mtech labs ai
Eastbourne · UK

A defensible answer when the regulator asks how you use AI.

Map AI workloads against UK GDPR, ICO guidance, ISO 27001 and NCSC CAF 4.0 — with the DPIAs, registers and evidence an auditor or regulator will actually recognise.

01/ What's involved

How we work through the regimes.

Most organisations already have an ISMS, a DPO and a security policy. The work is threading AI through what exists — not starting a parallel programme.

  1. AI-specific DPIA

    A data-protection impact assessment written for the way LLMs actually work — training data, prompts, outputs, retention and the novel risks each one creates.

  2. Lawful-basis register

    For every AI workload, the lawful basis for processing, the data subjects involved, retention and the legitimate-interests balancing test where relevant.

  3. NCSC CAF 4.0 mapping

    How your AI use maps to the CAF objectives A–D. Where you sit on the maturity profile, where the gaps are and what evidence closes them.

  4. ISO 27001 control alignment

    AI-specific risks traced through Annex A controls and your SoA — so the management system covers what's actually new, not just what's already documented.

  5. Sector regime layer

    FCA SYSC, NHS DSPT, Cyber Essentials Plus — whichever sector regimes apply to you, mapped alongside the general ones so AI risk sits inside the regime you already report on.

  6. EU AI Act applicability

    The test a UK firm actually needs: are you placing an AI system on the EU market, or are its outputs used in the EU? If yes, the provider-vs-deployer split, the high-risk classification against Annex III, any GPAI duties and the Aug 2026 general-application milestone — written into a plan, not left to read-on-deadline.

  7. Audit-ready evidence pack

    Not a binder; a maintained evidence set — policies, decisions, logs, reviews — in the shape an auditor or regulator will actually ask for.

  8. Secure-development evidence

    Continuous code, dependency and container scanning via Aikido — feeding the SDLC, change-management and supplier-assurance controls your ISO 27001 / Cyber Essentials Plus auditor expects to see.

02/ What you get

Evidence you can actually hand over.

The test is simple: can you answer a regulator, an auditor or a client in writing within a week? Our deliverables are written so you can.

  1. AI workload DPIA pack

    Per-workload DPIA documents, residual-risk scoring and review dates — reusable as templates for future AI projects.

  2. CAF 4.0 control map

    A maturity view across the four CAF objectives, scored with evidence links, and a prioritised path to raise profile where it matters.

  3. Policy & register set

    Lawful-basis register, retention schedule, record-of-processing update and any sector-specific register you're required to hold.

  4. Regulator-ready readout

    A short, clear document answering "how is AI used here, what controls exist, and who's accountable" — drafted for the board and the ICO alike.

03/ Frameworks we map against

The regimes your auditor already knows.

We translate AI use into the language of the frameworks you already report on — so AI risk sits inside the management system, not outside it.

UK GDPR & DPA 2018 · ICO AI & data-protection guidance · NCSC CAF 4.0 · NCSC AI principles · ISO 27001 · Cyber Essentials / Plus · NIST AI RMF · EU AI Act · FCA SYSC · NHS DSPT

/ Backed by

Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme. Code is continuously scanned for quality and security with Aikido, with independent QA and penetration testing by Zoonou available where engagements call for it, and hosted on our own Nutanix / Fortinet platform — continuously pen-tested, current-version, UK-based. See secure development for the full picture.

/ Need it kept true?

A compliance engagement gets you to a defensible answer once. Continuous Compliance keeps that answer current as the platforms underneath ship default-on changes — Inforcer-enforced, monthly board-ready evidence, an audit-ready pack on demand.

/ Start a conversation

Get the compliance story written down once.

A compliance engagement leaves you with a DPIA pack, a CAF map and a regulator-ready readout — reusable every time a new AI workload arrives.