As the UK advances its principle led approach to AI governance, new statutory duties are on the horizon, making this crucial for organisations to get ahead by establishing robust governance structures now.
UK AI Regulation: principles over prescriptive rules
The UK has adopted a principle based approach to AI regulation rather than introducing a single, comprehensive AI Act. Regulators such as the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA), and Ofcom are embedding five core principles into their oversight frameworks:
- Safety
- Transparency
- Fairness
- Accountability
- Contestability
These principles may become statutory duties in the future – first proposed by way of the Artificial Intelligence (Regulation) Bill – which has stalled in the House of Lords. Nonetheless, this may not be the end of these principles and it is prudent for businesses to take proactive action to embed these principles into their practices; compliance through governance structures and documented processes is a great place to start.
The Data (Use and Access) Act 2025: a game changer for AI and Data
The Data (Use and Access) Act 2025 received Royal Assent in June 2025 and introduced reforms to UK data protection law and the ICO’s remit expanded to oversee automated decision making, digital identity schemes, and compliance with new obligations. In parallel, the Government is required by March 2026 to publish a full impact assessment report on the use of copyright protected works in the training and development of AI systems. This report must also evaluate the policy options set out in the Government’s copyright and AI consultation paper which occurred between December 2024 and February 2025, which explored a number of possible interventions. Among these was the proposal for an “opt-out” regime, enabling rights holders to withhold their works from AI training unless consent is explicitly granted and this appears to be the UK Government’s favoured approach. This “opt-out” regime would impact all businesses and copyright holders. I have provided more detail on AI and copyright law in a previous article; click here to read.
Why Businesses Must Act Now
In this evolving regulatory landscape, it is therefore crucial for organisations to get ahead and proactively prepare by establishing robust governance structures. These frameworks not only ensure that businesses keep pace with anticipated statutory duties arising from the Artificial Intelligence (Regulation) Bill and the Data (Use and Access) Act 2025, but also help organisations mitigate key compliance risks, demonstrate accountability, and build lasting trust with clients and stakeholders. Taking these steps now positions businesses to respond confidently to future regulatory developments while supporting responsible innovation in AI and data-driven initiatives.
Building an AI & Data Council: A Strategic Necessity
To manage these obligations effectively, businesses should begin considering how they will structure their internal governance around AI and data use. In practice, this often involves establishing a governance structure and although the model may differ between organisations, many are now exploring an internal AI & Data Council or similar function.
This governance body should typically:
- Appoint an AI & Data Lead responsible for compliance with the obligations flowing from the use of AI (i.e. data protection, accuracy, copyright, ethics, confidentiality).
- Establish terms of reference to govern the council.
- Form a multidisciplinary committee including legal, data protection, IT, risk, and business stakeholders.
- Implement assurance mechanisms, policies and processes.
How Stephens Scown Can Help
We support businesses in navigating this evolving landscape by:
- Governance Training: Tailored workshops covering AI principles, risk identification and mitigation, and ICO expectations.
- External Chair for AI & Data Council: Providing impartial expertise and strategic oversight.
- Programme Support: We have AI readiness packages to assist you but also can undertake bespoke tailored projects to address the unique needs and objectives of your organisation. Whether you require a comprehensive strategy review, development of specific governance frameworks, or hands-on support with implementation, our team can design solutions that align with your business priorities and regulatory requirements.
By acting now, businesses can anticipate regulatory change, mitigate risk, and build trust with clients and stakeholders, while positioning themselves to take advantage of innovation opportunities.
Contact our team today to discuss how we can help you establish an AI & Data Council, deliver governance training, and provide expert oversight to ensure compliance and resilience.