The DUAA Revolution: What UK Professional Services Must Do Now to Stay Compliant with AI Decision-Making
The legal landscape governing how UK businesses use artificial intelligence shifted materially on 5 February 2026. That was the date the core provisions of the Data (Use and Access) Act 2025 (DUAA) came into force, and for professional services firms — accountants, solicitors, HR consultancies, marketing agencies — the implications are immediate and operational. This is not a story about future-proofing. It is a story about what you are now legally required to do.
What the DUAA Actually Changes
Under the old UK GDPR framework, automated decision-making (ADM) that produced legal or similarly significant effects was effectively prohibited unless a narrow exemption applied. The DUAA dismantles that general prohibition and replaces it with a "permission-with-safeguards" model for non-sensitive data. In plain terms: organisations can now deploy ADM more broadly, but doing so lawfully requires specific, documented safeguards.
Those safeguards are not optional extras. They include genuine transparency with the individuals affected, a meaningful right to contest automated outcomes, and demonstrable human intervention in the decision-making process. The Information Commissioner's Office (ICO) is currently developing a binding statutory code of practice on AI and ADM that will codify exactly what each of these requirements looks like in practice. Firms that assume the old light-touch approach will carry forward are taking a significant legal risk.
Genuine Human Oversight Is Now a Legal Standard, Not a Management Principle
This is the point where many professional services firms will need to do serious internal work. The DUAA's human intervention requirement is not satisfied by having a manager glance at an AI-generated recommendation and approve it. Regulators and courts are increasingly clear that superficial "rubber-stamping" does not meet the legal threshold.
Consider what this means concretely. If your HR team uses an AI tool to screen CVs or score candidates, the person reviewing the output must have the genuine authority — and the genuine capability — to override that recommendation based on their own assessment. If your decision-making process is structured so that the AI's output is routinely accepted without challenge, you are not compliant, regardless of what your policy documentation says.
The same logic applies to credit decisions at accountancy practices, risk-scoring tools at financial advisory firms, and client segmentation processes at marketing agencies. Document your human review processes. Test them. Ensure your reviewers understand what the AI is doing and what factors drove its output. Compliance here is an operational matter, not a paperwork exercise.
Enforcement Is Getting Sharper — and More Expensive
The ICO has moved away from issuing guidance and warnings as its primary tool. Its current enforcement strategy is focused on high-impact action against systemic failures. Two recent penalties illustrate the direction of travel.
Reddit received a £14.47 million fine for serious failures in age assurance — a matter of children's privacy, not AI specifically, but a clear signal that the ICO will pursue large penalties where organisations fall short on high-priority protections. More directly relevant to professional services is the £3.07 million fine against Advanced Computer Software, which established a significant precedent: data processors, not just data controllers, can face direct financial liability for failing to secure their supply chains.
If your firm relies on third-party AI vendors — and most do — that ruling matters. Your contractual arrangements with those vendors need to be reviewed. Do your data processing agreements impose enforceable cybersecurity standards? Do they include indemnity provisions? If not, the liability risk sits with your firm.
The Copyright Picture Has Clarified — With Caveats
Two developments in the past year have materially changed the IP context for AI use in the UK. First, the High Court's November 2025 ruling in Getty Images v Stability AI found that an AI model's weights do not constitute an infringing copy of the works used to train it, dismissing the central secondary copyright infringement claim. This is a meaningful legal protection for AI developers and, by extension, for firms deploying AI tools built on large training datasets.
However, the same ruling found Stability AI liable for trademark infringement where its outputs reproduced Getty's watermarks. The lesson is precise: training on third-party content may be legally defensible; generating outputs that reproduce protected marks is not.
Second, the government formally abandoned plans in March 2026 to introduce a broad text and data mining (TDM) copyright exception for commercial AI training. If you were anticipating that exception as a shield for your own data practices or those of your AI vendors, it is not coming. Audit what your vendors are training on and ensure your contractual position is sound.
The EU AI Act Is Your Problem Too
A common misconception among UK-based firms is that Brexit means the EU AI Act is irrelevant to them. It is not. The Act applies extraterritorially: if your firm deploys AI that affects EU citizens, or if you serve EU-based clients, you may be within scope.
The compliance deadline that demands immediate attention is 2 August 2026, when the obligations applicable to "High-Risk" AI systems become fully enforceable. Recruitment tools, performance management systems, and credit assessment processes all fall within this category. If your firm uses any of these technologies and has EU-facing operations, the requirements — including mandatory conformity assessments, technical documentation, and human oversight obligations — apply to you.
The UK government has chosen a sector-led regulatory model, deliberately avoiding a standalone AI statute. That is a considered policy choice, not an absence of regulation. But it means UK firms operating across jurisdictions must maintain parallel compliance frameworks. That is a resource question that needs to be addressed now, not in July.
Your Practical Checklist for Right Now
The regulatory picture demands concrete action across four areas:
Audit your ADM processes. Map every instance where AI contributes to a decision affecting individuals — clients, employees, job applicants. Assess whether your current safeguards meet the DUAA standard.
Operationalise human oversight. Revise your internal workflows so that human review is substantive, documented, and genuinely capable of overriding AI outputs. Train the relevant staff.
Review third-party vendor contracts. In light of processor liability precedents and the absence of a TDM copyright exception, ensure your AI vendor agreements include robust cybersecurity obligations and appropriate indemnities.
Assess your EU AI Act exposure. If you have any EU-facing activity, identify which AI tools you deploy that may qualify as High-Risk systems and begin your compliance assessment immediately.
And if you are using AI for legal research or client-facing outputs, verify everything. The judiciary has been explicit: following sanctions in cases such as Ayinde v London Borough of Haringey, the submission of unverified AI-generated content in legal proceedings is now treated as a breach of professional duty. The Bar Council, the Judiciary, and the Civil Justice Council have all issued warnings. Verification is a professional obligation, not a best practice.
Work With Ops Intel to Get This Right
The DUAA has changed the rules. Enforcement is active. The EU AI Act clock is running. Professional services firms that treat AI compliance as an administrative afterthought are accumulating legal and reputational risk with each passing month.
Ops Intel works exclusively with UK professional services businesses to build AI governance frameworks that are practical, proportionate, and defensible. From ADM audits and vendor contract reviews to EU AI Act readiness assessments, we translate complex regulatory requirements into operational action.
Contact Ops Intel today to arrange a compliance review. The time for monitoring the situation has passed.