Living document · Updated June 2026

UK Enterprise AI Compliance Changelog

A monthly-updated log of regulatory change affecting voice AI and enterprise AI deployment in the UK and EU. Each entry names the regulator, dates the change, summarises the obligation in plain language, and tells you what to do about it. Sources covered: ICO, FCA, EU AI Act, NHS DTAC, and notable UK/EU court decisions. Last updated 2026-06-01.

What this changelog covers

  • ICO — UK GDPR guidance, automated decision-making, biometric and voice data.
  • FCA — Consumer Duty as applied to AI-mediated customer interactions, Dear-CEO letters, regulatory perimeter changes.
  • EU AI Act — staged obligation milestones, GPAI rules, codes of practice.
  • NHS DTAC — Digital Technology Assessment Criteria changes affecting AI in clinical and care settings.
  • Courts — material UK/EU rulings that change voice-AI deployment risk.

Updates

  1. EU AI Act

    GPAI obligations under EU AI Act — second wave applies from 2 August 2026

    The second wave of EU AI Act obligations on General-Purpose AI (GPAI) systems comes into force on 2 August 2026. Voice AI deployments that incorporate third-party GPAI models become accountable for upstream transparency obligations (training-data summaries, copyright disclosures, model documentation). Deployers should document which GPAI providers underpin each agent and confirm provider compliance attestations are on file.

    What to do: Add a GPAI provenance column to your model inventory. Request the provider transparency summary from each LLM vendor in your stack and store the date received.

  2. ICO

    ICO publishes refreshed guidance on automated decision-making in customer phone calls

    The ICO refreshed its guidance on UK GDPR Article 22 (automated decision-making with legal or similarly significant effects) as it applies to voice AI handling customer service, claims intake, and credit-related calls. The clarification narrows the reading of "human in the loop": passive monitoring is no longer sufficient; reviewers must have the authority and time to alter the outcome before it is communicated to the caller.

    What to do: For any voice-AI workflow that materially affects a customer (claim acceptance, credit, account closure), confirm the human reviewer is empowered to override before customer notification, and that review SLAs are documented.

  3. FCA

    FCA Dear-CEO letter to consumer credit firms on AI in customer interactions

    The FCA wrote to consumer credit firms reiterating that Consumer Duty applies in full to AI-mediated customer interactions, including outbound voice campaigns. Specific call-outs: foreseeable harm assessments for vulnerable customers, clarity of disclosure that the customer is speaking with an AI agent, and the ability for the customer to request escalation to a human at any point without friction.

    What to do: Audit the opening disclosure on every outbound campaign and inbound IVR. Confirm an escalation phrase ("speak to a person") is recognised and honoured by the agent without requiring the caller to justify the request.

  4. NHS DTAC

    DTAC v3.2 adds explicit voice-AI section

    The NHS Digital Technology Assessment Criteria (DTAC) v3.2 adds a dedicated voice-AI subsection covering clinical safety case requirements, recording-consent flows, and human-handover SLAs for clinical triage use cases. Suppliers responding to NHS procurement should expect explicit voice-AI questions in DTAC submissions from Q3 2026.

    What to do: Update your DTAC response template with the new voice-AI subsection responses. Have a clinical safety case (DCB0129) ready for clinical-adjacent voice deployments.
