UK GDPR, DPA 2018, and the Data (Use and Access) Act for AI Voice in 2026

The UK started 2025 by passing the Data (Use and Access) Act and finished it by ordering the ICO to write a statutory AI Code. The 2026 picture is clearer than the EU's: more flexibility on automated decisions, more pressure to publish how the AI works.

What the law says

The UK regime is the UK GDPR plus the Data Protection Act 2018, both amended by the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025. DUAA rewrote the UK's automated decision-making rules. UK GDPR Article 22 used to mirror the EU prohibition on solely automated decisions with legal or significant effects; DUAA replaced that with new sections that permit such decisions provided the controller installs safeguards — meaningful information about the logic, the right to obtain human intervention, the right to contest, and additional protections for special-category data.

Section 124A of the DPA 2018, inserted by DUAA, requires the Information Commissioner to prepare a statutory Code of Practice on AI and ADM. SI 2026/425 fixed the scope: AI processing of personal data, automated decision-making within the meaning of Article 22, and integration of AI outputs into decisions that materially affect data subjects. The ICO opened a public consultation on draft ADM guidance on 31 March 2026 and published an AI and biometrics strategy. Existing ICO AI guidance — DPIA expectations, the AI risk toolkit, the data-protection-by-design checklist — remains in force.

What AI voice/chat must do

UK callers now have an explicit right to obtain human intervention in any solely automated decision with legal or significant effects, and a right to receive meaningful information about the logic. That means UK voice agents that triage benefits, hiring, credit, or insurance must publish a plain-English explanation of the model and stand up a human-review path within hours, not weeks. Special-category data (health, biometrics) still requires a DPA 2018 Schedule 1 condition on top of an Article 9 condition. Section 8 of the DPA 2018 still prohibits ADM in the law-enforcement context unless authorised. The ICO expects every consumer voice or chat product to have a DPIA, a record of processing, layered transparency, and a published retention schedule.

CallSphere posture

CallSphere is HIPAA and SOC 2 aligned, with 37 production agents, 90+ tools, 115+ DB tables, 6 verticals, and 50+ businesses at 4.8/5. UK-pinned tenants run on a UK or EU PostgreSQL region; the DPIA template carries a UK GDPR Article 35 worksheet plus a DPA 2018 Schedule 1 condition picker. Article 22 (UK) explanations are generated per workflow — the engine writes a one-paragraph plain-English summary of the logic, the data inputs, and the categories of effect. Human review is wired in via the Customer Service Voice Agent and the Behavioral-Health Voice Agent crisis pathway. ROPA, retention, and DSAR responses are automated end-to-end. Pricing is $149 / $499 / $1,499; the 14-day trial runs without a card; partners earn 22% lifetime through /affiliate; pricing detail on /pricing; contact at /contact.

flowchart LR
A[UK Caller] --> B[Voice Agent]
B --> C[Layered Notice]
B --> D[ADM Logic Page]
D --> E[Human Review]
B --> F[DPIA + ROPA]
F --> G[ICO Audit Trail]

Compliance checklist

1. Re-run the UK GDPR Article 22 analysis under DUAA — many use-cases newly permitted now require safeguard documentation.
2. Publish a meaningful-information page per workflow describing logic, inputs, outputs, and effect categories.
3. Build a human-intervention path the caller can invoke on the line and through self-service.
4. Refresh the DPIA against the ICO 2026 toolkit; align with the forthcoming statutory AI Code.
5. Record every inference, tool call, and decision with a tamper-resistant timestamp.
6. Confirm UK-onshore or adequacy-covered hosting for any model that processes personal data.
7. Apply DPA 2018 Schedule 1 conditions to special-category processing on top of Article 9.
8. Honour DSARs in one month; track and publish backlog metrics.
9. Train operations staff on the difference between a refusal under an exemption and information blocking.
10. Watch the ICO consultation on ADM guidance and adopt non-binding recommendations as if they were binding.

FAQ

Did DUAA loosen UK ADM rules? For some use-cases yes — solely automated decisions with significant effects can now proceed if safeguards are in place. The compliance burden moved from ban to safeguard documentation.

Is the statutory AI Code binding? The Code is not law, but the ICO can take it into account in enforcement and the courts will weigh it. Treat it as binding in practice.

Do we need a DPO for AI voice? If the core activity is large-scale monitoring or special-category processing, yes — UK GDPR Article 37 still applies.

Can we transfer UK data to the US? Use the UK Extension to the EU-US Data Privacy Framework or the UK IDTA with a Transfer Risk Assessment.

What about voice biometrics? Schedule 1 of DPA 2018 has narrow conditions; default to explicit consent or a dedicated substantial-public-interest condition.

Sources

• ICO AI and Data Protection Guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
• ICO Artificial Intelligence Hub: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
• UK Data (Use and Access) Act 2025 — legislation.gov.uk: https://www.legislation.gov.uk/ukpga/2025/18
• ICO Draft ADM Guidance Consultation (March 2026): https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/03/
• ICO AI and Biometrics Strategy: https://ico.org.uk/about-the-ico/our-information/our-strategies-and-plans/ai-strategy/