The Compliance Loop

I turned all the ICO guidance into a Claude Code skill - so now all my engineering and data decisions are compliant by default.

I came to my desk this morning thinking about a DPIA (Data Protection Impact Assessment). I needed one, eventually, for my business - Unusually Limited - and possibly one for some of the individual projects living under it. I'd built an agent called Vincent to help me stay legally on track, and Vincent obviously needed to know what my projects actually do before he could help draft a DPIA for the business as a whole.

That's when I noticed I already had something that knew what my projects do. Advisor - the agent I built who scans my ~/Dev folder and assesses each project - already produces structured analysis: what was built, whether it's a product, how the code looks, what needs fixing before shipping, what alternatives exist. Five sections. Every one of them is exactly the sort of thing a DPIA wants to know.

The next thought was the obvious one: could Advisor flag whether a project needs a DPIA, and if it does, draft what should go into it? And the one after that was the better question:

If my Advisor agent can write a DPIA at the end of a project, why couldn't ICO guidance be read into a project at the start? Then projects would be designed to be compliant from day one, instead of having compliance bolted on after the fact.

Two halves of a circle. The same loop, run in opposite directions.

I sat with this and ran the idea past Claude. We agreed on the shape: ICO guidance becomes a Claude Code skill that informs design; Advisor screens for DPIA-need and drafts the document; the DPIA lives in the repo and gets updated like a CLAUDE.md file; Vincent rolls everything up to the business level. Every component on its own is useful. The loop is what makes it powerful - guidance shapes design, design produces a record, and the record then polices new design.

Then Claude said, quite reasonably, that the ICO has a lot of guidance, and capturing all of it in one skill would be unwieldy.

I had to stop reading for a moment.

If the ICO's published guidance is too big for an AI agent to encode in one place, what are the rest of us - founders, designers, developers - supposed to do with it? We are meant to read it, understand it, and apply it correctly to whatever we are building. We are meant to do this on top of the actual work of building. The volume of compliance guidance has quietly grown to a size where no individual practitioner can hold it in their head, and yet the legal duty to apply it correctly hasn't moved at all.

That is the gap. AI coding doesn't just help you write code - it can read and apply guidance at the speed and scale that compliance actually requires. The thing that makes a compliance loop newly feasible is the same thing that makes AI coding interesting in the first place: an agent can carry context that a person can't.

So here is the design.

A subagent crawls every relevant page of ico.org.uk, slowly and patiently, no scraping shortcuts that get rate-limited. It acts like a human. It pulls the guidance back, reads it the whole way through, and distils the canonical core into a skill - not a copy of the ICO, but the bits a working developer or designer actually needs at the moment of decision. That skill becomes the touchstone. Future projects start with it loaded.

My Advisor agent grows a sixth section: a Data Protection Check that screens each project against the UK GDPR triggers for a DPIA. Most projects don't need one. The ones that do get a draft DPIA generated alongside the existing brief - the same shape as the other five sections, copyable into Claude Code, exportable as a markdown file. The DPIA lives in the repo. Like the CLAUDE.md file, it gets read every time Claude works on the project. New design decisions get checked against it. If a change would breach what is recorded, Claude flags it before the change lands.
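As an added illustration (not the post's own Advisor code), this is what the "Data Protection Check" and the record-polices-new-design step could look like: a screen against the UK GDPR Article 35(3) DPIA triggers, then a comparison of a proposed change against the DPIA already recorded in the repo. The `ProjectProfile` fields are an assumed shape for the structured analysis Advisor produces.

```python
# Added example, not the author's agent code. The ProjectProfile fields are an
# assumption about the structured project analysis the post describes.
from dataclasses import dataclass, field


@dataclass
class ProjectProfile:
    automated_decisions_with_significant_effect: bool = False  # profiling etc.
    large_scale: bool = False
    special_category_data: bool = False   # health, biometrics, beliefs, ...
    criminal_offence_data: bool = False
    systematic_public_monitoring: bool = False
    data_categories: set = field(default_factory=set)
    purposes: set = field(default_factory=set)


def dpia_triggers(p: ProjectProfile) -> list:
    """Return the UK GDPR Art. 35(3) triggers the project meets (a DPIA is
    mandatory if any apply; the ICO lists further 'likely high risk' cases)."""
    hits = []
    if p.automated_decisions_with_significant_effect:
        hits.append("Art 35(3)(a): automated evaluation/profiling with "
                    "legal or similarly significant effects")
    if p.large_scale and (p.special_category_data or p.criminal_offence_data):
        hits.append("Art 35(3)(b): large-scale special category or "
                    "criminal offence data")
    if p.large_scale and p.systematic_public_monitoring:
        hits.append("Art 35(3)(c): large-scale systematic monitoring of a "
                    "publicly accessible area")
    return hits


def needs_dpia(p: ProjectProfile) -> bool:
    return bool(dpia_triggers(p))


def check_change_against_record(record: ProjectProfile,
                                proposed: ProjectProfile) -> list:
    """Flag anything a proposed change adds beyond the recorded DPIA, so it
    can be raised before the change lands (the 'record polices design' step)."""
    issues = []
    new_cats = proposed.data_categories - record.data_categories
    if new_cats:
        issues.append(f"new data categories not in DPIA: {sorted(new_cats)}")
    new_purposes = proposed.purposes - record.purposes
    if new_purposes:
        issues.append(f"new purposes not in DPIA: {sorted(new_purposes)}")
    for trig in dpia_triggers(proposed):
        if trig not in dpia_triggers(record):
            issues.append(f"newly met DPIA trigger: {trig}")
    return issues
```

A project whose recorded DPIA covers only email and usage data will be flagged the moment a change introduces, say, health data or a new profiling purpose, rather than at the next annual review.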

Vincent reads the per-project DPIAs and rolls them up into a single picture of how Unusually Limited handles personal data. When the regulator asks - and the point of this is that one day they will - the answer is already written.

Some way down the road, perhaps, a draft DPIA reaches a state where a human has to sign it off before it gets stored. Maybe DocuSign, maybe something simpler. The point is not that the AI replaces the data controller; the data controller is still me, the responsibility still mine. The point is that the busywork of compliance - the reading, the drafting, the cross-checking, the updating, the noticing - moves to a place where it can happen continuously and at the speed of building, instead of in slow, painful annual reviews.

Compliance has been a paperwork tax for a long time. In the loop I am describing, it stops being paperwork and becomes a design discipline. The DPIA stops being a thing you write at the end and becomes a thing the project carries with it from the beginning. The ICO's guidance stops being a wall of pages you are supposed to have read and becomes a set of design checks Claude actually applies, every time, without forgetting.

Anyway...