AI compliance isn't just a policy document.
It's a system.
A policy tells your team what to do. A compliance framework makes sure they actually do it — and gives you evidence if anyone ever asks.
Most businesses stop at the policy. The framework is what actually protects you.
Policy
- A document
- States the rules
- Given to employees once
- Sits in a folder
- No evidence of compliance
Framework
- A system
- Enforces the rules
- Regularly reviewed and updated
- Evidenced and auditable
- Demonstrates due diligence to ICO, regulators, and clients
A complete AI compliance framework has six components.
Acceptable Use Policy
The foundation document. Defines approved tools, prohibited uses, data rules, and employee responsibilities. Customised to your business.
Data Classification Matrix
Categorises every type of data your business handles (public, internal, confidential, restricted) and defines which AI tools are permitted to process each category.
GDPR Compliance Position
For each AI tool you use: is it a data processor? Is there a DPA? Where is data stored? Does it train on your inputs? Documented and maintained.
Employee Training & Acknowledgement
Plain-English guidelines per team and role. Employees read and understand them, then sign an acknowledgement. You keep a record.
AI Risk Register
A live document listing every AI tool in use, the risks associated with each, and the mitigations in place. Updated when tools are added or changed.
Incident Response Procedure
What happens if something goes wrong. Who is notified, in what order, within what timeframe. Required by UK GDPR for data incidents.
Regulated industries have additional obligations.
Legal (SRA regulated)
Client confidentiality, legal professional privilege, and SRA Code of Conduct obligations apply when using AI with client matter files. The SRA has published specific guidance.
Financial Services (FCA regulated)
The FCA expects firms to manage AI as an operational risk. Consumer Duty obligations extend to AI-assisted advice or communications.
Healthcare & Care
CQC and ICO requirements overlap. Special category health data has the highest level of GDPR protection. Any AI processing of patient or service user data requires explicit justification.
Education
If children's data is involved, additional safeguarding obligations apply. Ofsted may ask about AI use in safeguarding contexts.
Trading with Europe? The EU AI Act already applies to you.
The EU AI Act is not just a European regulation. It has explicit extraterritorial reach — if your AI systems produce outputs used inside the EU, you are in scope. That includes any UK business with Irish clients, EU supply chain partners, or EU-based customers.
Prohibited AI practices banned
Manipulative AI, social scoring, and mass biometric surveillance outlawed across the EU — including outputs from UK-based systems reaching EU users.
Fines now enforceable
EU regulators can issue fines today. Up to €35 million or 7% of global annual turnover for serious violations. No grace period on prohibited practices.
Full enforcement — 4 months away
High-risk AI rules (Annex III), Article 50 transparency obligations, and full national enforcement across all EU member states. This is the critical deadline.
AI in regulated products
AI embedded in medical devices, vehicles, and regulated machinery faces its own compliance deadline.
Who This Catches
- UK businesses with any customers in Ireland or mainland Europe
- B2B suppliers whose end clients serve EU customers
- Businesses processing data about EU citizens
- Any business planning EU expansion — build it now, not later
UK compliance. EU compliance. Or both.
Choose UK-only if you operate entirely within the UK. Choose UK + EU if you trade with Europe now or plan to.
UK Compliance Frameworks
Foundation Framework
- Acceptable Use Policy
- Data Classification Matrix
- GDPR Compliance Position (up to 5 AI tools)
- Employee Guidelines + Acknowledgement Forms
Turnaround: 7–10 working days · Valid for 12 months
Annual policy refresh available at £297 to keep pace with evolving regulation.
Full Compliance Framework
- Everything in Foundation Framework
- AI Risk Register (populated for your current tools)
- Incident Response Procedure
- Staff briefing session (60 min, remote)
- 12-month policy review reminder
Turnaround: 7–10 working days · Valid for 12 months
Annual reassessment + update available at £497 — required for ongoing regulatory alignment.
Best for: regulated businesses (FCA, SRA, ICO), businesses with 10+ employees, any business handling significant client data.
Managed Compliance
6-month minimum term, then rolling monthly with 30 days' notice.
