UK AI Governance · ICO · Data Protection Act 2018

The ICO is auditing AI governance.
Most organisations have nothing on file.

UK GDPR and the ICO's AI guidance give regulators everything they need to audit your AI governance. Your team uses ChatGPT, Copilot, AI screeners, or generative design tools — and you need documentation. Stone & Carter delivers your ICO-aligned governance folder in 7 days.

Get in touch · How it works

ICO AI Framework aligned · Implementation free until May 31 · Cancel anytime

Three questions. One answer.

AI in use?

ChatGPT, Copilot, AI hiring tools — anything

UK operations?

UK-registered or processing UK personal data

Personal data involved?

Staff, customer, or candidate data

If all three: UK GDPR accountability obligations apply to your AI use today.

UK GDPR · DPA 2018 · ICO AI Guidance 2024

What the ICO actually expects. Straight from their published guidance.

"Organisations using AI in ways that affect individuals must be able to demonstrate they have assessed the risks, put appropriate safeguards in place, and ensured their people understand how to use these tools responsibly."

— ICO Guidance on AI and Data Protection, 2024

What the ICO wants to see

Documented staff training on AI risks, a data protection impact assessment for each AI tool in use, clear governance policies, and an evidence trail showing the programme is maintained. Not a one-off session — an ongoing record.

What they're actually finding

Organisations that have deployed AI tools without any formal governance, staff who paste personal data into consumer AI tools without understanding the data implications, and no documentation trail at all.

What comes next

The UK AI Bill will create a formal regulatory framework — likely in 2026. Organisations with documented governance programmes in place will have a significant advantage when mandatory requirements arrive.

Maximum ICO fine

£17.5M

or 4% of global annual turnover — whichever is higher

A £2M company faces up to £80,000 in exposure. A £10M company: £400,000. AI-related data protection failures are a stated priority for the ICO.

Stone & Carter Starter costs £150/month. That's £1,800/year — against £80,000–400,000 in exposure for a typical SME.

Your exposure

The ICO doesn't need a new AI law to audit you.

UK GDPR, the Data Protection Act 2018, and the ICO's AI guidance already give the regulator everything it needs to ask how your organisation governs AI. Most companies can't answer.

Current enforcement

Now

ICO AI audits are already in progress

The ICO began proactive AI audits in 2024. They're using existing UK GDPR accountability powers — no new legislation required. If your team uses AI to process personal data, you're in scope.

The documentation gap

< 1%

of affected organisations have formal AI governance documentation

A GDPR training certificate isn't AI governance. The ICO expects documented policies, role-specific training, and a record showing staff understand AI risks — most companies have none of this.

The fine

4%

of global annual turnover — the maximum ICO fine

Up to £17.5M or 4% of global turnover — whichever is higher. AI-related data protection failures are a priority enforcement area. The ICO has signalled they will use maximum penalties on AI cases.

How it works

10 minutes from you. 7 days to documented.

You spend half an hour with us on day one. We do everything else. The Governance Folder is ready on day 7. Training runs automatically every week after that.

01

10-minute governance audit call

We map your AI tools, data flows, and staff exposure against ICO expectations and UK GDPR. You leave with a gap analysis — not a proposal for more consultancy.

02

We write your role-tailored curriculum

Five tracks — Finance, HR, Sales, Ops, Leadership — each built with UK-specific scenarios. Not generic GDPR slides. Real incidents from your sector, with ICO enforcement context.

03

Programme activates on day 7

Lessons land in inboxes. Two minutes a week. No LMS to install. No new login for staff. Your DPO has a real evidence trail from day one.

04

Governance Folder delivered at activation

The full evidence file is ready before a single lesson is completed. You have documentation on file from the moment your programme starts.

05

We maintain it as ICO guidance evolves

Quarterly curriculum reviews. As the ICO publishes new AI guidance, the AI Bill progresses, and FCA or sector-specific expectations shift, your programme updates. No legal retainer required.

Pricing

Less than a compliance lawyer's afternoon.

Every plan includes a fully populated AI Governance Folder, five role tracks, and quarterly curriculum reviews — maintained for as long as your regulatory obligation runs.

Starter

Up to 30 staff

£3/seat/mo
  • ICO-aligned AI Governance Folder — ready day 7
  • All 5 role tracks included
  • Email delivery, no LMS install
  • Quarterly curriculum reviews
  • Admin dashboard
Most chosen

Growth

31–100 staff

£5/seat/mo
  • Everything in Starter, plus:
  • Completion analytics dashboard
  • Priority support — next business day
  • Custom role configuration
  • Expanded scenario library
  • Onboarding call with governance advisor

All prices in GBP. VAT may apply. Implementation waived for contracts signed before May 31, 2026.

Hard questions

The objections worth taking seriously.

"Can't we just handle this internally?"

You could — if your team has the ICO's AI guidance mapped to role-specific training content, can produce a documented evidence trail in the format the ICO expects, and has the bandwidth to keep it current. Most don't. Stone & Carter delivers the output: a populated Governance Folder on day 7, not six months of internal project work.

"We barely use AI."

One employee using ChatGPT to draft a response that touches a customer's personal data is enough to put you in scope under UK GDPR. The ICO's accountability principle requires documented governance for AI that processes personal data — not just tools you've officially deployed, but everything your staff actually uses.

"What if ICO guidance changes?"

It will. The ICO is still developing sector-specific AI guidance, and the UK AI Bill will formalise requirements further. Every Stone & Carter curriculum is reviewed quarterly as guidance updates. Your Governance Folder stays current — that's part of what the monthly fee covers.

Start here

Every day without documentation is a day with no answer for the ICO.

The governance audit call is 10 minutes. We map your obligation, identify what you're missing, and tell you exactly what a programme for your organisation would cost. No slide deck. No commitment.

10 minutes · No commitment · Governance Folder ready within 7 days of signing