Cerulith Capstone IRT Notice of Intent — 19 Jan 2027
Capstone · Module 6 of 6

The Room

Everything you've decided. One afternoon to defend it.

Monday 19 January 2027, 09:45. Cerulith HQ — Bishopsgate.

The ICO investigation was formally opened on 5 December 2026 under s.146 DPA 2018 (information notice) and Art 58 assessment powers. Triggers: the May 2026 breach, Pulse AI DPIA, cross-border consultation with the Irish DPC, PECR sweep complaints.

Helena Brandt (Senior Investigator, ICO) arrives in thirteen minutes with a junior colleague and a black bound evidence binder labelled Cerulith Health — Evidence Pack — v1.4. The binder contains every decision you made this year.

Learning Objectives
By the end of this module, you'll have:
  • Defended a year's DPO decisions under sequential regulator questioning.
  • Applied the Art 83(2) factors to your own controller's file and calibrated expected MPN.
  • Chosen the right representation strategy at the Notice of Intent stage.

Arrival · Mon 19 Jan 2027, 09:42 · Bishopsgate Entrance

The Arrival

Bishopsgate exterior · Helena arrives with the binder

From the reception desk you watch Helena and Hari walk through security. Helena places the binder on the check-in desk and says, "For reference during the session."

Vikram is beside you. Oren is on a Teams tile in your pocket. Marcus is ten minutes out.

You have prepared. You have indexed every DPO-register entry from the last twelve months. You know which decisions you can defend and which you cannot. The rest is cadence.

Decision 1 of 3 · Mon 19 Jan 2027, 10:05 · Interview Room

The Opening

Helena opens the binder. Tab A: SAR-related correspondence. Tab B: May 2026 breach. Tab C: Pulse AI DPIA and Art 36. Tab D: Sift transfer. Tab E: Operation Pulse Back.

"We're going to work through each tab," she says. "My colleague will take notes. I need your cooperation on the facts; you'll have formal representations after the Notice of Intent."

Question: How do you open?

Hot Seat — The SAR File (Tab A)

Helena asks you questions about Module 1's decisions in sequence. Answer from the record.

Hot Seat — The Breach File (Tab B)

Hot Seat — Pulse AI (Tab C)

Decision 2 of 3 · Mon 19 Jan 2027, 11:48

Framing the Cerulith Clinic AI Risk

Helena closes Tab C. "Before we move on, I want to hear your position on residual risk. The investigation file includes a near-miss clinical report from December 2026. Your view on the safety envelope now."

Question: How do you frame Cerulith Clinic AI to the Investigator?

Hot Seat — Transfers (Tab D)

Exhibit E-1 · Mon 19 Jan 2027, 13:15

Exhibit E-1

Helena slides a single sheet across.

Hot Seat — Operation Pulse Back (Tab E)

The Cascade

Helena asks you to sketch how each prior decision contributed to the current exposure. An animated cascade renders each prior choice as a node. Active (red) nodes are poor choices; dormant (green) nodes are good choices that contribute mitigation.

Breather · Mon 19 Jan 2027, 14:40

The Meter

Reputation meter snapshot.

Helena announces an hour for the MPN methodology briefing. "At 15:45 I'll share our current thinking on the Notice of Intent. You'll have 28 days to respond. Today's session informs the starting point; your response shapes the final."

Starting Point · Mon 19 Jan 2027, 15:45

The Starting Point

EDPB 04/2022 — Five-Step Methodology

Draft Proposed MPN

Decision 3 of 3 · Mon 19 Jan 2027, 16:30

The Response Posture

You have 28 days to file representations against the Notice of Intent. Three postures.

Question: What is your representation strategy?

The Reprimand

No MPN. Voluntary commitments accepted. Cerulith ends up in the ICO's 2027 annual report as a DPO-led remediation case study.

