Penby

AI Governance Consulting

AI systems that process personal data carry regulatory obligations. Addressing governance now protects your reputation later.

Every AI system that processes personal data falls under UK GDPR. Automated decision-making, profiling, large language models used on customer data: all of it triggers specific legal obligations that most organisations haven't yet addressed. The regulatory direction is clear: the EU AI Act is in force, the ICO is publishing guidance on AI and data protection, and the gap between what organisations are doing and what regulators expect is widening. Proactive governance now prevents costly remediation and reputational exposure later.

Scope

What AI governance means in practice

Data Protection Impact Assessments specifically designed for AI systems: covering training data, model outputs, automated decisions, and data retention.

Compliance assessment against UK GDPR automated decision-making provisions, including the right to human review and meaningful explanation requirements.

AI governance framework development: practical structures your organisation can actually follow, not theoretical documents your team will never reference.

Risk assessment for AI deployment: identifying where personal data enters, how it's processed, what decisions are made, and where the regulatory exposure sits.

Vendor assessment for AI tools and platforms: evaluating the data protection implications of third-party AI services before you commit.

Board-level briefings on AI risk and regulatory direction: giving leadership the clarity to make informed decisions about AI deployment and governance.

Process

How the engagement works

AI Systems Review

Penby maps your current and planned AI usage: what systems are in place, what data they process, what decisions they influence, and where the gaps in governance sit. This establishes a clear picture of the work ahead.

Framework Development

Penby builds the governance structures your organisation needs: DPIAs for each AI system, policies for procurement and deployment, processes for monitoring and review. Everything documented, everything defensible.

Ongoing Advisory

AI governance isn't a one-off exercise. As you adopt new systems and regulations evolve, Penby provides standing advisory: reviewing new deployments, updating impact assessments, and ensuring your governance keeps pace with both the technology and the regulatory expectations.

Eligibility

Who this is for

Any organisation using or planning to use AI systems that process personal data. That includes public sector bodies adopting automated processing, businesses deploying large language models internally, and organisations using AI for customer service or automated decision-making. Or any organisation where the board, compliance team, or CTO has started asking questions about AI risk that nobody can yet answer with confidence.

Begin with a conversation

An initial discussion of your obligations, your current exposure, and how Penby could support you. Without commitment.
