Do I read this correctly, that you recognise that your CIC is breaching the UK GDPR, through failure to comply with Article 28, but nevertheless the CIC is willing to proceed on a "risk" basis?
(For what it is worth, I'd have thought that the risk of enforcement action or a claim from a data subject is indeed incredibly low.)