UK AI Compliance 2026: What Professional Services Firms Need to Know About the New Code of Practice
The UK's AI regulatory picture is sharpening. After years of broad principles and guidance documents, 2026 has brought concrete legislative obligations that professional services firms cannot afford to ignore — whether they are based in London, Dubai, Toronto, or Singapore.
UK AI Compliance 2026: What Professional Services Firms Need to Know About the New Code of Practice
The UK's AI regulatory picture is sharpening. After years of broad principles and guidance documents, 2026 has brought concrete legislative obligations that professional services firms cannot afford to ignore — whether they are based in London, Dubai, Toronto, or Singapore.
This post sets out the most important developments, what they mean in practice, and where the real compliance risks now lie.
The UK's Approach: Still No "AI Act," But That Doesn't Mean No Obligations
Unlike the European Union, the UK has not enacted a single, overarching AI law. The government's position, established in its March 2023 white paper, remains deliberately "pro-innovation": regulate AI through existing legal frameworks and delegate oversight to sector-specific regulators, guided by five core principles — safety, transparency, fairness, accountability, and redress.
For professional services firms, this matters for two reasons.
First, it means your AI compliance obligations in the UK are not found in one place. They are distributed across data protection law, sector-specific regulator guidance (the FCA, SRA, ICO, and others), and employment law — depending on how and where you deploy AI.
Second, the absence of a single act does not create a compliance vacuum. The relevant obligations are real, enforceable, and increasingly being tested through ICO investigations and the courts.
The Data (Use and Access) Act 2025: What Changed
The Data (Use and Access) Act 2025 came into force on 19th June 2025 and represents the most significant change to the UK data protection framework since the UK GDPR.
On the surface, the Act is permissive. It expands the circumstances under which organisations can make decisions based solely on automated processing of personal data. It also clarifies that "scientific research" — a ground that has historically supported broader data use — can include commercial and technological development purposes. For firms building or procuring AI tools, this opens some useful doors.
However, professional services firms should resist the temptation to treat this as a green light. The Act does not remove the obligation to identify a lawful basis for processing. It does not suspend the requirement for transparency. And it does not eliminate the need for a Data Protection Impact Assessment (DPIA) where high-risk processing is involved. If your firm uses AI in client onboarding, document review, HR processes, or marketing, the fundamentals of UK data protection law still apply in full.
The 2026 Code of Practice: The Development That Demands Immediate Attention
The most operationally significant development of the year is the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, which came into force on 12th May 2026.
This legislation requires the Information Commissioner's Office (ICO) to produce a statutory Code of Practice on AI and Automated Decision-Making — a document that will carry genuine legal weight, not merely best-practice status. The final version is expected in Summer 2026, with specific provisions addressing children's data included.
A statutory code is not guidance you can politely set aside. When the ICO investigates a data protection complaint or conducts an audit, adherence to — or departure from — a statutory code will be a material consideration. For professional services firms, this means the code will effectively set the compliance floor for AI use in the UK.
What should firms do now?
Do not wait for the final code to be published. Use the period between now and its release to map your AI tools, document your legal basis for each processing activity, review your DPIAs, and identify gaps in your transparency documentation. Firms that treat the code's arrival as a starting gun will already be behind.
ICO Enforcement: The Pattern Is Clear
The ICO's enforcement record over the past two years removes any doubt about the direction of travel. AI and biometrics remain one of the regulator's three strategic enforcement priorities, alongside children's privacy and online tracking.
Several recent cases are instructive for professional services firms specifically.
The Clearview AI case — in which the Upper Tribunal reinstated a £7.5 million fine in October 2025 — confirmed that UK data protection law applies extraterritorially where an organisation monitors the behaviour of UK residents. For any firm headquartered outside the UK but with UK clients or data subjects, this is directly relevant. Jurisdiction is not determined by where your servers sit.
The Serco Leisure case, in which the ICO ordered the cessation of facial recognition and fingerprint scanning for employee attendance, signals that biometric processing in HR contexts will face intense scrutiny. HR consultancies and professional services firms with large workforces should treat any biometric data processing as a high-risk activity requiring explicit justification.
The ICO's audit of AI recruitment tools (published November 2024) found widespread failures around data minimisation, DPIAs, security measures, and lawful basis — even among organisations that believed they were compliant. If your firm uses AI-assisted CV screening, candidate ranking, or any automated step in the hiring process, the ICO has essentially told you where to look.
Finally, the xAI (Grok) investigation, launched in February 2026, extends the ICO's reach into generative AI outputs. The investigation concerns the processing of personal data in the creation of non-consensual sexualised imagery. For professional services firms, the broader signal is this: the ICO is now examining not just how AI systems are trained, but what they produce and whether that output involves the unlawful processing of personal data.
Total ICO fines increased by 42% in 2025, with 28 monetary penalty notices issued. Enforcement is not easing.
The International Dimension: This Affects You Wherever You Are Based
UK data protection law applies wherever you process the personal data of UK residents. For a marketing agency in the UAE running campaigns targeting UK consumers, an HR consultancy in Canada managing UK employee data, or a law firm in Australia advising UK clients — the ICO's reach is real.
The Clearview AI ruling reinforced this explicitly. Firms operating globally should assess their UK data protection obligations on the basis of what data they handle, not where they are incorporated.
At the same time, firms operating across multiple jurisdictions will need to track how the UK's approach interacts with the EU AI Act, Canada's Bill C-27, and equivalent frameworks in markets such as Singapore, Australia, and the Gulf states. The compliance demands are not uniform, but they are converging around common themes: transparency, lawful basis, human oversight, and accountability for automated decisions.
What to Prioritise in the Next 90 Days
Given the pace of change, professional services firms should focus on the following:
- Map your AI tools. Know what you are using, where, and for what purpose.
- Review your lawful basis documentation for every AI-assisted process involving personal data.
- Conduct or update DPIAs for any high-risk processing, including recruitment tools, client profiling, and automated decision-making.
- Monitor the ICO's statutory code as it is finalised, and build a compliance response plan around its requirements.
- Brief your leadership. AI compliance is not an IT matter. It sits with the board.
If your firm is working through any of these obligations and needs expert guidance, Ops Intel can help. We work with professional services businesses across the UK, EU, North America, the Middle East, and Asia-Pacific to build practical, proportionate AI compliance frameworks. Contact Ops Intel today to speak with one of our specialists.
Work with Ops Intel
Need help navigating AI compliance?
We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.