What We Do

IOLIS provides AI governance and data protection consultancy to commercial organisations, regulated bodies, and public interest organisations across the UK. We help boards and senior teams govern the use of AI systems and personal data – building the policies, assessments, registers, and oversight structures that turn legal obligation into workable practice. This page sets out what that looks like in more detail: the services we provide, how engagements are structured, and what working with us is actually like.

What services does IOLIS provide?

Our work falls into two related disciplines, built on the same underlying skill – identifying risk, designing proportionate controls, and giving decision-makers the assurance they need.

AI Governance – practical governance for organisations using generative AI, third-party AI platforms, or more structured deployments involving automation and agentic tools. This covers acceptable use policies, AI risk and impact assessments, governance frameworks, system registers, deployment sign-off processes, and incident response arrangements.

Data Protection – outsourced DPO services, Data Protection Impact Assessments, privacy notice and policy review, subject access request support, and advice on compliance with UK GDPR and the Data Protection Act 2018 – including where personal data is used in or alongside AI-enabled systems.

The two disciplines increasingly overlap. An AI tool that processes personal data raises both governance and data protection questions at the same time, and advising on them together – rather than in separate silos – is a large part of why organisations come to us.

How are engagements structured?

Most of our work takes one of three forms:

  • Retained support – an ongoing advisory relationship, such as acting as your organisation’s outsourced Data Protection Officer or retained AI governance advisor. You get continuity, a named point of contact, and someone who already knows your systems when a question or incident arises.
  • Defined projects – a piece of work with a clear scope and end point: a DPIA for a new system, an AI risk assessment, a governance framework build, a policy suite, or a privacy notice rewrite. Scoped and priced up front, delivered to an agreed timescale.
  • Reviews and assurance – an independent look at what you already have. This might be a health check of your current data protection arrangements, a review of how AI tools are actually being used across the organisation, or assurance work commissioned by a board that wants to understand its position before committing to change.

Many engagements start with the third and move into one of the first two – a review establishes where you are, and the follow-on work closes the gaps that matter.

What does working with IOLIS look like in practice?

We start with how tools and data are actually being used – not how the org chart says they should be. That means talking to the people doing the work, looking at the systems in use, and understanding what decisions the outputs feed into. From there, we build controls that fit the organisation in front of us: some need a light-touch framework and clear staff boundaries, others need formal structures, registers, assessments, and board reporting. Our job is to work out which, and to build it with you rather than hand over a template.

Everything we produce is written to be used. Policies are drafted in plain language that staff will actually read. Assessments end in decisions, not just findings. Frameworks come with named owners and review dates, because governance that nobody owns stops working within months.

Why does independence matter?

We are not tied to any software vendor, and we don’t sell the systems we advise on. That matters in a market where much “AI governance” advice is really a sales channel for a platform. It also matters for data protection work specifically: a DPO must be able to give unwelcome advice without conflict of interest, and independence from both the organisation’s internal politics and any vendor relationship is what makes that possible.

Where does IOLIS work?

We are based in Bridgend, South Wales, and work with organisations across the UK. Most engagements are delivered remotely, with clear written outputs and structured communication – which keeps advice documented, decisions traceable, and costs proportionate. We regularly support organisations operating under devolved Welsh frameworks alongside UK-wide obligations.

How do I start a conversation?

Tell us where your organisation is – whether that’s adopting AI tools for the first time, reviewing an existing data protection position, or responding to something specific – and we’ll suggest the most useful place to begin. Find the best way to contact us here.