demonstrate transparency, fairness, and a functioning redress mechanism.
Solicitors and legal service providers face an additional dimension, addressed further below. Legal AI tools that draft, research, or advise must be governed with the same rigour applied to any other professional output.
Marketing agencies handling profiling, audience segmentation, and behavioural targeting are operating in an environment where the ICO has committed to consulting on updated ADM and profiling guidance by autumn 2025. Updated statutory guidance will follow. Firms that have not reviewed their data flows and consent mechanisms are building on unstable ground.
ICO Enforcement: The Fines Are Real
The ICO is not a paper regulator. In 2024–2025, it received over 42,000 complaints, concluded 43 UK GDPR investigations, and imposed more than £4.4 million in penalties. These are not AI-specific fines, but they are increasingly AI-adjacent — and that distinction matters less with each passing quarter.
Three enforcement actions illustrate the current risk environment:
A consumer genetics organisation was fined £2.31 million in June 2025 for failing to protect user data following a cyber-attack. LastPass UK Ltd received a £1.2 million penalty in November 2025 for security failures affecting 1.6 million UK customers. MediaLab.AI (Imgur) was fined £247,590 for infringements related to children's data, specifically around age verification and consent.
None of these penalties requires an "AI Act" to land heavily. Existing data protection law is sufficient. The ICO's current strategic priorities — covering AI, biometrics, children's privacy, and online tracking — make clear where investigative resource is being directed. The regulator is also developing a statutory Code of Practice on AI and ADM that will address transparency, explainability, bias, discrimination, and redress. When that Code arrives, compliance will become measurably more demanding.
For international firms: UK fines are separate from EU AI Act penalties, which can reach €35 million or 7% of worldwide annual turnover for the most serious prohibited practices. Operating across both jurisdictions without a coherent compliance architecture is an increasingly untenable position.
The Courtroom: AI Hallucinations Have Consequences
There is now a body of UK case law emerging around the misuse of generative AI in legal and professional contexts, and it is unambiguous in its message.
In cases including R. (on the application of Ayinde) v Haringey LBC, courts have issued wasted costs orders and referred lawyers to regulatory bodies after AI-generated submissions contained fabricated case citations — the product of AI "hallucinations." These were not junior errors made in haste. They were professional failures in the supervision and verification of AI-generated content.
The professional obligation to verify output does not disappear because a machine produced it. Solicitors, barristers, and legal consultants using AI for research or drafting must have governance processes that treat AI output as a first draft requiring expert review, not a final product requiring a signature.
On the opposite side of the ledger, Garfield AI — an AI-powered law firm — secured a UK court victory in May 2026, recovering £7,000 for a freelancer in a small claims case. AI, properly governed, can expand access to justice. The difference between a wasted costs order and a successful outcome is not the technology; it is the governance around it.
What International Firms Should Do Now
Professional services firms operating across the UK, EU, US, Middle East, or Asia-Pacific cannot treat each jurisdiction's AI requirements as a separate, siloed exercise. The UK's principles-based framework interacts with EU AI Act obligations, sector-specific rules, and professional regulatory duties. The overlap creates both risk and, for those who get ahead of it, competitive advantage.
At a minimum, firms should be taking the following steps:
- Audit existing ADM systems for compliance with the updated Data (Use and Access) Act provisions, including documentation of decision logic and human review mechanisms.
- Review recruitment and HR technology against the ICO's stated enforcement priorities.
- Implement AI output governance policies that require verification of AI-generated content before use in client deliverables, court submissions, or professional advice.
- Map cross-jurisdictional obligations to identify where UK GDPR, EU AI Act, and local sector rules create cumulative requirements.
- Monitor the ICO's statutory Code of Practice on AI and ADM, expected to raise the compliance bar when finalised.
Speak to Ops Intel
The UK's AI compliance landscape is moving quickly, and the cost of getting it wrong — in fines, reputational damage, and regulatory scrutiny — is rising. Ops Intel works with professional services firms globally to map their AI compliance obligations, identify gaps, and build governance frameworks that hold up under regulatory and judicial scrutiny.
If you are not certain where your firm stands, that uncertainty is itself a risk. Contact Ops Intel today to arrange a compliance review and find out what your AI use cases require under UK, EU, and international frameworks.