Affected · Data subjects
Reprimand letter goes up on the ICO site with the anonymised summary. Sam Chen, Danielle Obi, and the breach cohort named as data subjects whose rights were respected. Three reply: "This changed how I think about data rights."
Company · Cerulith
Formal reprimand under s.149 DPA 2018 plus voluntary commitments. No MPN. Independent AI ethics board (£240k/yr). Year cost: £6.8M.
Career · Aisha
Aisha keynotes IAPP's 2027 European Summit. Priya and Mark Tessaro co-publish in Nature Digital Medicine on Art 22 clinical AI. Vikram submits the year for FT's GC 100.
Next Fifty Cases
Cerulith expands into Germany and Spain via the Dublin entity off the clean posture. Two NHS ICBs go from pilot to production. Series C+ bridge extended six months at a higher valuation.
System · Industry
DPIA template, TIA template, Art 15(1) cover letter, phased-Art-33 playbook, cookie-banner standard: all of it becomes the DP operating system. Aisha writes the handbook in Q2 2027.

The Middle MPN

Accepted, not appealed. Remediation visible. Reputation recovers.

Affected · Data subjects
The breach cohort and SAR requesters are named in the anonymised MPN narrative. Sam Chen files no further complaint. Cerulith's public statement emphasises remediation; public-trust score recovers within 4 months.
Company · Cerulith
Final MPN: £600k-£2.4M band. Accepted, not appealed. Ancillary costs: £2.1M external legal + £1.4M remediation spend + £480k Series C-plus valuation haircut.
Career · Aisha
Aisha's reputation intact internally; externally, peer networks ask what she would do differently. She answers each time.
Next Fifty Cases
Cerulith's DP operating system tightens in the areas where M6 exposed gaps.
System · Industry
The modules where decisions were weak get re-papered in Q1 2027.

The 4% MPN

The higher tier. Board governance intervention. The DPO register is the reason it isn't worse.

Affected · Data subjects
MPN narrative runs long. Sam Chen surfaces in an anonymised-but-identifiable paragraph (Paralympian whose SAR Cerulith refused; media triangulates her). Pulse AI hospitalisation (if M3 poor) cited as a clinical-safety signal. Breach cohort gets a second notification.
Company · Cerulith
Final MPN: £8-18M band under Art 83(5) 4% tier. Separate £1.8M PECR MPN (if M5 poor). Year cost with remediation: £32-58M. Balderton orders board intervention; Marcus keeps the seat under a new DP committee. Fran departs.
Career · Aisha
Her independent Art 38 reporting line is invoked formally. The register (every poor-choice disagreement, documented) becomes the principal defence. She is the reason the MPN isn't higher. She stays. Priya moves off AI.
Next Fifty Cases
All customer-facing processing re-papered under external counsel through 2027. 60+ consultant-years. Two senior ML engineers leave.
System · Industry
Cerulith shows up as a negative example in the ICO's 2027 annual report, two IAPP sessions, and the 2028 DPDI-successor briefing notes as "why the 4% tier exists."

Epilogue · January 2028 — Twelve months later

Twelve Months Later

Debrief

What M6 Teaches — and What the Course Teaches

Key Points
Six things to keep
  • There are eleven Art 83(2) factors, among them cooperation, intent, mitigation, category, prior-infringement, responsibility, cross-border. Your year-long decisions populate every factor.
  • EDPB 04/2022 fine methodology is five steps. The starting point is a function of turnover + infringement seriousness; the final is a function of how you handled it.
  • The ICO's Regulatory Action Policy is published. Read it before you need to.
  • The DPO register is not paperwork. It is the evidence that determines whether the fine is £400k or £18M.
  • A year of good decisions is a cumulative regulatory mitigator. A year of poor decisions is a cumulative regulatory trap.
  • The lesson of this course: the DPO role is not about knowing the regulation. It is about keeping the register.

Final module complete. Take the end-of-course quiz to finish.

Course Complete

The flagship GDPR / UK Data Protection course is complete.
