
The DUAA Game-Changer: What UK Professional Services Must Do Now on AI Verification and ADM Safeguards


Compliance 18 May 2026 6 min read


The first half of 2026 has not been kind to organisations that treated AI compliance as a box-ticking exercise. A landmark statute has reshaped how automated decisions must be made and overseen. The Information Commissioner's Office has issued penalties running into the tens of millions. And the English judiciary has made clear it will sanction professionals who submit AI-generated work without rigorous verification. For accountants, solicitors, HR consultancies, and marketing agencies, the compliance landscape has shifted materially — and the window for passive observation has closed.

This post sets out what has changed, why it matters specifically to professional services, and what your firm needs to do next.


The Data (Use and Access) Act 2025: A Fundamental Reset on Automated Decision-Making

The Data (Use and Access) Act 2025 (DUAA) brought its core data protection provisions into force on 5 February 2026. Its most consequential change for professional services firms concerns Automated Decision-Making (ADM).

Previously, Article 22 of the UK GDPR operated on a general prohibition model: decisions based solely on automated processing that produced legal or similarly significant effects on individuals were prohibited unless one of a few narrow exceptions applied (explicit consent, contractual necessity, or authorisation by law). The DUAA replaces this with a "permission-with-safeguards" model for decisions that do not rely on special category data. Organisations can now rely on broader legal bases for such automated decisions, but only if they implement a defined set of mandatory safeguards.

Those safeguards are not optional enhancements. They include:

  • Transparency — individuals must be meaningfully informed that an automated decision is being made and on what basis.
  • Contestability — individuals must have a genuine, accessible route to challenge the outcome.
  • Meaningful human involvement — a human reviewer must have real authority and discretion to override the automated decision. The ICO has been explicit on this point: a reviewer who simply ratifies whatever the system produces does not satisfy the requirement.

This last point deserves particular attention. If your firm uses AI-assisted tools for credit assessments, recruitment screening, HR performance reviews, or client-facing recommendations, you cannot assume that having a human nominally "in the loop" is sufficient. The law now demands that the human can — and demonstrably does — exercise genuine judgement.
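The requirement above is evidential as much as procedural: the firm has to be able to show that reviewers actually depart from the system's recommendation when their judgement says so. The following is an added example, not part of the original post and not ICO guidance, of one way to produce that evidence from a decision log. The log format, the field names and the thresholds (minimum case count, minimum plausible median review time) are assumptions chosen for illustration; the sample records are constructed.

```python
"""Check an automated-decision review log for evidence of meaningful human
involvement (added example; field names and thresholds are assumptions)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DecisionRecord:
    decision_id: str
    reviewer: str
    system_outcome: str          # what the automated tool recommended
    final_outcome: str           # what the human reviewer actually decided
    review_seconds: float        # how long the reviewer had the case open
    notice_given: bool           # individual told an automated decision was involved
    contest_route_offered: bool  # individual told how to challenge the outcome
    override_reason: str = ""    # rationale recorded when the human changed the outcome


@dataclass(frozen=True)
class ReviewerStats:
    reviewer: str
    cases: int
    override_rate: float
    median_review_seconds: float
    flags: tuple


MIN_CASES = 5            # assumption: don't judge a reviewer on fewer cases than this
MIN_MEDIAN_SECONDS = 60  # assumption: below this a "review" is implausibly quick


def safeguard_gaps(records):
    """Return (decision_id, problem) pairs where the transparency or
    contestability safeguard is not evidenced, or where an override was
    made without a recorded reason (so the exercise of judgement cannot be shown)."""
    gaps = []
    for r in records:
        if not r.notice_given:
            gaps.append((r.decision_id, "no notice of automated decision"))
        if not r.contest_route_offered:
            gaps.append((r.decision_id, "no route to contest"))
        if r.final_outcome != r.system_outcome and not r.override_reason.strip():
            gaps.append((r.decision_id, "override without recorded reason"))
    return gaps


def reviewer_stats(records):
    """Per-reviewer override rate and median review time, with flags for the
    two patterns that look like rubber-stamping: never overriding, and a
    median review time too short to have read the case."""
    by_reviewer = {}
    for r in records:
        by_reviewer.setdefault(r.reviewer, []).append(r)
    stats = []
    for name, recs in sorted(by_reviewer.items()):
        overrides = sum(1 for r in recs if r.final_outcome != r.system_outcome)
        med = median(r.review_seconds for r in recs)
        flags = []
        if len(recs) >= MIN_CASES and overrides == 0:
            flags.append("never overrides")
        if len(recs) >= MIN_CASES and med < MIN_MEDIAN_SECONDS:
            flags.append("median review time implausibly short")
        stats.append(ReviewerStats(name, len(recs), overrides / len(recs), med, tuple(flags)))
    return stats


def flagged_reviewers(records):
    """Names of reviewers whose pattern needs investigating before the firm
    relies on them as the 'meaningful human involvement' safeguard."""
    return [s.reviewer for s in reviewer_stats(records) if s.flags]


# Constructed sample log: alice overrides sometimes and takes minutes per case;
# bob approves everything in seconds; carol has too few cases to judge.
SAMPLE_LOG = [
    DecisionRecord("D001", "alice", "approve", "approve", 240, True, True),
    DecisionRecord("D002", "alice", "approve", "decline", 600, True, True, "Income evidence contradicts model"),
    DecisionRecord("D003", "alice", "decline", "decline", 180, True, True),
    DecisionRecord("D004", "alice", "decline", "approve", 900, True, True, "Guarantor confirmed in writing"),
    DecisionRecord("D005", "alice", "approve", "approve", 300, False, True),
    DecisionRecord("D006", "alice", "approve", "approve", 210, True, True),
    DecisionRecord("D007", "bob", "approve", "approve", 8, True, True),
    DecisionRecord("D008", "bob", "decline", "decline", 11, True, True),
    DecisionRecord("D009", "bob", "approve", "approve", 9, True, True),
    DecisionRecord("D010", "bob", "approve", "approve", 12, True, False),
    DecisionRecord("D011", "bob", "decline", "decline", 10, True, True),
    DecisionRecord("D012", "bob", "approve", "approve", 14, True, True),
    DecisionRecord("D013", "carol", "approve", "decline", 400, True, True),
    DecisionRecord("D014", "carol", "approve", "approve", 30, True, True),
    DecisionRecord("D015", "carol", "decline", "decline", 25, True, True),
]

if __name__ == "__main__":
    for s in reviewer_stats(SAMPLE_LOG):
        print(f"{s.reviewer}: {s.cases} cases, override rate {s.override_rate:.0%}, "
              f"median {s.median_review_seconds:.0f}s, flags={list(s.flags)}")
    for decision_id, problem in safeguard_gaps(SAMPLE_LOG):
        print(f"gap {decision_id}: {problem}")
```

Run against the constructed log, bob is flagged on both counts while alice and carol are not, and three records show safeguard gaps (a missing notice, a missing contest route, and an override with no reason). None of this proves that bob is rubber-stamping, but it is the kind of record a DPIA can point to when asserting that human review is genuine, and the kind of anomaly a firm should be able to find before the ICO does.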

To reinforce these obligations further, the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 came into force on 12 May 2026. This statutory instrument legally compels the Information Commissioner to prepare and publish a binding statutory Code of Practice on AI and ADM. That Code will, when published, carry statutory weight. Firms should be updating their Data Protection Impact Assessments (DPIAs) now, in anticipation of its requirements — not waiting until it lands.


The ICO Has Found Its Enforcement Teeth

Regulatory guidance carries limited weight without credible enforcement. The ICO has now demonstrated, emphatically, that it is prepared to act.

On 23 February 2026, the ICO issued a £14.47 million penalty to Reddit, one of its largest penalties to date, for failing to implement adequate age assurance measures or conduct a child-specific DPIA before January 2025. The decision establishes a principle that any organisation offering a platform or tool accessible to minors must absorb: self-declaration age gates are not adequate age assurance. If your agency runs digital campaigns with user-generated content, or your HR platform collects data from individuals who may be under 18, this precedent is directly relevant to your compliance posture.

Equally significant is the ICO's £3.07 million fine against Advanced Computer Software, the regulator's first major penalty imposed directly on a data processor under UK GDPR. The absence of multi-factor authentication on a customer account that attackers used to gain access was central to the finding. The implication is straightforward and non-negotiable: liability now flows explicitly into the processor supply chain. Your firm's obligations do not end at your own systems. If you engage third-party AI tools, cloud providers, or software vendors who process personal data on your behalf, their security failures can become your regulatory exposure, and an Article 28 processor contract on file does not by itself discharge your duty to check that the controls it promises actually exist.

The ICO has also launched a formal investigation into Grok AI, concerning the generation of non-consensual sexualised deepfakes. This signals that the regulator is actively scrutinising AI systems at the content-generation level, not merely at the data collection and storage stages where enforcement has traditionally concentrated.


The Judiciary Has Drawn Its Own Red Lines on AI Verification

Outside the data protection sphere, the courts have issued their own unambiguous signal. Cases including Ayinde v Haringey and The Father v The Mother have involved legal professionals and litigants submitting AI-generated documents containing fabricated citations — references to cases that do not exist. In both instances, sanctions and cost orders followed.

The Bar Council and the English judiciary have responded by placing the burden of verification squarely on the professional. There is no defence available that amounts to "the AI produced it." Personal responsibility for AI-generated work product is now a professional obligation, not merely a matter of good practice.

The Civil Justice Council is actively consulting on whether formal declarations should be required — specifically, that AI was not used to generate trial witness statements. Whether or not that particular requirement is adopted in its current form, the direction of travel is unmistakeable.

For solicitors, this means every AI-assisted document that goes before a court or is submitted on behalf of a client requires independent verification of every factual claim and citation against the primary source, not against the AI's own summary of it. For accountants and HR consultancies, it means that any AI-generated analysis, report, or recommendation must be reviewed by someone with the competence and authority to identify and correct errors, not someone who approves it as a matter of routine.


Four Actions Your Firm Should Take Now

The convergence of statutory reform, enforcement action, and judicial guidance points to four concrete priorities for professional services firms operating with AI tools.

1. Audit your ADM processes against the DUAA's new safeguards. Map every system that produces or contributes to decisions affecting clients or employees. For each, confirm that transparency, contestability, and genuine human oversight mechanisms are in place and documented. Rubber-stamp approval processes need to be redesigned, not rebranded.

2. Review and update your DPIAs. The incoming statutory Code of Practice will set benchmarks that your existing DPIAs may not meet. Conducting a gap analysis now — particularly for systems involving ADM or the processing of children's data — puts you ahead of the compliance curve rather than behind it.

3. Scrutinise your vendor and processor relationships. Following the Advanced Computer Software ruling, your third-party due diligence needs to include specific assessment of technical security controls: whether multi-factor authentication covers every remote-access path and every account (not just some of them), access management, encryption standards, and incident response capability. Contractual protections must be backed by verified practice, such as audit reports, penetration test summaries, or evidence of the control in operation, rather than a questionnaire answer.

4. Establish and enforce an AI output verification protocol. Every AI-generated document, analysis, or recommendation that leaves your firm — to a court, a client, a regulator, or a counterparty — must pass through a defined verification step carried out by a competent professional. This is not optional risk management; it is your professional and legal obligation.


Work With Specialists Who Understand What This Moment Demands

The regulatory and judicial developments of early 2026 represent a genuine inflection point. The DUAA has reset the rules on automated decision-making. The ICO has demonstrated it will act against organisations — and their processors — who fall short. And the courts have made professional responsibility for AI outputs explicit.

Ops Intel works with UK professional services firms to translate these obligations into practical, proportionate compliance frameworks. Whether you need a DPIA review, an ADM audit, vendor assessment support, or a firm-wide AI governance policy, our team has the regulatory expertise to help you act now — before the next enforcement action or judicial finding lands closer to home.

Get in touch with Ops Intel today to arrange an initial compliance consultation.
