UK AI Compliance for Professional Services: What the Data (Use and Access) Act 2025 Means for Your Firm
The UK's AI compliance landscape has shifted materially in the past twelve months. New legislation has received Royal Assent, the Information Commissioner's Office (ICO) is actively investigating and fining organisations for AI-related data protection failures, and the courts are beginning to grapple with questions that will shape how professional services firms can and cannot use AI tools. If your firm operates in or with the UK — or handles the data of UK residents — you need to understand what has changed and what it demands of you.
The UK's Regulatory Philosophy: Principles Over Prescription
Before examining the specifics, it is worth understanding the architecture of UK AI regulation, because it differs meaningfully from approaches taken elsewhere.
The EU AI Act is prescriptive: it classifies AI systems by risk level and imposes detailed, codified obligations on each category. The UK has taken a different path. There is no standalone UK AI Act. Instead, the government has adopted a cross-sectoral, outcomes-based framework built around five core principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.
Crucially, existing regulators — the ICO, the Financial Conduct Authority (FCA), Ofcom, and others — are responsible for applying these principles within their own sectors, using existing powers and supplementary guidance. For professional services firms, this means your AI compliance obligations are not found in a single statute. They are distributed across data protection law, financial services regulation, professional conduct rules, and sector-specific guidance. That complexity is not a reason to delay action; it is a reason to act with more rigour.
What the Data (Use and Access) Act 2025 Changes
The Data (Use and Access) Act 2025 (DUAA 2025) received Royal Assent on 19 June 2025 and commenced on 5 February 2026. It is the most significant reform to UK data protection law since the UK GDPR was adopted post-Brexit, and it carries direct implications for how professional services firms deploy AI.
Two changes deserve particular attention.
Automated decision-making (ADM). The DUAA 2025 expands the circumstances in which organisations can lawfully carry out automated decision-making, that is, decisions made without meaningful human involvement. Under the previous framework, solely automated decisions with legal or similarly significant effects on individuals were confined to a narrow set of exceptions (contractual necessity, explicit consent, or authorisation by law). The Act restructures that rule: the tight restriction is retained for decisions that rely on special category data, while for other personal data such decisions are permitted provided specified safeguards are in place, namely informing the individual, letting them make representations, enabling them to obtain human intervention, and allowing them to contest the decision. This may open the door to wider AI-driven decision-making in areas such as credit assessments, HR processes, and client suitability analysis. However, broader permission does not mean fewer obligations. Firms will still be required to demonstrate that any ADM is lawful, transparent, and subject to appropriate human oversight and redress mechanisms, and to show that those safeguards operate in practice rather than only on paper.
Research and development. The Act also clarifies the lawful basis for processing personal data for scientific research, which it defines to include technological development and applied research, whether publicly or privately funded and whether or not carried out commercially. For firms building, customising, or fine-tuning AI models on client or employee data, this clarification provides greater legal certainty, but only where the processing genuinely meets the research criteria and the accompanying safeguards are in place: the data must not be used to take measures or decisions about the specific individuals concerned, and the processing must not be likely to cause them substantial damage or distress.
The ICO is currently developing a statutory Code of Practice on AI and Automated Decision-Making, with final guidance anticipated in Summer 2026 following public consultation. Firms should monitor this closely: the Code will provide the most granular regulatory expectations to date on AI use in the UK.
ICO Enforcement: The Risk Is Real
Some firms treat regulatory guidance as advisory until a fine arrives. The ICO's recent enforcement record should put that approach to rest.
In October 2025 the Upper Tribunal overturned an earlier ruling that the ICO lacked jurisdiction over Clearview AI, reinstating the regulator's £7.5 million fine and confirming the extraterritorial reach of UK data protection law. Clearview had scraped facial images from the internet without a lawful basis. The case establishes clearly that being headquartered outside the UK does not insulate an organisation from ICO jurisdiction if it processes the personal data of UK residents.
