The DUAA Game-Changer: How UK Professional Services Must Adapt to the New 'Permission-with-Safeguards' AI Model
The regulatory ground beneath UK professional services has shifted considerably this spring. The commencement of core data protection provisions under the Data (Use and Access) Act 2025 (DUAA) on 5 February 2026 marks the most significant change to automated decision-making (ADM) rules since GDPR was first transposed into UK law. For accountants, solicitors, HR consultancies, and marketing agencies already deploying AI tools — or considering doing so — this is not a development to monitor from a distance. It requires immediate, structured action.
This post sets out what has changed, what enforcement looks like in practice, and what your firm needs to do next.
From Prohibition to Permission: Understanding the DUAA Shift
Under the previous UK GDPR framework, automated decision-making that produced legal or similarly significant effects on individuals was, in effect, heavily restricted. The default was prohibition unless specific conditions applied. The DUAA inverts that logic for non-sensitive personal data. The model is now permission-with-safeguards: organisations can deploy ADM more broadly, provided they implement a defined set of protections.
Those safeguards are not optional enhancements. They are mandatory obligations: transparency about how automated decisions are made, a genuine right for individuals to contest those decisions, and meaningful human intervention — not token oversight, but real authority to review and reverse an AI's output.
To give these requirements legal teeth, the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, published on 12 May 2026, legally compel the ICO to produce a binding Code of Practice on AI and ADM. The ICO's draft ADM guidance consultation closed on 29 May 2026. Whatever emerges from that process will not be soft guidance — it will carry statutory weight.
The practical message for professional services firms is straightforward: if you were waiting to see how the regulatory landscape settled before formalising your AI governance, that window has closed.
What 'Meaningful Human Intervention' Actually Means
The phrase "meaningful human intervention" is doing considerable work in the new framework, and the ICO has been explicit about what it does not mean. A reviewer who receives an AI recommendation, glances at it, and approves it without independent scrutiny is not providing meaningful oversight. The ICO has signalled clearly that superficial rubber-stamping constitutes a compliance failure.
For HR consultancies using AI tools to sift CVs or score candidates, this is particularly acute. For accountants using automated systems to flag credit risk or assess client suitability, the same logic applies. The human reviewer must possess genuine authority to contest and alter the AI's output, must understand the basis on which that output was generated, and must exercise independent judgement. Document that judgement. If you cannot demonstrate it happened, the ICO will treat it as though it did not.
Firms should also revisit their Data Protection Impact Assessments (DPIAs) for any AI deployment touching recruitment, HR processes, or credit-related decisions. A DPIA completed before February 2026 almost certainly does not reflect the new safeguard requirements.
Enforcement Is Not Hypothetical
Some firms still treat data protection compliance as a theoretical exercise. Recent enforcement action should correct that view.
The ICO's £14.47 million fine against Reddit for children's privacy failures demonstrates the regulator's willingness to levy record penalties where systemic failures are identified. The £3.07 million fine against Advanced Computer Software established direct financial liability for data processors who fail to implement adequate cybersecurity measures — a warning that supply chain accountability extends well beyond the data controller. And the Upper Tribunal's decision upholding ICO jurisdiction over Clearview AI confirms that UK GDPR's extraterritorial reach is real and enforceable against foreign companies conducting behavioural monitoring on UK residents.
The pattern is consistent: the ICO is pursuing high-impact, targeted enforcement rather than broad-brush action. But "targeted" does not mean rare. It means the regulator chooses cases that set precedents and send sector-wide signals.
The Copyright Question: AI Training and Intellectual Property
Separate from data protection, professional services firms using or procuring AI tools need to understand the current state of UK copyright law as it applies to AI-generated content.
On 18 March 2026, the government confirmed it has abandoned plans for a broad text-and-data mining (TDM) exception that would have permitted commercial AI training on copyrighted material without licence. This is a significant decision. It means AI developers — and by extension, the firms relying on their tools — face ongoing exposure if those tools were trained on unlicensed content.
The High Court's decision in Getty Images v Stability AI offered developers a narrow point of relief, ruling that AI model weights are not "infringing copies" under UK copyright law. However, the court allowed trademark infringement claims to proceed where AI outputs reproduced visible watermarks. The takeaway for professional services is cautious and practical: understand what data your AI tools were trained on, and what content they are generating on your behalf. Indemnity clauses in vendor contracts matter more than ever.
The AI Verification Obligation for Legal and Professional Work
For solicitors and any firm where AI tools are used to support research, drafting, or client advice, the case of Ayinde v Haringey is required reading. Lawyers in that case faced severe sanctions after submitting AI-generated citations that did not exist. The subsequent civil justice consultation, which closed in April 2026, has accelerated the formalisation of verification requirements.
The position is now unambiguous: strict human-in-the-loop verification of AI-generated legal and professional content is a non-negotiable requirement. This is not a technology question. It is a professional conduct question. If your firm is using AI to assist with legal research, regulatory advice, or client-facing documentation, you need a documented verification protocol that your fee-earners are trained to follow and your supervisors are equipped to audit.
Do Not Ignore the EU AI Act
While the UK government has confirmed it will not introduce a standalone domestic AI statute in the near term — choosing instead to pursue voluntary international standards and a sector-led approach — UK firms with EU clients or EU-facing operations cannot rely on that flexibility.
The EU AI Act's obligations for "High-Risk" AI systems become fully enforceable on 2 August 2026. If your firm deploys AI in areas classified as high-risk — which includes AI used in employment, access to essential services, and legal assistance — and those systems affect EU citizens, you are in scope. The compliance requirements are stringent, including conformity assessments, technical documentation, and mandatory human oversight mechanisms. Preparing for these obligations now is not premature. It is already late.
The Compliance Gap Is Growing
The spring 2026 regulatory developments have, collectively, raised the compliance baseline for any professional services firm using AI. The DUAA has opened new permissions, but those permissions come with enforceable obligations. The ICO's forthcoming Code of Practice will make those obligations more specific. Enforcement precedents show the regulator is prepared to act. And for firms with EU exposure, a hard deadline arrives in August.
The gap between firms that have structured AI governance and those operating on informal arrangements is growing wider. Closing that gap requires a methodical assessment of your current AI use, your DPIA coverage, your human oversight processes, and your vendor contracts.
Ops Intel helps UK professional services firms translate regulatory complexity into clear, actionable compliance frameworks. Whether you need a DPIA review, an AI governance audit, or support preparing for EU AI Act obligations, our team works directly with accountancy practices, law firms, HR consultancies, and marketing agencies to build proportionate, defensible compliance programmes.
Contact Ops Intel today to arrange an initial consultation and understand exactly where your firm stands.