UK AI Compliance in 2026: What Professional Services Firms Need to Know About ADM, Copyright, and Enforcement

The UK's approach to AI regulation has never been a single, sweeping statute. It remains deliberately sector-led and pro-innovation, built on existing legal frameworks rather than a dedicated AI law. For professional services firms — accountants, solicitors, HR consultancies, marketing agencies — that means navigating a patchwork of obligations that is quietly tightening in several directions at once.

Mid-2026 brings a cluster of changes that demand attention. Automated decision-making rules are now live. Copyright liability is crystallising. Enforcement powers are being sharpened. And the EU AI Act deadline is bearing down. Here is what your firm needs to understand and act on now.

The Data (Use and Access) Act: ADM Rules Are Already in Force

The Data (Use and Access) Act 2025 (DUAA) is the most significant piece of data legislation since the UK GDPR, and its most consequential provisions for AI users are already in effect. Since 5 February 2026, the UK has operated under a "permission-with-safeguards" model for automated decision-making. Where decisions with legal or similarly significant effects are made using automated processing, firms must be able to demonstrate that meaningful human involvement is part of that process.

The ICO has been explicit about what this does not mean. A reviewer who routinely approves algorithmic outputs without genuinely interrogating them does not satisfy the requirement. Meaningful human involvement requires that the reviewer has the time to assess the decision, the understanding to challenge it, and the authority to override it. That is a considerably higher bar than many firms are currently meeting.

This is particularly acute in HR. The ICO has warned employers directly that using AI hiring tools without genuine human review constitutes a breach of data protection law. If your recruitment process relies on AI-generated candidate rankings or scoring, your oversight workflow needs to be documented and defensible — not simply present on paper.

Further DUAA provisions, including a new statutory regime for handling data protection complaints, commence on 19 June 2026. The regulatory architecture is still being assembled around you.

Copyright and AI Training: The TDM Exception Is Dead

In March 2026, the UK government published its long-awaited report on copyright and AI. The conclusion was unambiguous: the proposed broad text and data mining (TDM) exception for commercial AI training has been abandoned. The government will not intervene in the licensing market at this stage. Developers and AI vendors must rely on existing copyright law and licensing agreements.

For professional services firms, the practical consequence is straightforward but serious. If the AI tools your firm uses were trained on copyright-protected works without appropriate licences, exposure exists. That exposure does not sit only with the AI developer — it may extend to firms that deploy those tools commercially, depending on the nature of the content generated and the contractual terms in place.

Your obligations here are twofold. First, audit your AI supply chain. Understand which tools your firm uses, how those tools were trained, and what intellectual property representations your vendors have made. Second, secure robust contractual indemnities. If a vendor cannot or will not provide meaningful IP warranties, that is a risk your firm is absorbing, not them.

The death of the TDM exception means this is no longer a theoretical concern. It is a live contractual and compliance matter.

Enforcement Is Getting Sharper

The ICO is not standing still. It has consulted on draft enforcement procedural guidance that introduces a formal settlement procedure, offering penalty discounts of up to 40% for firms that engage cooperatively. That is a meaningful incentive — but it comes alongside compulsory interview powers that give the ICO considerably more leverage in investigations.

Equally significant is the DUAA's elevation of maximum fines for Privacy and Electronic Communications Regulations (PECR) breaches. Violations covering unlawful direct marketing and cookie practices now attract penalties up to £17.5 million or 4% of global turnover, bringing PECR in line with UK GDPR levels. For marketing agencies and any firm running email campaigns or managing consent on websites, this is a material change to your risk profile.

In the courts, the Upper Tribunal has upheld the ICO's appeal in the Clearview AI case, firmly establishing that UK GDPR applies extraterritorially to foreign companies that scrape data to monitor UK individuals. The jurisdictional reach of UK data law is broader than some organisations have assumed.

AI in Legal and Professional Work: Hallucination Cases Are Multiplying

The courts are sending a clear and consistent signal about AI-generated content in professional work. The Ayinde v Haringey case — in which fabricated citations generated by AI were submitted to the court — drew significant attention, but it is no longer an isolated incident. 2026 has brought further hallucination cases, including Re A, B, C, D and Brightwaters Energy, as well as the Unitel Direct Ltd case, where a commercial claim was dismissed partly because of uncertainties surrounding AI-generated telephone transcripts.

The professional duty here is unambiguous. AI research, evidence, and documentation must be verified by a qualified human before use. This is not a new principle — it is the ordinary standard of professional care applied to a new tool. What the emerging case law demonstrates is that the courts will not accept hallucinated or unverified AI output as an excuse, and that the reputational and legal consequences of failing to check are substantial.

If your firm uses AI for legal research, drafting, or client-facing work, your quality control processes need to explicitly address AI verification. That means documented checkpoints, not an assumption that fee earners are managing it individually.

EU AI Act: The August Deadline Is Not Optional

UK firms that deploy high-risk AI systems impacting the EU market must be fully compliant with the EU AI Act by 2 August 2026. High-risk systems include AI tools used in HR processes, credit scoring, and certain professional assessments — categories directly relevant to accountancy, legal, and HR consultancy practices.

UK compliance and EU compliance are two separate programmes. The EU AI Act carries its own conformity requirements, technical documentation obligations, and transparency rules that do not map neatly onto the DUAA or UK GDPR. If your firm has EU clients or operates across borders, you cannot treat one compliance exercise as covering both jurisdictions.

If you have not already scoped your EU AI Act obligations, the August deadline leaves limited time for a thorough gap analysis, remediation, and documentation.

Where Does This Leave Your Firm?

The honest answer is that most professional services firms are carrying more AI compliance risk than they realise. ADM obligations are live and being enforced. Copyright liability in the supply chain is unresolved for many vendors. PECR fines now carry GDPR-level consequences. And the courts are demonstrating real appetite to penalise professional misuse of AI.

The good news is that these are manageable risks with the right structure in place — clear policies, audited workflows, contractual protections, and documented oversight.

Ops Intel works with UK professional services firms to build practical, proportionate AI compliance programmes. Whether you need a supply chain audit, ADM oversight documentation, or a dual-track UK and EU compliance assessment, our team provides the expert guidance to get you there without unnecessary complexity.

Contact Ops Intel to discuss your AI compliance position.