The ICO ordered Serco Leisure to cease using facial recognition and fingerprint scanning for employee attendance — a direct warning to any firm considering biometric systems for workforce management. Snap's 'My AI' chatbot prompted a formal investigation and preliminary enforcement notice before the company made remedial changes to its privacy risk assessments, particularly regarding children's data. MediaLab.AI was fined £247,590 for processing children's data without proper consent.
These are not edge cases involving reckless operators. They are cases involving commercially deployed AI tools in everyday business contexts. The ICO's 2024/25 Annual Report recorded 43 concluded UK GDPR investigations and 204 incidents. AI and biometrics remain a stated strategic enforcement priority through 2026.
For international firms, the Clearview precedent is especially significant. If you process personal data belonging to UK residents — including through AI systems hosted outside the UK — you are within scope.
AI in Legal and Professional Contexts: Emerging Court Risk
The UK courts are beginning to shape the boundaries of AI use in professional practice, and the early signals are instructive.
In June 2026, AI law firm Garfield AI became the first AI-driven legal practice to win a case in an English court, having managed all pre-trial work for a freelance HR consultant. This is a landmark moment, but it coexists with a more cautionary trend: judges have issued warnings following instances of lawyers submitting AI-generated case citations that did not exist. The professional and reputational consequences of such errors are severe.
For law firms, accountancy practices, HR consultancies, and marketing agencies producing AI-assisted work product, the lesson is straightforward. AI can increase capacity and efficiency; it cannot substitute for professional verification. Outputs must be checked. Hallucinations are not a technical curiosity — they are a professional liability.
Copyright is also coming into focus. AI training data disputes are emerging, and while the UK government declined to introduce a new data mining exception following its December 2024 consultation, it is pressing for industry transparency on AI training inputs. Firms using third-party AI tools should understand what those tools were trained on and whether their use creates downstream copyright exposure.
What This Means for Firms Outside the UK
If your firm is based in the US, Canada, the EU, the Middle East, or Asia-Pacific, but you have UK clients, UK employees, or handle UK personal data in any capacity, these developments affect you directly.
The extraterritorial application of UK data protection law — confirmed again in Clearview — means jurisdictional distance is not a compliance defence. Firms operating across multiple markets also face the practical challenge of harmonising their AI governance frameworks across different regulatory regimes: the EU AI Act, UK GDPR, US state-level AI and privacy laws, and emerging frameworks in markets such as Singapore, the UAE, and Canada. The UK's principles-based approach is more flexible than the EU's, but flexibility still requires documented decision-making, risk assessments, and accountability structures.
Steps Your Firm Should Be Taking Now
The regulatory direction of travel is clear. Enforcement is active. Legislation has commenced. Here is where to focus:
- Audit your AI tools. Identify every AI system in use across your firm, including third-party platforms and tools staff have adopted informally, and document for each what personal data it processes, on what lawful basis, where that data is hosted, and whether the provider uses it for model training.
- Review your ADM processes. If any AI-assisted process makes or significantly influences decisions about individuals, assess whether it meets the updated DUAA 2025 requirements and prepare for the ICO's forthcoming Code of Practice.
- Train your people. Staff using AI tools must understand that outputs require verification and that data input into AI systems may constitute personal data processing.
- Watch the ICO's Code of Practice. The finalised guidance expected in Summer 2026 will set the clearest expectations yet. Build time into your compliance calendar to assess its implications.
AI compliance is not a future concern. For professional services firms operating in or with the UK, it is a present obligation — and one where the cost of inaction is measurable in enforcement notices, fines, and professional liability.
Ops Intel helps professional services firms across the UK, US, Canada, EU, and beyond build AI compliance frameworks that are practical, proportionate, and audit-ready. If your firm needs clarity on what the DUAA 2025 and ICO enforcement priorities mean for your AI use, get in touch with our team today to arrange an initial consultation.