UK AI Compliance 2026: What the Data (Use and Access) Act Means for Your Business

Compliance | 1 July 2026 | 6 min read

The UK's regulatory landscape for artificial intelligence has shifted materially. The Data (Use and Access) Act 2025 (DUA Act) came into force on 19 June 2025, and its reforms to automated decision-making will take effect from 5 February 2026. If your organisation processes personal data in the UK — or serves clients who do — you need to understand what has changed, what is coming, and where your exposure now sits.

This is not a story about a future AI law. The compliance obligations are already here.


The End of Article 22: What's Actually Changing

Under the old UK GDPR, Article 22 created a near-blanket restriction on automated decision-making (ADM) that produced legal or similarly significant effects on individuals. The default was prohibition, with narrow exceptions.

The DUA Act replaces this with a new framework: Articles 22A to 22D. The shift is meaningful in both directions. Organisations now have broader lawful grounds to deploy ADM systems without meaningful human involvement, provided special category data is not involved. At the same time, the new framework introduces clearer, enforceable obligations — around transparency, the right to contest decisions, and the conditions under which special category data may be used in automated processes.

In practical terms, this matters to any professional services firm using AI to screen job applicants, segment clients, generate credit-style risk assessments, allocate workloads, or produce automated outputs that affect individual outcomes. If your tools touch personal data and generate decisions — even recommendations that are routinely accepted — you are operating in this space.

The ICO is updating its guidance on ADM and profiling to reflect the new framework, with final guidance expected in Summer 2026. A statutory Code of Practice on AI and Automated Decision-Making, required under the Data Protection Act 2018, is also in development. Organisations should not wait for that guidance to begin their assessment work.


The Fine Exposure Has Increased Significantly

The DUA Act has also revised the UK's penalty structure. Maximum fines for serious UK GDPR breaches now sit at £17.5 million or 4% of annual worldwide turnover, whichever is higher. That figure is unchanged from before. What has changed is the alignment of PECR — the Privacy and Electronic Communications Regulations — with these levels.

Previously, PECR violations, including failures around cookie consent and direct marketing, carried a maximum fine of £500,000. That cap no longer applies. Marketing agencies, email-led service firms, and any organisation running digital campaigns targeting UK individuals now face the same penalty ceiling as they would for a serious data breach.

Recent ICO enforcement illustrates the direction of travel. LastPass UK Ltd received a £1,228,283 penalty in November 2025 following a data breach affecting approximately 1.6 million UK customers. Reddit was fined £14.47 million for children's privacy failings and inadequate age assurance. Clearview AI and Serco Leisure faced enforcement actions for misuse of biometric technologies. These are not outliers — they reflect the ICO's stated enforcement priorities.


The UK Has No Standalone AI Act — But That Is Not the Whole Picture

Despite expectations, no dedicated UK AI Act has materialised, and the government has indicated there is no specific AI bill planned in the short to medium term. The UK continues to favour a sector-specific, principles-based approach, with existing regulators applying current law to AI within their respective domains.

For most professional services businesses, that means the ICO remains the primary AI regulator wherever personal data is involved. The ICO's updated strategy, "Preventing Harm, Promoting Trust," identifies several priorities for 2026: providing certainty on AI and ADM through guidance, setting clear expectations for ADM in recruitment, and scrutinising foundation model developers.

If you are an HR consultancy using AI-assisted shortlisting, a law firm deploying contract review tools, or an accountancy practice using AI to flag anomalies in client data, the ICO's priorities are directly relevant to your operations.


International Businesses Cannot Ignore the EU AI Act

For organisations with operations, clients, or data flows connected to the European Union, the EU AI Act creates a separate and overlapping compliance obligation.

The EU AI Act entered into force in August 2024 and is being phased in through to December 2027. Prohibitions on unacceptable-risk AI systems took effect on 2 February 2025. Obligations for general-purpose AI (GPAI) model providers began on 2 August 2025. The majority of remaining obligations — including requirements for high-risk AI systems — will apply from 2 August 2026.

Fines under the EU AI Act can reach €35 million or 7% of worldwide annual turnover for the most serious violations. Professional services firms advising EU-based clients, operating through EU offices, or deploying AI tools that interact with EU residents need to map their obligations under both regimes. The EU and UK frameworks are not identical. Compliance with one does not guarantee compliance with the other.

Firms in the US, Canada, the Middle East, and Asia-Pacific that serve UK or EU markets face the same dual-regime reality. Jurisdiction of operation is not the determining factor — reach into regulated markets is.


What Responsible Organisations Are Doing Now

The window between the DUA Act entering into force and its ADM provisions taking effect on 5 February 2026 was short. Organisations that have not yet assessed their automated decision-making practices are already behind the curve. Those without updated data protection impact assessments (DPIAs) for AI-enabled processes, clear records of the lawful bases they rely on under the new Articles 22A to 22D, and documented human oversight procedures are exposed.

The steps that matter most are neither complex nor theoretical. They require a structured audit of which AI tools process personal data, an honest assessment of what decisions those tools influence, appropriate documentation, and governance arrangements that will withstand scrutiny.

The ICO has been clear that it will set expectations for ADM in recruitment specifically. Firms in professional services — where recruitment, client assessment, and service delivery increasingly involve AI-assisted processes — should treat that signal as a direct message.


How Ops Intel Can Help

Ops Intel works with professional services firms across the UK, EU, US, Canada, the Middle East, and Asia-Pacific to translate AI compliance obligations into practical, proportionate action. Whether you need a gap analysis against the DUA Act's new ADM framework, support preparing for EU AI Act obligations, or a full AI governance review, our team provides expert guidance without unnecessary complexity.

If your business uses AI — or advises clients who do — the time to act is now.

Contact Ops Intel to book a compliance consultation.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.