The ICO's Enforcement Reckoning: What the £14.47M Reddit Fine and New AI Code of Practice Mean for Your Firm

The first half of 2026 has removed any remaining ambiguity about where UK AI regulation is heading. Statutory frameworks are now in force, enforcement fines have reached record levels, and the courts are issuing judgments that reshape liability across intellectual property, professional conduct, and data protection. For accountants, solicitors, HR consultancies, and marketing agencies deploying AI tools, the question is no longer whether to take compliance seriously. It is whether your current arrangements would survive scrutiny.

This briefing sets out what has changed, what the regulators have signalled through their enforcement activity, and what your firm should be doing right now.

The DUAA Is Live — and It Changes the ADM Landscape

The core data protection provisions of the Data (Use and Access) Act 2025 (DUAA) entered into force on 5 February 2026. The Act substantially liberalises the rules around Automated Decision-Making (ADM), allowing organisations to rely on broader legal bases when processing non-sensitive personal data through automated systems.

On the surface, that sounds like good news for firms using AI to streamline operations — candidate screening in HR, credit risk assessment in accountancy, client segmentation in marketing. The flexibility is real. But it comes with a mandatory condition that the ICO is already interpreting strictly: meaningful human involvement.

The ICO has made clear that this standard is not satisfied by a reviewer who simply approves whatever the algorithm recommends. The person involved must have genuine authority to override the AI outcome, access to sufficient information to exercise that authority, and the practical capacity to do so without undue pressure to rubber-stamp results. Superficial oversight is not oversight. It is a liability.

Firms that have deployed ADM systems and assumed that a human signature on the output provides sufficient cover should revisit that assumption immediately.

The Statutory Code of Practice: Your Compliance Deadline Is Approaching

On 12 May 2026, the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 came into force. This statutory instrument legally compels the ICO to produce a definitive Code of Practice governing AI and ADM. A public consultation on updated ADM guidance closed on 29 May 2026.

The significance of this cannot be overstated. Once issued, the Code will become the benchmark against which the ICO measures compliance. Firms whose Data Protection Impact Assessments (DPIAs) do not adequately address high-risk automated processing will be exposed.

If your firm is using AI for any processing that materially affects individuals — employment decisions, financial assessments, client profiling — your DPIAs need to reflect the DUAA's requirements now, before the Code locks in expectations. Waiting until the Code is published to begin that review is not a strategy. It is a gamble.

The £14.47M Reddit Fine: What It Actually Signals

On 24 February 2026, the ICO issued a record fine of £14.47 million to Reddit, alongside a £247,590 penalty to MediaLab (Imgur), for serious failures in children's privacy protection. Reddit has appealed, but the underlying finding is instructive regardless of outcome.

The ICO ruled definitively that self-declaration age gates are legally insufficient for platforms likely to be accessed by minors. If your business collects or processes personal data from a user base that plausibly includes children, a tick-box saying "I am over 18" does not discharge your obligations.

For marketing agencies running online campaigns, for HR platforms accessed by job-seeking graduates, for any professional services business with a digital product or portal, this ruling sets a clear expectation. Age assurance must be technically robust, not simply a formality.

The ICO also opened a formal investigation into Grok AI on 3 February 2026, examining the generation of non-consensual sexualised imagery. Combined with the DUAA's introduction of a new criminal offence for creating non-consensual intimate deepfake images, the regulatory position on generative AI output is hardening rapidly. Firms using or deploying generative AI tools bear responsibility for what those tools produce.

Supply Chain Liability Is No Longer Someone Else's Problem

The ICO's £3.07 million fine against Advanced Computer Software established a precedent that every firm relying on third-party AI vendors must understand. The penalty was levied directly against a data processor — not a controller — for cybersecurity failures including the absence of multi-factor authentication.

This is a material shift. The ICO is willing to pursue suppliers directly, but that does not reduce your exposure as a controller. Your contracts with AI vendors must clearly allocate liability, mandate specific technical security standards, and give you the right to audit compliance. If your current vendor agreements do not include those provisions, they are not fit for purpose.

Professional services firms often inherit AI tools through software platforms, practice management systems, or productivity suites. Each of those integrations represents a potential supply chain risk. A vendor's failure can become your regulatory problem.

The Courts Are Watching How Your Lawyers Use AI

Two judicial developments deserve attention. In Emotional Perception AI, the UK Supreme Court ruled on 11 February 2026 that Artificial Neural Networks can be patented where they involve physical hardware, overturning the restrictive Aerotel framework. For technology businesses and the solicitors advising them, this opens new territory in IP strategy.

More immediately relevant for solicitors and any professional producing AI-assisted written work: the English courts are continuing to impose severe sanctions for AI-generated false citations. In cases such as Ayinde v Haringey, legal professionals have faced wasted costs orders and findings of professional misconduct for submitting fabricated references generated by AI tools.

This is not a technology problem. It is a governance problem. Any firm producing legal documents, compliance advice, or professional reports using AI assistance must have a rigorous human verification process in place. The professional liability exposure is real and the courts are not treating ignorance as a mitigating factor.

What Your Firm Should Do Now

The compliance picture across the first half of 2026 points in one direction: the era of self-reported, loosely monitored AI governance is over. Regulators have statutory powers, enforcement appetite, and a clear set of benchmarks. The practical priorities for professional services firms are:

• Audit your ADM processes and document how human oversight is genuinely exercised, not just formally assigned.
• Review your DPIAs against the DUAA's requirements for high-risk automated processing before the ICO's Code of Practice sets the definitive standard.
• Scrutinise your AI vendor contracts for liability allocation, security mandates, and audit rights.
• Implement output verification protocols for any AI-assisted professional work, particularly where advice or documents are produced for clients.
• Assess your age assurance measures if your platform or digital services could be accessed by minors.

Work With Ops Intel

Ops Intel helps UK professional services firms build AI compliance frameworks that are practical, auditable, and proportionate to their risk profile. Whether you need a DPIA review, a vendor contract assessment, or a full ADM governance audit, our team works directly with your practice to close the gaps before the regulator identifies them.

Contact Ops Intel today to arrange a compliance review. The regulatory window for proactive preparation is narrowing.