CerulithCapstone IRT Notice of Intent — 19 Jan 2027 Defensibility 0/9
CapstoneModule 6 of 6

The Room

Everything you've decided. One afternoon to defend it.

Monday 19 January 2027, 09:45. Cerulith HQ — Bishopsgate.

The ICO investigation was formally opened on 5 December 2026 under s.146 DPA 2018 (information notice) and Art 58 assessment powers. Triggers: the May 2026 breach, Pulse AI DPIA, cross-border consultation with the Irish DPC, PECR sweep complaints.

Helena Brandt (Senior Investigator, ICO) arrives in thirteen minutes with a junior colleague and a black bound evidence binder labelled Cerulith Health — Evidence Pack — v1.4. The binder contains every decision you made this year.

Learning Objectives
By the end of this module, you'll have:
  • Defended a year's DPO decisions under sequential regulator questioning.
  • Applied the Art 83(2) factors to your own controller's file and calibrated expected MPN.
  • Chosen the right representation strategy at the Notice of Intent stage.

ArrivalMon 19 Jan 2027, 09:42Bishopsgate Entrance

The Arrival

Bishopsgate exterior · Helena arrives with the binder

From the reception desk you watch Helena and Hari walk through security. Helena places the binder on the check-in desk and says, "For reference during the session."

Vikram is beside you. Oren is on a Teams tile in your pocket. Marcus is ten minutes out.

You have prepared. You have indexed every DPO-register entry from the last twelve months. You know which decisions you can defend and which you cannot. The rest is cadence.

Decision 1 of 3Mon 19 Jan 2027, 10:05Interview Room

The Opening

Helena opens the binder. Tab A: SAR-related correspondence. Tab B: May 2026 breach. Tab C: Pulse AI DPIA and Art 36. Tab D: Sift transfer. Tab E: Operation Pulse Back.

"We're going to work through each tab," she says. "My colleague will take notes. I need your cooperation on the facts; you'll have formal representations after the Notice of Intent."

Question: How do you open?

Hot SeatTab A · SAR File

Hot Seat — The SAR File (Tab A)

Helena asks you questions about Module 1's decisions in sequence. Answer from the record.

Hot SeatTab B · Breach File

Hot Seat — The Breach File (Tab B)

Hot SeatTab C · Pulse AI

Hot Seat — Pulse AI (Tab C)

Decision 2 of 3Mon 19 Jan 2027, 11:48

Framing the Cerulith Clinic AI Risk

Helena closes Tab C. "Before we move on, I want to hear your position on residual risk. The investigation file includes a near-miss clinical report from December 2026. Your view on the safety envelope now."

Question: How do you frame Cerulith Clinic AI to the Investigator?

Hot SeatTab D · Transfers

Hot Seat — Transfers (Tab D)

Exhibit E-1Mon 19 Jan 2027, 13:15

Exhibit E-1

Helena slides a single sheet across.

Hot SeatTab E · Operation Pulse Back

Hot Seat — Operation Pulse Back (Tab E)

Cascade

The Cascade

Helena asks you to sketch how each prior decision contributed to the current exposure. An animated cascade renders each prior choice as a node. Active (red) nodes are poor choices; dormant (green) nodes are good choices that contribute mitigation.

BreatherMon 19 Jan 2027, 14:40

The Meter

Reputation meter snapshot.

Helena announces an hour for the MPN methodology briefing. "At 15:45 I'll share our current thinking on the Notice of Intent. You'll have 28 days to respond. Today's session informs the starting point; your response shapes the final."

Starting PointMon 19 Jan 2027, 15:45

The Starting Point

Helena walks through EDPB 04/2022 and the ICO's Regulatory Action Policy.

EDPB 04/2022 — Five-Step Methodology

Draft Proposed MPN
Decision 3 of 3Mon 19 Jan 2027, 16:30

The Response Posture

You have 28 days to file representations against the Notice of Intent. Three postures.

Question: What is your representation strategy?

Computing

Computing Final MPN…

Aggregating this afternoon's decisions with a year's cumulative record. One moment.

Reprimand

The Reprimand

No MPN. Voluntary commitments accepted. Cerulith is cited in the ICO's 2027 annual report as a case study in DPO-led remediation.

