AI and Data Protection: key legal developments in 2025 – 2026
- 13 October 2025
- Privacy and Data Protection
The rapid integration of artificial intelligence into the workplace continues to reshape how organisations manage data, recruitment, and decision-making. Alongside this technological shift, UK and international regulators are introducing new legal frameworks designed to balance innovation with accountability.
As Monica Atwal and Katie Glendinning guided us through the latest developments surrounding the Employment Rights Bill and its implications for employers in our recent webinar, they also placed important focus on the fast-evolving landscape of AI and data protection. With new legislation and regulatory frameworks on the horizon, understanding how these changes interact with employment law is becoming increasingly vital for HR professionals and business leaders alike.
Three major developments stand out for employers in the year ahead: (1) the Data (Use and Access) Act 2025 (DUAA 2025); (2) the Information Commissioner’s Office (ICO)’s Code of Practice on AI; and (3) the EU AI Act, due to take full effect in 2026.
The DUAA 2025 represents one of the most significant modernisations of UK data protection law since the UK GDPR and the Data Protection Act 2018. Its provisions are being phased in between June 2025 and June 2026, providing greater flexibility for organisations deploying AI systems while enhancing protections for individuals, particularly children.
Key updates include:
The Act eases existing restrictions on automated processing of personal data, giving organisations more scope to use AI-driven decision tools, such as those used in recruitment, employee performance reviews, or customer engagement, provided that appropriate safeguards and human oversight remain in place. Organisations will be allowed to rely on a range of ‘lawful bases’ when making automated decisions.
Organisations will now have more time to define the scope of a data subject access request (DSAR) before statutory time limits start to run. This change aims to reduce the administrative burden where data requests involve complex or large datasets, including AI-generated content.
Recognising the sensitivity of children’s personal data, the Act introduces stricter duties on organisations processing such information, ensuring that systems are designed and operated with children’s privacy and welfare as a central priority.
The Act also increases the obligation on organisations to assist individuals who wish to make complaints about data use, reinforcing the government’s focus on transparency and accountability in the digital age.
The ICO is expected to publish a statutory Code of Practice on AI and automated decision-making in the near future. This long-awaited Code will set out practical guidance for organisations using AI tools, with a particular focus on fairness, transparency, and accountability.
Employers can expect the Code to cover subjects such as ensuring AI-driven decisions can be clearly understood and justified; establishing best practice for oversight and documentation of AI use; and supporting organisations to identify and mitigate risks of unfair outcomes, especially in recruitment and HR processes.
Employers should begin reviewing their use of AI in workforce management, ensuring they can demonstrate compliance and transparency in how automated decisions are made.
The EU AI Act is set to be fully implemented by 2 August 2026. Although it will not be directly applicable in the UK, it remains highly relevant for businesses operating across EU and UK jurisdictions.
The Act introduces a risk-based regulatory framework categorising AI systems as minimal, limited, high, or unacceptable risk. Most AI tools used in employment, such as automated candidate screening, performance evaluation, and workplace monitoring, are likely to fall within the “high-risk” category.
Obligations for such systems include:
Non-compliance could attract significant fines, up to 7% of global annual turnover. UK employers with EU operations or employees should therefore ensure their AI systems align with the new EU standards alongside UK data protection obligations.
As discussed in Clarkslegal’s recent article, Human Resources: A Shift Towards Artificial Intelligence, and in this webinar, AI is already transforming HR functions, from recruitment analytics to employee engagement. Yet this transformation also brings new risks. AI should enhance, not replace, human judgment. Employers must ensure that the drive for efficiency does not come at the expense of fairness, inclusivity, or compliance.
To prepare for these upcoming changes, employers should take steps to ensure pre-emptive compliance, such as:
The next 18 months will see a critical alignment of technology and regulation in the workplace. Employers that act now to strengthen governance and transparency around AI use will not only ensure compliance but also build trust and resilience in an increasingly data-driven environment.
At Clarkslegal, we advise employers on navigating these complex and fast-moving changes in AI governance, data protection, and employment law. Our team helps organisations implement compliant and ethical AI solutions, manage data responsibly, and prepare for forthcoming legislation such as the above-mentioned upcoming Acts and guidance.
If you would like tailored advice or further guidance on how these developments may affect your organisation, please get in touch with a member of our employment team.
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.