An AI use policy is a short written document that tells your team which AI tools they may use, what data they can and cannot put into them, and who is accountable for the output. For a small UK business, two pages is enough. This guide gives you a free template to copy and adapt, plus how to roll it out and keep it current.
Most SMEs I talk to already have staff using ChatGPT, Copilot, or Gemini every day. The tools arrived before any rules did. A written policy is not about slowing people down. It is about giving them a clear boundary so a well-meaning employee does not paste your customer list into a public chatbot because nobody ever told them not to.
Why does my business need an AI use policy?
Because your team is already using AI, and without a policy every person is inventing their own rules. A one-page document sets the boundary on data, review, and accountability. It protects you from a data breach caused by good intentions, and it gives staff permission to use AI properly instead of doing it quietly on personal accounts.
The risks are concrete. Someone pastes customer personal data into a free tool that trains on inputs. A drafted contract clause goes out with an AI mistake nobody checked. A password ends up in a chat log. None of these need bad intent, just an absence of rules.
There is an upside too. A clear policy tends to increase good use of AI, not restrict it. When people know exactly what is allowed, they stop second-guessing and start getting value. The businesses that struggle are usually the ones where AI use is either banned outright (so it goes underground) or completely unmanaged (so it is a liability). A short policy is the middle path.
What should an AI use policy include?
A workable policy for a small business covers ten things: purpose and scope, approved tools, allowed versus forbidden data, human review and accountability, disclosure, security, a data protection pointer, ownership of output, consequences of misuse, and a review cadence. Each section can be a few lines. The goal is something people actually read.
Here is what each section is for and why it matters:
| Policy section | Why it matters |
|---|---|
| Purpose & scope | Says who the policy applies to and why it exists, so nobody claims they were unaware. |
| Approved tools | Gives staff a legitimate route, which stops workarounds on unmanaged personal accounts. |
| Allowed vs forbidden data | The single most important rule. Prevents customer and confidential data leaking into public tools. |
| Human review & accountability | Makes clear a person owns every AI output. AI drafts; a human signs off. |
| Disclosure | Sets expectations on when to tell colleagues or customers that AI was involved. |
| Security | No credentials, keys, or secrets in prompts. Simple, absolute. |
| Data protection & GDPR | Ties AI use to your existing legal duties and the ICO guidance. |
| Ownership / IP of output | Clarifies who owns AI-generated work and flags that AI output is not automatically copyrightable. |
| Consequences of misuse | Gives the policy teeth. Links breaches to your existing disciplinary process. |
| Review cadence | Names an owner and a date, so the policy keeps pace with tools that change monthly. |
The data question is worth its own table, because it is where most accidents happen. For more depth, read "Can I put company data into ChatGPT?".
| Allowed in public AI tools | Forbidden in public AI tools |
|---|---|
| Public marketing copy and blog drafts | Customer or employee personal data |
| Anonymised or invented examples | Payment, bank, or card details |
| General questions and research | Health or other special category data |
| Published company information | Passwords, API keys, and secrets |
| Code with no secrets or client data | Unpublished financials and forecasts |
| Formatting and summarising your own notes | Anything under NDA or legal privilege |
What does a free AI use policy template look like?
Below is a complete template. Copy the block, replace the bracketed placeholders with your details, delete what does not apply, and add anything your sector needs. It is written for a 5 to 50 person business and errs on the side of short. This is a starting point, not legal advice.
```markdown
# [Company Name] — AI Use Policy

Version 1.0 · Owner: [Name, role] · Last reviewed: [Date] · Next review: [Date]

## 1. Purpose and scope

This policy governs how everyone at [Company Name] uses AI tools
(chatbots, assistants, code and content generators) in their work.
It applies to all staff, contractors, and freelancers, on any device
used for company work. Ask [Owner] if you are unsure whether it applies.

## 2. Approved tools

You may use these tools for work:

- [e.g. ChatGPT Team / Enterprise]
- [e.g. Microsoft Copilot]
- [e.g. Claude for Work]

Do not use other AI tools for company data without approval from
[Owner]. To request a new tool, ask [Owner]. Personal free-tier
accounts must not be used for anything beyond the "allowed data" list.

## 3. Data you may and may not put into AI tools

ALLOWED: public information, anonymised examples, your own draft notes,
general questions, and content already published by us.

FORBIDDEN: customer or staff personal data, payment or bank details,
health or special category data, passwords, API keys, unpublished
financials, and anything under NDA or legal privilege.

Rule of thumb: if you would not email it to a stranger, do not paste it
into an AI tool. Approved enterprise tools with a signed data agreement
may allow more — check with [Owner] first.

## 4. Human review and accountability

AI drafts; a human decides. You are personally responsible for any AI
output you use, send, publish, or act on. Check facts, figures, names,
and quotes before relying on them. AI makes confident mistakes. Do not
send AI-generated work to a customer or make a decision from it without
reading and verifying it yourself.

## 5. Disclosure

Be honest about AI use. Tell a colleague if AI produced work they are
reviewing. Tell a customer where our contract, their expectations, or
the law requires it, and whenever AI involvement would materially change
how they judge the work. When in doubt, disclose or ask [Owner].

## 6. Security

Never put passwords, API keys, access tokens, or other secrets into any
AI tool. Never connect an AI tool to company systems or accounts without
approval from [Owner]. Report any suspected leak of data into an AI tool
to [Owner] the same day.