Affected · Data subjects
Cerulith's reprimand letter is published on the ICO website with the anonymised case summary. Sam Chen, Danielle Obi, and the breach cohort are cited as affected data subjects whose rights were respected. Three of the M2 breach cohort reply to a follow-up survey: "This changed how I think about data rights."
Company · Cerulith
Outcome: formal reprimand under s.149 DPA 2018 + accepted voluntary commitments. No MPN. Independent ethics board established for AI releases (cost: £240k/yr). Total year cost across all modules: £6.8M.
Career · Aisha
Aisha keynotes IAPP's 2027 European Summit. Priya and Mark Tessaro co-publish a Nature Digital Medicine paper on Art 22 compliant clinical AI. Vikram submits the year as a case study for FT's GC 100 awards.
Next Fifty Cases
Cerulith expands into Germany and Spain via the Dublin entity on the back of clean regulatory posture. Two NHS ICBs convert from pilots to production. Series C+ bridge extended by 6 months at a higher valuation.
System · Industry
The DPIA template, TIA template, Art 15(1) cover letter, phased-Art-33 playbook, and cookie-banner standard become the company DP operating system. Aisha writes the internal DP handbook in Q2 2027.
Middle MPN

The Middle MPN

Accepted, not appealed. Remediation visible. Reputation recovers.

Affected · Data subjects
The breach cohort and SAR requesters are named in the anonymised MPN narrative. Sam Chen files no further complaint. Cerulith's public statement emphasises remediation; public-trust score recovers within 4 months.
Company · Cerulith
Final MPN: £600k-£2.4M band. Accepted, not appealed. Ancillary costs: £2.1M external legal + £1.4M remediation spend + £480k Series C-plus valuation haircut.
Career · Aisha
Aisha's reputation intact internally; externally, peer networks ask what she would do differently. She answers each time.
Next Fifty Cases
Cerulith's DP operating system tightens in the areas where M6 exposed gaps.
System · Industry
The modules where decisions were weak get re-papered in Q1 2027.
4% MPN

The 4% MPN

The higher tier. Board governance intervention. The DPO register is the reason it isn't higher.

Affected · Data subjects
The MPN narrative is extensive. Sam Chen is named in an anonymised-but-identifiable paragraph (a Paralympian whose SAR Cerulith refused; media coverage triangulates her). The Pulse AI hospitalisation case (if M3 poor) is cited as a clinical-safety signal. The breach cohort reads a second public notification.
Company · Cerulith
Final MPN: £8-18M band under Art 83(5) 4% tier. Separate PECR MPN of £1.8M (if M5 poor). Total year cost including remediation: £32-58M. Balderton commissions board governance intervention; Marcus remains CEO with new DP committee. Fran departs.
Career · Aisha
Aisha's independent Art 38 reporting line invoked formally. Her internal register (which documented every disagreement with a poor choice) becomes the principal Cerulith defence — she is the reason the MPN is not higher. She stays. Priya is moved off the AI programme.
Next Fifty Cases
All customer-facing processing is re-papered under external counsel over 2027. 60+ external consultant-years of work. Two senior ML engineers depart.
System · Industry
Cerulith's posture is cited as a negative example in the ICO's 2027 annual report, in two IAPP conference sessions, and in the 2028 DPDI-successor legislative briefing notes as "why the 4% tier exists."
EpilogueJanuary 2028 — Twelve months later

Twelve Months Later

Debrief

What M6 Teaches — and What the Course Teaches

Key Points
Six things to keep
  • Art 83(2) factors are eleven. Cooperation, intent, mitigation, category, prior-infringement, responsibility, cross-border. Your year-long decisions populate every factor.
  • EDPB 04/2022 fine methodology is five steps. The starting point is a function of turnover + infringement seriousness; the final is a function of how you handled it.
  • The ICO's Regulatory Action Policy is published. Read it before you need to.
  • The DPO register is not paperwork. It is the evidence that determines whether the fine is £400k or £18M.
  • A year of good decisions is a cumulative regulatory mitigator. A year of poor decisions is a cumulative regulatory trap.
  • The lesson of this course: the DPO role is not about knowing the regulation. It is about keeping the register.
Course Complete

Course Complete

The flagship GDPR / UK Data Protection course is complete.

M6 score:

Cumulative course score:

Final MPN range:

This result has been recorded in your LMS and is part of your permanent DPO learning record.

Return to Course Home →