AI, Data and Governance Advice

Direct legal advice on AI governance, data protection and accountability

Boards, product teams and compliance functions increasingly face governance questions about AI-enabled products, automated decision-making, and data-intensive business models. These questions sit at the intersection of data protection law, emerging AI regulatory expectations, and practical commercial governance. Bratby Law provides direct legal advice on AI and data governance, grounded in UK GDPR, the Data Protection Act 2018, and the ICO’s approach to AI and automated decision-making.

Who this is for

AI, data and governance advice is designed for businesses that need to address a specific AI or data governance question rather than ongoing embedded support. Typical clients include boards and audit committees reviewing AI governance arrangements; product teams assessing data protection compliance for AI-enabled features; scale-ups and technology businesses deploying automated decision-making systems; compliance teams preparing for regulatory scrutiny of AI use; and consultancies needing legal input on AI governance within client mandates.

Common governance triggers

Businesses typically need AI and data governance advice when launching or deploying an AI-enabled product or feature and needing to assess data protection compliance, including lawful basis, transparency, DPIAs and automated decision-making under Article 22; when a board or audit committee requires assurance that AI governance arrangements are adequate and documented; when responding to customer, regulator or investor questions about how AI is used in the business; when building or updating a data governance framework to cover AI training data, model outputs and decision audit trails; when assessing third-party AI tools and needing to evaluate the data protection and governance implications of procurement; and when preparing for future UK AI regulation, including the ICO’s AI and data protection guidance and the government’s pro-innovation regulatory approach.

What we advise on

Our AI and data governance advice covers DPIAs for AI-enabled products and automated decision-making systems; lawful basis analysis for AI training data collection, processing and model deployment; transparency and explainability requirements under UK GDPR, including how to provide meaningful information about automated decisions; controller and processor analysis for AI supply chains, including model providers, data processors and cloud infrastructure; data governance frameworks that address AI-specific risks, including bias, accuracy, data quality and retention; board-level AI governance policies, including accountability structures, risk registers and decision documentation; and third-party AI procurement assessments, including data protection due diligence on AI vendors and their models.

AI sits within Bratby Law’s data protection practice as data protection for AI-enabled products, not as a standalone AI practice. This means advice is grounded in the existing legal framework rather than speculative future regulation. Rob Bratby has over 30 years’ experience and current fractional GC appointments at UK Payments Initiative Limited, TelXL, Core and The One Touch Switching Company, where AI governance is an active operational concern.

Deliverables

Typical outputs include DPIAs for AI-enabled products with clear risk assessments and mitigation measures; data governance policies covering AI training, deployment and monitoring; board papers on AI governance and regulatory readiness; AI procurement due diligence reports; transparency documentation for automated decision-making; and advice notes on specific governance questions such as bias testing, data retention or cross-border AI processing.

When this model fits

Direct legal advice on AI and data governance is suited to businesses that have a specific governance question or project rather than an ongoing embedded legal need. Typical scenarios include a product launch, a board governance review, a procurement decision, or a regulatory response. For businesses needing ongoing data protection and AI governance support, a fractional GC model may be more appropriate.

Related practice areas

For UK GDPR compliance and the full data protection framework, see Data Protection. For AI and automated decision-making specifically, see AI and Automated Decision-Making. For commercial transactions, see Transactions.

Related engagement models

See also: Consultant Support for legal integration within consultancy mandates, and Tech Scale-Up Counsel for ongoing support. For an overview, see Direct Legal Advice.

The regulatory framework for AI

The UK has adopted a pro-innovation approach to AI regulation, relying on existing regulators (including the ICO, FCA and Ofcom) to apply existing legal frameworks to AI rather than creating a standalone AI regulator or comprehensive AI legislation. This means the primary legal obligations for AI governance currently arise under UK GDPR and the Data Protection Act 2018, particularly the provisions on automated decision-making (Article 22), data protection impact assessments (Article 35), and accountability (Article 5(2)). The ICO has published detailed guidance on AI and data protection, which we apply in our advisory work.

For businesses operating in both the UK and EU, the interaction between UK GDPR requirements and the EU AI Act creates additional complexity. The EU AI Act introduces risk-based classification of AI systems with specific compliance obligations for high-risk applications. While the EU AI Act does not apply directly in the UK, businesses serving EU customers or using EU-based AI providers need to understand the interaction between the two frameworks.

Frequently asked questions

Is AI regulated in the UK?

There is no standalone AI regulation in the UK yet. AI governance obligations currently arise primarily through UK GDPR and the Data Protection Act 2018, particularly the provisions on automated decision-making, DPIAs and accountability. The ICO has published guidance on AI and data protection that we apply in practice.

Do you advise on the EU AI Act?

Our primary focus is UK law. Where clients have EU operations or EU customers, we can advise on the interaction between UK GDPR requirements and EU AI Act obligations, but we recommend specialist EU counsel for detailed EU AI Act compliance.

Can you help with a DPIA for an AI product?

Yes. AI product DPIAs are a core part of this service, covering the full Article 35 assessment including necessity, proportionality, risk identification and mitigation measures.

What does AI governance advice cost?

Fees depend on scope. A focused governance opinion may take a few days; a comprehensive AI governance framework project would be scoped as a project counsel engagement.

AI governance advice is an area where practical, commercially grounded legal input is more valuable than academic analysis. The businesses deploying AI need to know what they must do to comply with existing law and what governance structures will be robust enough to accommodate regulatory developments as they emerge. That is the focus of our advice.

Book a call

If your business needs AI or data governance advice, contact us.