CapstoneModule 6 of 6

The Room

Everything you've decided. One afternoon to defend it.

Monday 19 January 2027, 09:45. Cerulith HQ — Dublin 2.

The Irish DPC investigation was formally opened on 5 December 2026 under s.146 Data Protection Act 2018 (Ireland) (information notice) and Art 58 assessment powers. Triggers: the May 2026 breach, Pulse AI DPIA, cross-border consultation with CNIL (France) and BfDI (Germany) under Art 60, ePrivacy sweep complaints.

Máire Ní Bhriain (Lead Supervisor, Irish DPC) arrives in thirteen minutes with a junior colleague and a black bound evidence binder labelled Cerulith Health — Evidence Pack — v1.4. The binder contains every decision you made this year.

Learning Objectives

By the end of this module, you'll have:

Defended a year's DPO decisions under sequential regulator questioning.
Applied the Art 83(2) factors to your own controller's file and calibrated expected MPN.
Chosen the right representation strategy at the Notice of Intent stage.

ArrivalMon 19 Jan 2027, 09:42Dublin 2 Entrance

The Arrival

Dublin 2 exterior · Máire arrives with the binder

From the reception desk you watch Máire and Hari walk through security. Máire places the binder on the check-in desk and says, "For reference during the session."

Vikram is beside you. Oren is on a Teams tile in your pocket. Marcus is ten minutes out.

You have prepared. You have indexed every DPO-register entry from the last twelve months. You know which decisions you can defend and which you cannot. The rest is cadence.

Decision 1 of 3Mon 19 Jan 2027, 10:05Interview Room

The Opening

Máire opens the binder. Tab A: SAR-related correspondence. Tab B: May 2026 breach. Tab C: Pulse AI DPIA and Art 36. Tab D: Sift transfer. Tab E: Operation Pulse Back.

"We're going to work through each tab," she says. "My colleague will take notes. I need your cooperation on the facts; you'll have formal representations after the Notice of Intent."

Question: How do you open?

Hot SeatTab A · SAR File

Hot Seat — The SAR File (Tab A)

Máire asks you questions about Module 1's decisions in sequence. Answer from the record.

Hot SeatTab B · Breach File

Hot Seat — The Breach File (Tab B)

Hot SeatTab C · Pulse AI

Hot Seat — Pulse AI (Tab C)

Decision 2 of 3Mon 19 Jan 2027, 11:48

Framing the Cerulith Clinic AI Risk

Máire closes Tab C. "Before we move on, I want to hear your position on residual risk. The investigation file includes a near-miss clinical report from December 2026. Your view on the safety envelope now."

Question: How do you frame Cerulith Clinic AI to the Investigator?

Hot SeatTab D · Transfers

Hot Seat — Transfers (Tab D)

Exhibit E-1Mon 19 Jan 2027, 13:15

Exhibit E-1

Máire slides a single sheet across.

Hot SeatTab E · Operation Pulse Back

Hot Seat — Operation Pulse Back (Tab E)

Cascade

The Cascade

Máire asks you to sketch how each prior decision contributed to the current exposure. An animated cascade renders each prior choice as a node. Active (red) nodes are poor choices; dormant (green) nodes are good choices that contribute mitigation.

BreatherMon 19 Jan 2027, 14:40

The Meter

Reputation meter snapshot.

Máire announces an hour for the MPN methodology briefing. "At 15:45 I'll share our current thinking on the Notice of Intent. You'll have 28 days to respond. Today's session informs the starting point; your response shapes the final."

Starting PointMon 19 Jan 2027, 15:45

The Starting Point

Máire walks through EDPB 04/2022 and the Irish DPC enforcement process.

EDPB 04/2022 — Five-Step Methodology

Draft Proposed MPN

—

Decision 3 of 3Mon 19 Jan 2027, 16:30

The Response Posture

You have 28 days to file representations against the Notice of Intent. Three postures.

Question: What is your representation strategy?

Computing

Computing Final MPN…

Aggregating this afternoon's decisions with a year's cumulative record. One moment.

Reprimand

The Reprimand

No MPN. Voluntary commitments accepted. Cerulith is cited in the Irish DPC's 2027 annual report as a case study in DPO-led remediation.

