UK AI Compliance 2025–2026: What Professional Services Firms Need to Know About the ICO's New Code of Practice
The UK's approach to AI regulation is maturing quickly, and professional services firms — whether they're processing client data, using AI-assisted recruitment tools, or deploying automated decision-making in advisory workflows — are increasingly in scope. The Information Commissioner's Office (ICO) now has sharper teeth, broader priorities, and a statutory code of practice on the horizon. If your firm operates in the UK, handles UK client data, or processes the personal data of UK residents from offices abroad, this briefing is directly relevant to your compliance obligations.
The UK Has Chosen a Different Path to the EU
Unlike the European Union, which introduced a single, comprehensive AI Act, the UK has deliberately avoided a monolithic legislative framework. Instead, the government's approach — outlined in its March 2023 AI Regulation White Paper and reaffirmed since — empowers existing sector regulators to apply five cross-cutting AI principles within their own domains. Those principles are: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress.
For professional services firms, this matters because it means your primary compliance obligations in the UK context flow through regulators you already know. For those in financial services, the FCA remains the lead voice. For everyone processing personal data — which means virtually every accountancy practice, law firm, HR consultancy, and marketing agency — the ICO is central. This is not a future concern. The ICO's enforcement activity is already live and escalating.
The ICO's Statutory Code of Practice: What It Means in Practice
Regulations requiring the ICO to produce a statutory code of practice on AI and Automated Decision-Making (ADM) came into force in May 2026. This is a significant development. A statutory code carries real legal weight — organisations that fail to follow it will find it much harder to demonstrate compliance with UK GDPR obligations. The code will set out clear expectations on transparency, explainability, bias and discrimination, and rights and redress in the context of AI systems.
Simultaneously, in March 2026, the ICO opened a consultation on updated guidance for ADM and profiling, reflecting reforms introduced by the Data (Use and Access) Act 2025 — legislation that received Royal Assent in June 2025 and has broadly been welcomed as "AI-friendly." That Act expanded the circumstances in which automated processing of personal data is permitted and clarified provisions around scientific research. However, it also significantly increased PECR penalties, aligning them with UK GDPR maximums of £17.5 million or 4% of annual worldwide turnover for serious breaches.
The direction is clear: the UK is creating more space for AI innovation, but simultaneously raising the bar for accountability when things go wrong.
Where the ICO Is Focusing Its Scrutiny
The ICO has identified specific areas of targeted enforcement activity for 2025 and 2026 that professional services firms should take seriously.
Recruitment and HR processes are under direct scrutiny. The ICO is examining how major employers and platforms use automated decision-making in recruitment, checking whether candidates are being assessed by systems that are fair, transparent, and lawfully deployed. HR consultancies advising clients on AI-assisted hiring tools, or law firms using such tools internally, need to be able to demonstrate their compliance posture with confidence.
Foundation model developers and AI training data are also in the ICO's crosshairs, with the regulator engaging directly with companies to assess whether personal data is being adequately protected during model training. Firms that have built custom AI tools or fine-tuned models on client data should treat this as a direct signal.
Investigations into harmful AI outputs are escalating. In March 2026, the ICO launched formal investigations into X Internet Unlimited Company and X.AI LLC concerning the Grok AI system, following reports of its use to generate manipulated sexualised images, including of children. The investigations assess lawfulness, fairness, transparency, and the adequacy of safeguards at the design and deployment stage. While these investigations target platform developers, they reinforce the ICO's position that accountability begins at the point of procurement and deployment — not just development.
Recent Enforcement Fines Are a Warning Shot
The fines landing in 2025 and 2026 are not trivial. Reddit received a £14.47 million fine in February 2026 for failing to lawfully process children's personal information. MediaLab.AI (Imgur) was fined £247,590 for similar infringements. LastPass UK Ltd received a £1.2 million penalty in November 2025 following a data breach caused by security failures.
These cases are instructive not just because of their scale, but because of what they reveal about the ICO's priorities: lawful processing, protections for vulnerable data subjects, and security by design. For professional services firms managing sensitive client data — whether that's financial records, legal files, HR data, or marketing analytics — these enforcement actions are a direct indicator of where the ICO will look next.
The International Dimension: Why This Matters Beyond the UK
For firms headquartered outside the UK but serving UK clients, or for UK-based firms operating internationally, the compliance picture is layered. UK GDPR applies to the processing of personal data relating to UK residents regardless of where your organisation is based. That means a Canadian HR consultancy using an AI-assisted screening tool to assess UK job applicants, or a US marketing agency running automated profiling campaigns targeting UK consumers, is within scope.
Conversely, UK-based firms with clients or staff in the EU, US, Canada, or Asia-Pacific face a patchwork of overlapping obligations — from the EU AI Act's risk-based classification system to state-level AI legislation in the US, and sector-specific requirements across the Middle East and Asia-Pacific markets. The UK's principles-based framework may be more flexible than the EU's, but that flexibility does not reduce the burden of demonstrating compliance. It arguably increases it, because there is no single checklist to follow.
What Professional Services Firms Should Do Now
The practical steps are straightforward, but they require deliberate action.
First, audit your AI and automated decision-making use. Map where AI tools are being used in client-facing or internal processes — recruitment, document review, financial analysis, client profiling, marketing automation — and assess whether those uses have been risk-assessed and documented.
Second, review your lawful basis for processing. If any of those AI tools involve personal data, confirm that your lawful basis is clearly established, documented, and communicated to data subjects.
Third, prepare for the statutory code. The ICO's forthcoming code will set the benchmark. Start aligning your policies and procedures now, rather than waiting for enforcement to prompt a reactive response.
Fourth, consider your international obligations in parallel. UK compliance is one layer of a multi-jurisdictional picture. Firms operating globally need a compliance framework that addresses the intersecting requirements of multiple regulators.
Ops Intel helps professional services firms navigate AI compliance across jurisdictions — from UK GDPR and the ICO's evolving requirements to the EU AI Act, North American data laws, and beyond. If you're uncertain where your firm stands, or you need a structured approach to AI governance, get in touch with our team to discuss how we can help.
Work with Ops Intel
Need help navigating AI compliance?
We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.