UK AI Compliance 2026: What Professional Services Need to Know About DUAA 2025 and the ICO's Enforcement Turn
The UK's approach to AI regulation is often misread by international observers. There is no single AI Act on the horizon. Instead, the government has deliberately chosen a principles-based framework — one that asks existing regulators to apply five core principles across their own sectors. For profe
UK AI Compliance 2026: What Professional Services Need to Know About DUAA 2025 and the ICO's Enforcement Turn
The UK's approach to AI regulation is often misread by international observers. There is no single AI Act on the horizon. Instead, the government has deliberately chosen a principles-based framework — one that asks existing regulators to apply five core principles across their own sectors. For professional services firms operating in or with the UK, this does not mean lighter obligations. It means obligations that are already live, already enforceable, and already being tested in courts and tribunals.
If your firm handles personal data, uses automated tools to make decisions about clients or employees, or deploys AI in any client-facing capacity, the developments of the past twelve months demand your attention.
The Framework That Is Actually Governing You Right Now
The UK's five AI principles — safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress — are not aspirational statements. They are the lens through which sector regulators are already assessing AI deployments. For accountants, the FRC; for solicitors, the SRA; for HR consultancies, the ICO; for marketing agencies, the ASA and ICO in combination. Each regulator is interpreting these principles within its own domain.
The absence of a headline "UK AI Act" does not create a compliance gap. It creates a compliance patchwork, and navigating it requires understanding which regulator is watching your particular use case — and what standards they are applying.
What DUAA 2025 Actually Changes
The Data (Use and Access) Act 2025 is the most consequential piece of UK AI-adjacent legislation to have reached the statute book. Its provisions on automated decision-making began commencing on 1 December 2025, with broader UK GDPR framework changes effective from 5 February 2026. For professional services firms, three changes matter most.
First, the Act expands the lawful circumstances under which solely automated processing of personal data is permitted. The previous regime under UK GDPR Article 22 was restrictive. DUAA 2025 widens the gateway — but this expansion comes with accountability obligations attached. Firms that wish to take advantage of it must be able to demonstrate that appropriate safeguards are in place, that individuals are informed, and that meaningful human review remains accessible.
Second, the definition of 'scientific research' has been clarified to include commercial and technological development. This has direct implications for firms developing proprietary AI tools, running internal pilots, or building on foundation models. Activity that was previously in a legal grey area now has a clearer statutory footing — but that footing is not unconditional.
Third, DUAA 2025 places a statutory duty on the ICO to produce a Code of Practice on AI and Automated Decision-Making. That code is expected to be completed around 2027, with interim guidance on automated decision-making anticipated in Summer 2026. The moment that code is finalised, it becomes the definitive compliance benchmark for UK AI deployments involving personal data. Firms that wait for the code before preparing will be behind.
The ICO Is Not Waiting for the Code
The ICO has made its priorities explicit. AI and biometrics, children's privacy, and online tracking are its stated enforcement focus areas for 2024–26. Between 2024 and 2025, it ran a five-part consultation series on generative AI and data protection, covering lawful basis, purpose limitation, accuracy, and individual rights. The conclusions are being integrated into updated guidance now.
The enforcement record reinforces the message. The £7.5 million fine against Clearview AI for collecting facial images without consent has survived a legal challenge at the Upper Tribunal, which overturned an earlier ruling in Clearview's favour and confirmed that UK data protection law applied. Clearview has been granted permission to appeal to the Court of Appeal, so the final outcome remains pending — but the Upper Tribunal's reasoning is already instructive. The ICO can assert jurisdiction over foreign entities whose data processing activities affect UK individuals, even where those entities have no UK establishment.
For any international firm — whether based in the US, Canada, the EU, the Middle East, or Asia-Pacific — processing data about UK individuals as part of client work, recruitment, or service delivery, this matters. The ICO's reach is not bounded by your firm's registered address.
The audit report published in November 2024 on AI tools in recruitment is equally sobering. The ICO identified systemic failures across Data Protection Impact Assessments, security controls, lawful basis, data minimisation, and transparency. All 296 recommendations were accepted or partially accepted by the audited organisations. HR consultancies and professional services firms that use AI-assisted shortlisting, psychometric analysis, or CV screening tools should treat this audit as a direct signal of where enforcement attention is heading.
The Legal Profession Is Not Insulated
Two cases from May 2026 illustrate the pressures hitting legal services specifically — and carry lessons for every professional services sector.
Garfield AI, an AI-powered law firm, successfully recovered £7,000 for a freelancer at Wandsworth County Court, handling all pre-trial work autonomously. This is not a novelty. It is a proof of concept for AI-led legal services in low-value disputes, and it signals competitive disruption that firms across the sector need to factor into their strategic planning.
The counterweight came from Pinsent Masons, criticised by a London court in May 2026 for filing submissions that contained false information generated by AI. The reputational and regulatory consequences of AI hallucinations in client-facing work are not theoretical. They are documented. Any firm that deploys AI in document drafting, legal research, or client advice without robust human review processes is carrying a liability it may not have formally assessed.
The Cyber Security Dimension
The Cyber Security and Resilience Bill, introduced in November 2025, proposes to expand the Network and Information Systems Regulations. For firms deploying AI, the relevance is direct: the Bill includes provisions targeting AI-powered cyber threats and mandating mitigating measures. As AI tools become both a target and a vector for sophisticated attacks, compliance with this legislation will require firms to assess their AI deployments not only through a data protection lens but through a cyber resilience one.
What International Firms Should Do Now
Professional services firms operating globally — particularly those with UK clients, UK employees, or UK-based data processing — should treat UK compliance as an active obligation, not a watch-and-wait exercise. Concretely, that means:
- Auditing automated decision-making processes against the DUAA 2025 changes and documenting the lawful basis for each
- Completing or updating Data Protection Impact Assessments for any AI tool that processes personal data
- Reviewing transparency disclosures to ensure individuals understand when and how automated decisions affect them
- Implementing human review mechanisms that are genuine, not cosmetic
- Mapping AI tool procurement against both data protection and cyber security requirements
- Tracking ICO guidance as it is published, particularly the interim ADM guidance expected Summer 2026
Compliance Is a Moving Target — and It Is Moving Fast
The UK's regulatory picture will continue to shift through 2026 and 2027 as legislation commences, guidance is finalised, and enforcement cases resolve. Firms that build compliance capability now, rather than reacting to each development in turn, will be better positioned to absorb those changes without disruption.
Ops Intel helps professional services firms understand their AI compliance obligations — across the UK, EU, US, and beyond — and build the governance structures to meet them. If your firm is navigating DUAA 2025, ICO expectations, or cross-border AI compliance, get in touch with our team to discuss how we can support you.
Work with Ops Intel
Need help navigating AI compliance?
We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.