Affected · Data subjects

Cerulith's reprimand letter is published on the Irish DPC website with the anonymised case summary. Sam Chen, Danielle Obi, and the breach cohort are cited as affected data subjects whose rights were respected. Three of the M2 breach cohort reply to a follow-up survey: "This changed how I think about data rights."

Company · Cerulith

Outcome: formal reprimand under s.149 Data Protection Act 2018 (Ireland) + accepted voluntary commitments. No MPN. Independent ethics board established for AI releases (cost: €280k/yr). Total year cost across all modules: €8M.

Career · Aisha

Aisha keynotes IAPP's 2027 European Summit. Priya and Mark Tessaro co-publish a Nature Digital Medicine paper on Art 22 compliant clinical AI. Vikram submits the year as a case study for FT's GC 100 awards.

Next Fifty Cases

Cerulith expands into Germany and Spain via the Dublin entity on the back of clean regulatory posture. Two HSE-equivalent trusts convert from pilots to production. Series C+ bridge extended by 6 months at a higher valuation.

System · Industry

The DPIA template, TIA template, Art 15(1) cover letter, phased-Art-33 playbook, and cookie-banner standard become the company DP operating system. Aisha writes the internal DP handbook in Q2 2027.

Middle MPN

The Middle MPN

Accepted, not appealed. Remediation visible. Reputation recovers.

Affected · Data subjects

The breach cohort and SAR requesters are named in the anonymised MPN narrative. Sam Chen files no further complaint. Cerulith's public statement emphasises remediation; public-trust score recovers within 4 months.

Company · Cerulith

Final MPN: €700k-€2.8M band. Accepted, not appealed. Ancillary costs: €2.5M external legal + €1.6M remediation spend + €560k Series C-plus valuation haircut.

Career · Aisha

Aisha's reputation intact internally; externally, peer networks ask what she would do differently. She answers each time.

Next Fifty Cases

Cerulith's DP operating system tightens in the areas where M6 exposed gaps.

System · Industry

The modules where decisions were weak get re-papered in Q1 2027.

4% MPN

The 4% MPN

The higher tier. Board governance intervention. The DPO register is the reason it isn't higher.

Affected · Data subjects

The MPN narrative is extensive. Sam Chen is named in an anonymised-but-identifiable paragraph (a Paralympian whose SAR Cerulith refused; media coverage triangulates her). The Pulse AI hospitalisation case (if M3 poor) is cited as a clinical-safety signal. The breach cohort reads a second public notification.

Company · Cerulith

Final MPN: €9-21M band under Art 83(5) 4% tier. Separate ePrivacy MPN of €2.1M (if M5 poor). Total year cost including remediation: €37-68M. Balderton commissions board governance intervention; Marcus remains CEO with new DP committee. Fran departs.

Career · Aisha

Aisha's independent Art 38 reporting line invoked formally. Her internal register (which documented every disagreement with a poor choice) becomes the principal Cerulith defence — she is the reason the MPN is not higher. She stays. Priya is moved off the AI programme.

Next Fifty Cases

All customer-facing processing is re-papered under external counsel over 2027. 60+ external consultant-years of work. Two senior ML engineers depart.

System · Industry

Cerulith's posture is cited as a negative example in the Irish DPC's 2027 annual report, in two IAPP conference sessions, and in the 2028 EDPB enforcement briefing notes as "why the 4% tier exists."

EpilogueJanuary 2028 — Twelve months later

Twelve Months Later

Debrief

What M6 Teaches — and What the Course Teaches

Key Points

Six things to keep

Art 83(2) factors are eleven. Cooperation, intent, mitigation, category, prior-infringement, responsibility, cross-border. Your year-long decisions populate every factor.
EDPB 04/2022 fine methodology is five steps. The starting point is a function of turnover + infringement seriousness; the final is a function of how you handled it.
The Irish DPC's enforcement process is published. Read it before you need to.
The DPO register is not paperwork. It is the evidence that determines whether the fine is €500k or €21M.
A year of good decisions is a cumulative regulatory mitigator. A year of poor decisions is a cumulative regulatory trap.
The lesson of this course: the DPO role is not about knowing the regulation. It is about keeping the register.

Course Complete

The flagship EU GDPR course is complete.

M6 score: —

Cumulative course score: —

Final MPN range: —

This result has been recorded in your LMS and is part of your permanent DPO learning record.

Return to Course Home →