M-Tech Labs AI
Eastbourne · UK

A defensible answer when the regulator asks how you use AI.

Map AI workloads against UK GDPR, ICO guidance, ISO 27001 and NCSC CAF 4.0 — with the DPIAs, registers and evidence an auditor or regulator will actually recognise.

01/ What's involved

How we work through the regimes.

Most organisations already have an ISMS, a DPO and a security policy. The work is threading AI through what exists — not starting a parallel programme.

AI-specific DPIA

A data-protection impact assessment written for the way LLMs actually work — training data, prompts, outputs, retention and the novel risks each one creates.

Lawful-basis register

For every AI workload, the lawful basis for processing, the data subjects involved, retention and the legitimate-interests balancing test where relevant.

NCSC CAF 4.0 mapping

How your AI use maps to the CAF objectives A–D. Where you sit on the maturity profile, where the gaps are and what evidence closes them.

ISO 27001 control alignment

AI-specific risks traced through Annex A controls and your Statement of Applicability (SoA) — so the management system covers what's actually new, not just what's already documented.

Sector regime layer

FCA SYSC, NHS DSPT, Cyber Essentials Plus, EU AI Act classification — whichever regimes apply to you, mapped alongside the general regimes.

Audit-ready evidence pack

Not a binder; a maintained evidence set — policies, decisions, logs, reviews — in the shape an auditor or regulator will actually ask for.

02/ What you get

Evidence you can actually hand over.

The test is simple: can you answer a regulator, an auditor or a client in writing within a week? Our deliverables are written so you can.

  1. AI workload DPIA pack

     Per-workload DPIA documents, residual-risk scoring and review dates — reusable as templates for future AI projects.

  2. CAF 4.0 control map

     A maturity view across the four CAF objectives, scored with evidence links, and a prioritised path to raise profile where it matters.

  3. Policy & register set

     Lawful-basis register, retention schedule, record-of-processing update and any sector-specific register you're required to hold.

  4. Regulator-ready readout

     A short, clear document answering "how is AI used here, what controls exist, and who's accountable" — drafted for the board and the ICO alike.

03/ Frameworks we map against

The regimes your auditor already knows.

We translate AI use into the language of the frameworks you already report on — so AI risk sits inside the management system, not outside it.

UK GDPR & DPA 2018 · ICO AI & data-protection guidance · NCSC CAF 4.0 · NCSC AI principles · ISO 27001 · Cyber Essentials / Plus · NIST AI RMF · EU AI Act · FCA SYSC · NHS DSPT

/ Backed by

Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme.

/ Start a conversation

Get the compliance story written down once.

A compliance engagement leaves you with a DPIA pack, a CAF map and a regulator-ready readout — reusable every time a new AI workload arrives.