AI Policy

Your team is using AI tools.
Do you have a policy for it?

If the answer is no — or "I'm not sure" — you're not alone. Most UK small businesses are using AI tools every day without any defined rules, GDPR position, or employee guidelines. That's a compliance gap.

The Basics

An AI policy tells your team what they can and can't do with AI tools.

It's a document — usually 3–8 pages — that defines the rules for using AI in your business. It doesn't stop your team using AI. It stops them using it dangerously.

Approved tools

Which AI tools are permitted. Which aren't. Why.

Data rules

What can and cannot be put into an AI tool. Client data, financial data, personal data — each has different rules.

Output rules

AI output must be reviewed by a human before use. No AI-generated content published without checking.

GDPR position

Is the AI tool a data processor under UK GDPR? Has a Data Processing Agreement been signed?

Employee responsibility

Who is accountable when something goes wrong. Spoiler: it's not the AI.

Review schedule

AI moves fast. The policy needs updating. Who does that, and when?

What Happens Without One

The consequences of having no AI policy aren't theoretical. They're happening now.

01

GDPR fines

An employee puts client names, addresses, and financial details into ChatGPT. That's a personal data breach under UK GDPR. The ICO can fine up to £17.5 million or 4% of global turnover — whichever is higher.

02

Professional conduct

Solicitors, accountants, and financial advisers have professional obligations around client confidentiality. Using AI tools with client data without a policy — and without client consent — may breach SRA, ICAEW, or FCA rules.

03

Data used for AI training

Some AI tools use your inputs to train their models. Without a policy, your client data, commercial secrets, or proprietary processes could end up in someone else's AI system.

04

Employment disputes

Using AI to inform decisions about employees — performance reviews, redundancy selection — without disclosure is a legal risk. Employment tribunals are already seeing these cases.

05

Reputational damage

Your clients trust you with their data. If it came out that their information had been processed by a third-party AI tool without their knowledge, how would that conversation go?

06

IP and copyright issues

AI-generated content may not be protected by copyright. If you're using AI to create content or materials for clients, there are ownership questions that need answering.

Is this you?

If any of these apply to your business, you need an AI policy.

  • Your team uses ChatGPT, Copilot, Gemini, or any AI writing or productivity tool
  • You handle client personal data (names, addresses, financials, health information)
  • You're in a regulated sector (legal, financial services, healthcare, education, property)
  • You use AI to generate client-facing content, proposals, or advice
  • You've never asked "where does our data go when we use these tools?"
  • You don't have a written policy for how employees use AI

Options

Three ways to get this sorted.

AI Policy Document
£197 one-off
  • Customised AI Acceptable Use Policy (3–5 pages)
  • Plain-English employee summary (1 page)
  • Covers: approved tools, data rules, output rules, employee responsibility
  • Delivered as PDF and editable Word document

Turnaround: 3–5 working days

AI Compliance Review
£497 one-off
  • Everything in AI Policy Pack
  • Full audit of current AI tool usage in your business
  • GDPR risk assessment for each tool
  • AI risk register (ongoing record of tools, risks, mitigations)
  • Recommendations report

Best for: regulated businesses (legal, financial, healthcare) or businesses with 10+ employees

Questions

Quick answers.

Do small businesses really need an AI policy?

Yes. If you handle personal data and use AI tools, UK GDPR applies. The ICO has published specific guidance on AI and data protection. "We're small" is not a defence.

How long does it take?

The AI Policy Document takes 3–5 working days. The full AI Compliance Review takes 7–10 days. We ask you to complete a short questionnaire about which tools your team uses so we can customise everything.

What if our tools change?

The policy includes a review schedule. If you take the Compliance Review, we'll recommend reviewing annually or whenever you add a significant new AI tool. We can handle that review for you.

Is this legal advice?

No. We produce policy documents and compliance guidance, not legal advice. For specific legal questions we recommend speaking with a solicitor. We can refer you to one if needed.

Get your AI policy sorted this week.

Book a 30-minute call. We'll confirm what your business needs and have your documents ready within the week.