UK AI Compliance Overhaul 2026: What Professional Services Need to Know About ADM, New Enforcement, and Your Liability

Compliance 19 May 2026 6 min read

The regulatory ground beneath UK professional services has shifted decisively in 2026. Between new statutory frameworks, record-breaking fines, and courts reshaping intellectual property law, the message from regulators and judges alike is consistent: AI use in business is no longer a governance grey area. Compliance is now a legal obligation with enforceable consequences.

This briefing cuts through the noise. Here is what has changed, what it means for accountancy firms, solicitors, HR consultancies, and marketing agencies, and where your immediate priorities should lie.


The Data (Use and Access) Act 2025: A New Framework for Automated Decision-Making

The most significant structural change is the commencement of the Data (Use and Access) Act 2025 (DUAA) on 5 February 2026. Its core data protection provisions overhaul how UK organisations may use Automated Decision-Making (ADM) — which covers any AI-driven process that produces a decision, recommendation, or output affecting individuals without meaningful human input.

The old framework, built around a general prohibition on solely automated decisions, has been replaced. The DUAA adopts a permissive model: organisations can use ADM across broader lawful bases for non-sensitive data, but only where mandatory safeguards are in place. Those safeguards centre on three obligations — transparency, contestability, and what the legislation calls "meaningful human involvement."

Critically, the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, which came into force on 12 May 2026, place a statutory duty on the Information Commissioner to publish a definitive Code of Practice on AI and ADM. This is not guidance — it is a legally mandated instrument that will set enforceable standards. Firms should treat its eventual publication as a compliance deadline requiring preparation now, not after the fact.

Alongside this, the ICO itself is completing its transition into a new corporate body — the Information Commission. The institutional architecture of UK data regulation is being restructured for the AI era.


What "Meaningful Human Involvement" Actually Requires

This phrase appears straightforward, but the ICO's position makes clear that most organisations are interpreting it too loosely.

The regulator has been explicit: a human reviewer must possess genuine authority and discretion to override an automated decision. The process of a manager briefly reviewing an AI-generated output before approving it — with no real scrutiny, no access to the underlying logic, and no realistic capacity to challenge the result — does not satisfy the requirement. Superficial rubber-stamping is legally insufficient.

For professional services, this has direct operational consequences. If your firm uses AI to screen job candidates, assess client risk profiles, generate compliance recommendations, or produce financial analysis that informs decisions about individuals, you must be able to demonstrate that the human in that loop is genuinely in control. That means documented review processes, trained staff, and systems that present AI outputs in a form that enables real evaluation — not just sign-off.


Enforcement Has Escalated: The Fines That Define the Landscape

The ICO issued its largest ever children's privacy penalties in February 2026: a £14.47 million fine to Reddit and a £247,590 fine to MediaLab (operator of Imgur). The central finding was that self-declaration age gates — where users simply tick a box to confirm their age — are legally insufficient protection. The platforms were also penalised for failing to conduct child-focused Data Protection Impact Assessments (DPIAs).

For firms whose services or platforms may be accessed by under-18s, this enforcement action establishes a clear evidential standard. Age assurance must be technically robust. DPIAs must be completed and documented before deployment, not retrospectively.

The ICO has also opened a formal investigation into Grok AI regarding the generation of non-consensual sexualised imagery using personal data — consistent with the DUAA's introduction of a new criminal offence for creating non-consensual intimate deepfake images, which took effect in February 2026. The regulatory and criminal frameworks are now aligned.


Processor Liability: The Advanced Computer Software Fine Changes Everything

Perhaps the most operationally significant enforcement development for professional services is the ICO's £3.07 million fine against Advanced Computer Software — its first major penalty directly targeting a data processor rather than a data controller.

Advanced Computer Software was fined for failing to implement basic cybersecurity measures, including multi-factor authentication, across systems it managed on behalf of NHS clients. The fact that it was a processor — not the organisation that originally collected the data — did not insulate it from direct financial liability.

The implications are twofold. First, if your firm processes data on behalf of clients (as many accountancy practices, HR consultancies, and legal firms do), you carry regulatory exposure in your own right. Second, the organisations that engaged Advanced Computer Software as a vendor now face the broader question of whether their supply-chain due diligence was adequate.

Firms must rigorously audit their third-party AI and IT vendors. Robust contractual protections, evidence of vendor security certifications, and regular technical reviews are no longer optional risk management — they are the baseline that regulators expect to see.


The Courts Reshape IP Law for AI

Two judicial decisions have reshaped how AI-related intellectual property is understood in England and Wales.

The UK Supreme Court's February 2026 ruling in Emotional Perception AI determined that Artificial Neural Networks are patentable under UK law, lowering the barrier for organisations seeking to protect proprietary AI tools and models. For firms investing in bespoke AI development, this opens a meaningful route to IP protection that was previously uncertain.

The High Court's November 2025 ruling in Getty Images v Stability AI took a more nuanced position on copyright. The court found that AI model weights are not "infringing copies" under UK copyright law — a partial victory for AI developers — but allowed trademark infringement claims to proceed where the model generated outputs containing visible watermarks belonging to third parties. For marketing agencies and any firm using generative AI to produce content or imagery, this ruling underlines that AI-generated outputs are not legally risk-free. Robust output verification processes are essential.


Your Immediate Compliance Priorities

Based on the regulatory and judicial developments above, professional services firms should act on three fronts without delay.

Audit your ADM processes. Map every AI-assisted decision that affects individuals — staff, clients, or third parties. Assess whether your human oversight arrangements genuinely satisfy the DUAA's safeguards, and document the process thoroughly.

Conduct a supply-chain security review. Following the Advanced Computer Software fine, your liability extends to your vendors. Review processor contracts, request evidence of cybersecurity controls, and ensure multi-factor authentication and equivalent protections are in place across your IT supply chain.

Implement AI output verification. Courts are sanctioning organisations that rely uncritically on AI-generated content. Establish internal protocols for checking AI outputs — particularly any material used in legal, financial, or client-facing contexts — before it is acted upon or published.


How Ops Intel Can Help

The 2026 regulatory landscape demands more than awareness — it requires structured, documented, and defensible compliance programmes. At Ops Intel, we work exclusively with UK professional services firms to navigate AI and data protection obligations. From ADM audits and DPIA frameworks to vendor risk assessments and staff training, we provide the practical expertise your firm needs to operate with confidence.

Contact Ops Intel today to arrange a compliance review and find out where your current AI use stands against the new legal standards.