## 7. Data protection and GDPR

Personal data in AI tools is still personal data under UK GDPR. Our
existing data protection duties apply in full. Do not use AI in a way
that processes personal data without a lawful basis. Follow ICO guidance
on AI and data protection (ico.org.uk). Direct any data protection
questions to [DPO or Owner].

## 8. Ownership and intellectual property

Work you create with AI tools for [Company Name] belongs to
[Company Name], subject to each tool's terms. Be aware that purely
AI-generated output may not attract copyright, and that some tools claim
rights over inputs or outputs. Do not paste third-party copyrighted
material into AI tools. Do not present AI output as original human work
where that matters (e.g. accreditation, legal, or client deliverables).

## 9. Consequences of misuse

Breaching this policy — especially the data and security rules — may
lead to disciplinary action under our standard procedures, up to and
including dismissal, and may have legal consequences. Honest mistakes
reported promptly will be handled supportively; concealment will not.

## 10. Review

[Owner] reviews this policy every six months, and sooner if a tool
changes its terms, we adopt a new tool, or ICO guidance changes.
Questions and suggestions go to [Owner].
```
Adapt this. Delete the sections that do not fit and add ones your sector needs. If you handle sensitive data or work in a regulated field, have a solicitor or your data protection officer review your version before you publish it.
How do I roll it out to my team?
Send the policy once with a short, plain-English note on why it exists, then talk through it in a team meeting so people can ask questions. Name one person as the owner so there is an obvious place to go. Add it to onboarding for new starters. Pair it with a couple of approved tools so people have a legitimate route.
A policy nobody reads changes nothing. A few things help it stick:
- Explain the why, not just the rules. People follow a policy they understand. "This stops us leaking customer data" lands better than a wall of clauses.
- Give them approved tools. If you forbid public ChatGPT but offer no alternative, staff will use personal accounts you cannot see. Approve at least one paid tool with a proper data agreement.
- Make asking easy. A named owner who answers questions without judgement prevents the quiet workarounds.
- Fold it into what exists. Reference your existing data protection and disciplinary policies rather than reinventing them.
If you want a wider view of where teams go wrong with AI, "Common mistakes UK businesses make with AI" covers the patterns I see most.
How does this fit with GDPR and data protection?
Your AI policy sits on top of your existing data protection duties; it does not replace them. Personal data pasted into an AI tool is still personal data under UK GDPR, and the same lawful-basis and security rules apply. The ICO has published specific guidance on AI and data protection, and your policy should point to it rather than restate it.
The practical link is section 7 of the template. It ties AI use back to your lawful basis for processing and directs staff to your DPO or owner for anything unclear. If you process personal data at any scale, read "AI and GDPR for UK small businesses" before you finalise your policy, and check the ICO's AI guidance directly.
How often should I review it?
Review the policy every six months as a baseline, and immediately whenever you adopt a new tool, a vendor changes its data terms, or the ICO updates its guidance. AI tools change how they handle data far faster than most internal documents. A policy written eighteen months ago is almost certainly out of date on which tools train on your inputs.
Put a named owner and both a last-reviewed and next-review date at the top of the document, as the template does. That single habit is what stops a policy quietly going stale while everyone assumes it still reflects reality.
If you would rather not build and maintain this alone, a structured look at your current AI use is a good first step. Our free AI Readiness Assessment helps you see where AI is already in play and where the gaps are. If you want a deeper review of tools and data flows already in your business, the fixed-fee £8,000 AI System Audit goes further. No obligation either way.
FAQ
Does a small business really need a written AI use policy?
Yes, once anyone on your team touches tools like ChatGPT or Copilot. A short written policy sets the boundary on what data can go in, who checks the output, and what happens when someone gets it wrong. Without one you are relying on each person's private judgement, which varies wildly and leaves you exposed on data protection.
What should an AI use policy actually cover?
Purpose and scope, the tools you approve, what data is allowed versus forbidden, human review and accountability, when to disclose AI use, security rules on credentials, a GDPR pointer, ownership of AI output, consequences of misuse, and a review date. Keep it to two pages so people read it. Longer policies get ignored.
Is this template legal advice?
No. It is a practical starting point written for a 5 to 50 person business, not a substitute for advice from a solicitor or your data protection officer. Adapt it to your sector, your contracts, and your regulatory duties. If you handle sensitive personal data or work in a regulated field, have a professional review your version before you publish it.
What data should we never put into public AI tools?
Customer personal data, payment or bank details, health or other special category data, passwords and API keys, unpublished financials, legal advice, and anything under NDA. The safe default is: if you would not email it to a stranger, do not paste it into a public chatbot. Approved enterprise tools with a data processing agreement change this calculation.
How do we roll the policy out so people follow it?
Send it once with a short plain-English explanation of why it exists, walk through it in a team meeting, and give people a named person to ask questions. Add it to onboarding for new starters. Pair it with a couple of approved tools so people have a legitimate route rather than working around the rules with personal accounts.
How often should we review an AI use policy?
Every six months as a baseline, and immediately whenever you adopt a new tool, a vendor changes its data terms, or the ICO updates its guidance. AI tools change their data handling far faster than most policies. Put a named owner and a review date on the document so it does not quietly go stale.
Can we just copy this template and publish it?
You can copy it as a first draft, but do not publish it unchanged. Swap in your real tool names, your named policy owner, your escalation route, and any sector-specific rules. Delete sections that do not apply and add ones that do. A template you have adapted to how your business actually works beats a generic one nobody recognises.