Most professionals using AI are one investigation away from a serious problem — and they don't know it.
Not because they're careless. Because the gap between using AI in good faith and using it lawfully is wider than anyone tells you — and it doesn't close by itself.
Built in three layers.
Because compliance isn't a single step.
AI tools are now part of everyday professional practice. Most people using them are doing so carefully, in good faith, trying to work more efficiently and serve their clients better.
The problem isn't intention. The problem is the gap between using AI tools and using them lawfully — and that gap doesn't close by itself.
The AI Safe Suite is structured in three tiers. Each one addresses a different layer of your compliance position. Each one does something the others cannot. Together, they give you a framework that holds up — not just on paper, but under scrutiny.
Most professionals are surprised by what UK GDPR actually demands when AI enters the picture. Not because the law is unreasonable — but because nobody explained it clearly in the context of tools people are already using every day.
Tier 1 changes that.
The AI Safe Starter Pack gives you a thorough, plain-English explanation of your legal obligations as a data controller using AI tools with client data. It covers consent, lawful basis, data transfers, Special Category Data, and breach reporting — not in the abstract, but in the context of the specific tools and workflows your profession uses.
Alongside it, your Industry Action Guide translates the legal framework into your specific profession. With completed examples, correctly separated consent forms, and a step-by-step week-one action plan, it shows you what compliance looks like in practice — for your work, not someone else's.
Tier 1 is where everyone starts. It's the foundation the other tiers are built on.
What you can prove after Tier 1: that you understood your obligations and took concrete steps to meet them.
Tier 1 - UNDERSTAND
Know what the law requires and why it applies to you.
Understanding your obligations is not the same as meeting them. Knowing what a compliant operation looks like is not the same as having the legal infrastructure to demonstrate it.
That's what Tier 2 provides.
The AI Safe Legal Pack gives you four operational documents: a Data Processing Agreement template covering all Article 28(3) obligations, a 72-hour breach response plan with ICO notification template, a Legitimate Interests Assessment framework with a fully worked example, and an AI Decision Record system that captures contemporaneous evidence as you work.
Every AI tool you use with personal data needs a Data Processing Agreement in place. Every decision influenced by AI needs a record at the time it's made. Every lawful basis you rely on needs prior documentation. The Legal Pack gives you the tools to meet all three requirements — and the Companion Guide walks you through implementing each one in plain English.
Tier 2 is for any professional who uses AI with personal data and wants more than understanding — they want a defensible position.
What you can prove after Tier 2: that you had legal agreements in place, a documented lawful basis for every processing activity, and a tested breach response ready to execute.
TIER 2 – OPERATE
The legal documents to prove you're doing it properly.
Tiers 1 and 2 address the obligations that are already clear and already enforced. Tier 3 addresses what's coming — and for many professionals, what's already here without them realising it.
AI imaging tools can turn photographs into biometric data. AI-generated marketing content carries consumer protection and criminal law exposure most businesses haven't considered. Smart glasses and AI earbuds worn in client-facing settings may constitute unlawful surveillance under RIPA 2000. AI tools that generate advice or recommendations can blur the line between professional judgment and scope of practice in ways that create liability.
The AI Safe Risk & Data Pack addresses all four areas with dedicated policies, six scenario walkthroughs applying the AI Risk Check to real decisions, and a regulatory watch appendix that tells you where enforcement is heading and what to monitor.
Tier 3 is for businesses that would rather be ahead of a regulatory development than responding to it.
What you can prove after Tier 3: that you identified emerging risks before they became enforcement issues, and had documented policies in place to manage them.
TIER 3 – PROTECT
Stay ahead of the risks most businesses haven't identified yet.
Each tier is a layer. The first tells you what the law requires. The second gives you the legal infrastructure to prove you're meeting it. The third protects you against the risks most businesses haven't mapped yet.
They are designed to be implemented in sequence. You can start with Tier 1 today — the week-one action plan in your Industry Action Guide tells you exactly what to do first. When those foundations are in place, Tier 2 gives you the documents to operate properly. Tier 3 gives you the policies to stay ahead.
The organisations that fare best in regulatory investigations are rarely those with the most sophisticated AI systems. They are the ones who can show that they thought carefully about what they were doing, documented their decisions, and operated their framework in practice — not just on paper.