- Your compliance framework maintained as AI regulation evolves
- Quarterly review of tools, policies, and regulatory changes
- Annual full re-assessment included
- Unlimited tool additions and policy changes covered
- Priority response if you receive an ICO enquiry or data subject request
- New legislation updates applied as standard
Best for: businesses that want zero compliance risk, ongoing, without thinking about it.
EU AI Act Coverage
For UK businesses trading with Ireland or mainland Europe. Full enforcement hits August 2026 — 4 months away.
- EU AI Act risk tier classification for all AI tools in use
- Gap analysis against Annex III high-risk obligations
- Article 50 transparency requirements assessment
- Documented EU compliance position
- Supply chain risk review
Turnaround: 10–14 working days
Best for: businesses already actively trading with EU clients who need standalone EU compliance.
- Everything in Full Compliance Framework (UK)
- EU AI Act risk classification + Annex III gap analysis
- Article 50 transparency obligations
- Cross-border data governance documentation
- Supply chain compliance review
- Staff briefing covering both UK and EU obligations
- Saves £400 versus purchasing separately
Turnaround: 10–14 working days · Valid for 12 months
Best for: any business operating across UK and EU markets — the most comprehensive option available.
EU Extension
- For existing Ops Intel UK Full Compliance clients only
- Upgrades your existing framework to cover EU AI Act
- No duplication of work already completed
- EU risk classification + Article 50 compliance
- Updated documentation covering both jurisdictions
Turnaround: 7–10 working days
Best for: existing clients expanding into EU trading. Contact us to confirm eligibility.
Enquire — £900
Managed EU Compliance Add-on
Added to any UK Managed Compliance plan. Covers ongoing EU AI Act monitoring as August 2026 enforcement beds in, quarterly reviews, and proactive updates as member states publish national enforcement guidance.
Four steps to a complete framework.
Audit
We inventory your current AI tools and data flows — what's being used, by whom, and what data is involved.
Draft
We write every document, customised to your business — policy, data matrix, GDPR position, risk register, incident procedure.
Brief
We walk your team through everything — plain-English guidelines, acknowledgement forms signed and filed.
Maintain
Annual review, tool additions, policy updates — keeping your framework current as AI evolves.
Quick answers.
Do we need a framework or just a policy?
Depends on size and sector. For a 2-person business using ChatGPT occasionally: a policy is probably enough. For a solicitors' firm with 8 staff using multiple AI tools with client data every day: the full framework is appropriate. We'll tell you honestly on the call.
Can this be used if the ICO investigates us?
Yes. One purpose of the framework is to demonstrate due diligence. If the ICO investigates a data incident, having documented policies, training records, and a risk register is material evidence of responsible data handling.
How often does it need updating?
The AI landscape changes fast. We recommend reviewing your policy and risk register every 12 months minimum, or whenever you adopt a significant new AI tool. The Managed Compliance add-on handles this automatically.
We're UK-only right now — do we need EU coverage?
If you have no clients, suppliers, or data subjects in EU member states (including Ireland), the UK framework is sufficient for now. However, if there's any chance you'll expand into EU markets in the next 12–24 months, building EU compliance in from the start is significantly cheaper than retrofitting it later. The EU Extension at £900 is available to existing UK Full Compliance clients when you're ready to make that move.
Does the EU AI Act really apply to a small UK business?
Yes — if your AI systems produce outputs used inside the EU. The Act's extraterritorial scope is explicit. A UK solicitor with one Irish client using AI to assist with their work is in scope. A UK marketing agency with one EU-based client is in scope. The fines are proportional for SMEs, but proportional is not zero — and the reputational risk of an enforcement action is the same regardless of company size.
Is this legal advice?
No. Our compliance frameworks are general compliance guidance documents and do not constitute legal advice. Ops Intel is not a law firm and is not authorised by the Solicitors Regulation Authority or Financial Conduct Authority. We recommend seeking independent legal advice for specific regulatory questions relating to your circumstances. Our frameworks are designed to demonstrate due diligence and reasonable steps — the standard most regulators apply when assessing SME compliance.
Don't wait for an incident to get compliant.
Book a 30-minute call. We'll assess what your business actually needs and give you a clear quote.
Book a Free Compliance Call
Free 30-minute call · Written quote before work starts · Delivered within 2 weeks · UK-based team