← Insights / Compliance

UK AI Compliance 2026: What Professional Services Firms Need to Know About the Data Act, ICO Enforcement, and New Court Precedents

The UK's AI compliance landscape has moved decisively from vague principles to enforceable reality. For professional services firms — whether you are an accountancy practice in Manchester, a law firm in Singapore with UK clients, or an HR consultancy operating across the EU and North America — the d

Compliance 14 July 2026 6 min read

UK AI Compliance 2026: What Professional Services Firms Need to Know About the Data Act, ICO Enforcement, and New Court Precedents

The UK's AI compliance landscape has moved decisively from vague principles to enforceable reality. For professional services firms — whether you are an accountancy practice in Manchester, a law firm in Singapore with UK clients, or an HR consultancy operating across the EU and North America — the developments of the past twelve months carry direct operational consequences. This briefing sets out what has changed, what it means, and what you need to do next.

The Data (Use and Access) Act 2025: A New Framework for Automated Decision-Making

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and commenced on 5 February 2026. It is the most significant piece of UK data legislation since the retained GDPR, and its implications for AI-driven professional services are substantial.

The Act expands the lawful circumstances under which organisations can conduct automated decision-making (ADM) — the process by which AI systems make or materially influence decisions about individuals without meaningful human intervention. Under previous UK GDPR provisions, ADM was tightly restricted. The DUAA introduces a more permissive framework, but it does not remove accountability. In parallel, it strengthens individual rights safeguards, meaning that while firms have more latitude to deploy AI in decision workflows, the obligations around transparency, explainability, and redress have increased, not diminished.

Critically, the DUAA provides the statutory foundation for the ICO's forthcoming Code of Practice on AI and Automated Decision-Making. Public consultation was anticipated for May 2026, with finalisation expected by Summer 2026. Once published, this Code will represent the authoritative compliance standard against which ICO investigations and enforcement decisions will be measured. Firms that have not yet mapped their ADM processes should treat this timeline as a hard deadline, not a soft aspiration.

ICO Enforcement: Fewer Actions, Far Larger Fines

The enforcement picture has sharpened considerably. In the first half of 2025, the average ICO fine exceeded £2.8 million — a sevenfold increase in revenue from enforcement compared to 2024, achieved across a third of the number of actions. The message is unambiguous: the ICO is targeting fewer cases but pursuing them with greater financial severity.

For professional services firms, the reinstatement of the £7.5 million fine against Clearview AI in October 2025 carries particular significance. The appeal outcome confirmed that the ICO's jurisdiction extends to any AI system that processes the personal data of UK residents, regardless of where that system is physically located or where the business operating it is based. If your firm uses an AI tool developed in the United States, hosted in the EU, or procured from a vendor in Asia-Pacific — and that tool processes data relating to UK individuals — you are within scope.

This is not theoretical risk. Recruitment tools, client onboarding platforms, document automation systems, and AI-assisted analytics are all capable of processing UK personal data in ways that attract ICO scrutiny. The ICO's November 2024 audit report on AI tools in recruitment identified specific failures around fair processing, data minimisation, and security. Those findings are a reliable indicator of where future enforcement attention will fall.

Court Precedents: Both a Proof of Concept and a Warning

Two developments from the courts illustrate the dual nature of AI deployment risk in professional services.

In June 2026, Garfield AI became what is believed to be the first AI-assisted legal practice to win a trial in an English court. The model involved AI handling document preparation and initial legal steps, with a human barrister presenting the case. This demonstrates that AI can contribute meaningfully to legal workflows and withstand judicial scrutiny — provided the human oversight layer is genuine and competent.

The counterpoint arrived in July 2026, when the Crown Prosecution Service apologised after submitting AI-generated court documents that cited non-existent legal authorities. The reputational and procedural damage was significant. For any professional services firm — legal, financial, or consultancy — this incident is a direct operational warning. AI-generated content that enters a formal process, whether a court submission, a tax filing, a compliance report, or a client advice letter, must be subject to rigorous human verification before it leaves your organisation. Speed and efficiency gains from AI are only legitimate if accuracy is maintained.

The Broader Regulatory Architecture: What International Firms Must Track

The UK's approach remains principles-based and sector-specific rather than prescriptive, but the regulatory architecture around it is thickening. In September 2024, the UK signed the Council of Europe Convention on AI, committing to human rights protections, democratic norms, and risk assessments for AI systems. The Cyber Security and Resilience Bill, introduced in November 2025, will extend cybersecurity obligations to systems incorporating AI components — a consideration for any firm whose AI tools form part of critical operational infrastructure.

The UK government has also signalled its intention to introduce targeted legislation for developers of the most powerful AI models, though this has not yet materialised in statute.

For firms with any operational connection to EU markets, the EU AI Act is already producing obligations. It entered into force in August 2024, with phased requirements applying from February 2025 and high-risk system requirements taking effect from August 2026. Professional services businesses that use AI in HR decisions, credit assessments, legal analysis, or client profiling may find their tools classified as high-risk under the EU framework, triggering conformity assessments, documentation requirements, and human oversight obligations. Non-compliance fines under the EU AI Act can reach tens of millions of euros or a percentage of global turnover. Firms operating across UK and EU jurisdictions face a dual compliance obligation that cannot be managed through a single policy document.

What Professional Services Firms Should Do Now

The practical priorities are clear.

Map your AI use cases. Identify every AI tool in use across the business — including tools embedded in software you already use, such as CRM platforms, document management systems, and HR software. Classify each by the type of data processed and the nature of decisions it informs or makes.

Conduct or update Data Protection Impact Assessments. DPIAs are now essential for any AI system that makes or informs significant decisions about individuals. If you have not conducted one for your AI tools, you are already behind the ICO's expected standard.

Establish human verification protocols. Any AI-generated output that is presented to clients, submitted to regulators, or used in formal proceedings must be reviewed and verified by a qualified human professional before it is relied upon.

Review your vendor contracts. If you use third-party AI tools, your data processing agreements must reflect current obligations. Vendor accountability for data handling is not optional.

Monitor the ICO Code of Practice. Once finalised, this Code will define compliance expectations for ADM in the UK. Build review of the final Code into your compliance calendar for late 2026.


The compliance window is narrowing. Regulatory standards are being codified, enforcement is intensifying, and the courts are beginning to engage with AI directly.

Ops Intel helps professional services firms navigate AI compliance with clarity and precision. From AI use case mapping and DPIA support to cross-jurisdictional compliance frameworks covering the UK, EU, and beyond, our team provides the practical guidance businesses need to operate with confidence.

Get in touch with Ops Intel to discuss your AI compliance position.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit