AI Compliance · UK Law · 8 June 2026

The UK Compliance Deadline Most Businesses Are Missing

19 June 2026 — eleven days from now

While everyone has been watching the EU AI Act, a UK compliance deadline has crept up quietly. The Data (Use and Access) Act 2025 — the DUAA — came into force on 5 February 2026. One of its requirements hits a hard deadline on 19 June 2026, and it applies to every organisation that processes personal data. No small business exemption. No phased rollout.

If you process personal data — and almost every business does — you have eleven days to get this right.

What is the DUAA?

The Data (Use and Access) Act 2025 is the UK's post-Brexit evolution of data protection law. It amends UK GDPR in several significant ways, but three changes matter most for businesses using AI or automated systems:

  • A new statutory regime for automated decision-making (ADM)
  • A mandatory data protection complaints process (the 19 June deadline)
  • Stronger ICO enforcement powers, including the ability to commission independent technical reports at your expense

The 19 June Deadline: What You Need

From 19 June 2026, every organisation that processes personal data must have a formal data protection complaints process in place. This isn't optional and there is no size threshold — a two-person accountancy firm is subject to the same requirement as a FTSE 100 company.

What "in place" means:

  • A documented process for receiving, handling, and responding to data protection complaints
  • A named individual or team responsible for handling complaints
  • Clear timelines for acknowledgement and resolution
  • A record-keeping process for complaints received

If someone complains that you've misused their data — or that an AI system made a decision about them that affected them — you need a defined process for handling it. "We'll look into it" is not a process.

Automated Decision-Making: The Rules Have Changed

The DUAA rewrites the automated decision-making (ADM) rules that existed under UK GDPR Article 22. The headline change sounds permissive: decisions made by automated systems are now broadly permitted, where previously they required a specific legal basis.

The catch is that broader permission comes with tighter safeguards. If your business uses AI to make or significantly influence decisions that affect individuals — CV screening, credit decisions, client risk scoring, pricing, service eligibility — you now need to demonstrate:

  • Transparency: individuals must be informed that automated processing is taking place
  • Right to challenge: individuals must be able to request human review of automated decisions
  • Human intervention capability: you must be able to carry out that human review — it cannot be theoretical
  • Documented lawful basis: legitimate interests is now available for ADM, but you still need a DPIA and a legitimate interests assessment

The compliance question has shifted from "do we qualify for an exception?" to "have we built the safeguards correctly?" That's a harder question — and most businesses haven't answered it.

What This Means for Professional Services Firms

Accountants, solicitors, HR consultancies, and recruiters are directly in scope if they use AI tools that touch client or candidate data. Common scenarios:

  • Recruitment firms using AI to screen CVs or rank candidates — now requires explicit transparency notices, documented scoring criteria, and a human review process on request
  • Accountancy practices using AI for risk scoring or client onboarding checks — your clients have the right to challenge automated assessments
  • Solicitors using AI document review tools — if those tools influence advice or decisions affecting a client, disclosure obligations apply
  • HR consultancies running AI-assisted performance reviews — individuals must be able to request human oversight

Many firms are using these tools already. The question is whether the compliance infrastructure around them has caught up.

The ICO's New Teeth

Alongside the DUAA obligations, the ICO has new enforcement powers worth noting. The regulator can now require organisations under investigation to commission and pay for independent technical reports — essentially forcing you to fund the evidence used against you.

This is a significant escalation. Previously, an ICO investigation was largely documentary — submit your policies, your DPIAs, your records. Now, the ICO can demand a technical audit of your actual AI systems. If you can't demonstrate that your automated decision-making process works the way your policy says it does, that discrepancy is now much easier to evidence.

What to Do Before 19 June

If you're starting from scratch, prioritise in this order:

  1. Build your complaints process. This is the hard deadline. Document it, name a responsible person, set response timelines, and make it findable in your privacy notice. Do this first.
  2. Inventory your AI and automated tools. List every tool that touches personal data or influences decisions. Include third-party software — if a vendor's AI makes decisions using your clients' data, you're still on the hook.
  3. Review your ADM disclosures. If you use automated tools that affect individuals, your privacy notice needs to say so clearly, explain the logic involved, and describe how individuals can request human review.
  4. Check your legitimate interests assessments. If you're relying on legitimate interests as the lawful basis for ADM, you need a current LIA and a DPIA on file.

Steps 2 through 4 don't have to be complete by 19 June — but the complaints process does. And if the ICO comes looking, the inventory and disclosures will be what they ask for first.

The DUAA in the Wider Compliance Picture

The DUAA doesn't exist in isolation. UK businesses using AI now sit at the intersection of five regulatory frameworks:

  • UK GDPR + DUAA — data protection baseline, now with ADM regime
  • The EU AI Act — extraterritorial scope catches UK firms serving EU clients
  • FCA Consumer Duty — AI explainability and fair treatment obligations for financial services
  • UK AI Principles — currently non-binding but influencing ICO guidance
  • Sector-specific rules — SRA, FCA, ICAEW each have their own AI guidance layer

No single document covers all of this. A proper AI compliance framework — one that maps your specific AI use against each applicable framework — is what separates firms that can demonstrate compliance from firms that are hoping no one asks.

Need to get this sorted before 19 June?

Ops Intel's AI Compliance Framework covers the DUAA ADM requirements, data protection complaints process templates, and your obligations under the EU AI Act — delivered as a fixed-fee package tailored to your firm type.
