A founder I spoke to recently discovered that three members of their team had been using ChatGPT to draft client reports for the better part of a year. Nobody had asked. Nobody had checked what data was going in. One of those reports contained a client’s financial projections. The founder wasn’t angry about the AI use. They were unsettled by the realisation that if anything had gone wrong, there would be no policy to point to, no training record, and no way to show the ICO that they had taken reasonable steps.
That’s the situation a lot of owner-managed businesses are in right now.
What is a simple employee AI policy?
An employee AI policy is a short written document that sets out which AI tools your staff can use, for which tasks, and what they must never put into them. For a small services firm, it doesn’t need to be a legal treatise. A clear two-to-three page document, written in plain English, with a named owner and a review date, is enough.
The document covers three main areas: the approved tools, naming the exact products and subscription tiers in use; the acceptable and prohibited uses, with specific examples; and the data-protection obligations staff must follow when working with AI. Some firms add a section on human oversight and one on breach reporting. Both are worth including. The ICO’s guidance on AI policies and procedures emphasises that organisations should document roles, escalation paths, and responsibilities from concept to deployment, not just headline rules.
For a 5-50 person services firm, eight natural sections tend to cover the ground: purpose and scope, approved tools list, acceptable use, prohibited uses, data protection and confidentiality, human oversight and accountability, transparency with clients and staff, and a training and review schedule. Each section needs only a few short paragraphs. The whole document should fit comfortably on two or three printed pages.
Why does your business need one now?
Research cited in the ICO’s AI guidance found that 71% of UK employees use generative AI tools at work without formal approval, and 22% have used them for finance tasks including budgeting and invoicing. When staff make data decisions without guidance in place, the consequences fall on the business owner, not the employee.
The regulatory picture has shifted. The UK’s Data (Use and Access) Act 2025 tightens rules around automated decision-making and data access, specifically in contexts where AI influences outcomes for individuals. The ICO has been consistent that UK GDPR accountability obligations do not disappear because an AI tool sits between you and a data subject. If a client’s information ends up in an unprotected third-party system because a staff member didn’t know they weren’t supposed to paste it there, that’s a potential personal data breach regardless of intent.
A survey by the Chartered Institute of Internal Auditors found that 47% of UK businesses either used or planned to use AI in decision-making, but only 28% had formal AI governance frameworks. That gap is where the risk lives. The Chartered Institute of Personnel and Development has recommended since 2023 that UK employers adopt clear AI policies covering purpose, acceptable use, transparency with staff, and safeguards around automated decision-making.
Cyber insurers have started paying attention too. Some UK cyber insurance policies now ask about generative AI controls, including staff policies, at renewal. A written policy is no longer just good practice. For a growing number of firms, it’s part of the risk profile that determines their coverage.
Where should your policy actually focus?
The most common mistake is writing a policy that sounds thorough but doesn’t name anything specific. Generic rules that don’t specify which tools are approved, which data categories are off-limits, or who is accountable are difficult to enforce and, as the ICO has consistently noted, do not meet the standard for clear, actionable internal procedures that UK GDPR accountability obligations require.
The prohibited-uses section is where the practical risk management happens. It should explicitly ban staff from entering personally identifiable information, HR records, financial data, confidential client documents, or source code into any public or free-tier AI tool. UK IT providers who have published AI policies for SMEs are consistent on this point: the free consumer version of any AI tool is not the right environment for company data, because data-protection controls and tenant isolation are substantially weaker than enterprise equivalents.
The approved tools section needs to be equally specific. “Enterprise tools only” is not enough. The policy should name the exact products and subscription tiers in use. Microsoft 365 Copilot within a controlled tenant is a different data-handling environment from a free ChatGPT account. The distinction matters under UK GDPR, and staff cannot be expected to know it unless the policy states it plainly.
Human oversight deserves its own section. The ICO has been consistent that organisations must be able to explain AI-assisted decisions that significantly affect individuals, including in recruitment, credit, and HR contexts. A clear statement that managers are accountable for every decision, with AI serving only as an assistant, is a solid starting point. Any automated scoring or triage process should have a named reviewer and a documented correction route.
When is a blanket ban not the right move?
A very small business that uses AI only for genuinely generic internal tasks, with no client or personal data involved, carries lower immediate regulatory risk than one whose team regularly uses AI on client work or finance processes. The ICO acknowledges that proportionality applies, and a micro-business with minimal AI use and strong existing data-handling habits may not need a standalone policy immediately.
Blanket bans tend to backfire. With 71% of UK staff already using AI informally, prohibiting all AI use without offering an approved alternative frequently pushes usage underground rather than reducing risk. The ICO and CIPD both emphasise governance and accountability as the right frame, not prohibition. A policy that says “no AI” without explaining what staff can use instead is likely to produce less safe behaviour, not more.
The EU AI Act is worth a mention if your firm serves EU customers or processes applications from EU candidates. Formally adopted in March 2024, it imposes specific requirements on high-risk AI uses including AI-based recruitment screening, credit scoring, and some HR analytics. UK firms are not subject to EU law directly, but those with EU-facing services will need to meet these standards on the European side of their work.
What else connects to your AI policy?
Your AI policy works best when it sits inside your broader data-protection framework and explicitly references your existing data-protection policy and UK GDPR obligations, specifically lawfulness, data minimisation, and security. The NCSC has published guidance on security outcomes for AI systems, stressing that organisations remain responsible for data protection when using third-party AI tools, including controlling what data staff submit through prompts.
The UK government’s 2023 AI White Paper set out five core principles for responsible AI use: safety, transparency, fairness, accountability, and contestability. A well-structured AI policy for a small business addresses all five in plain language, without needing to cite the White Paper explicitly. The connection matters if a client, insurer, or auditor asks whether your firm’s approach aligns with UK regulatory expectations.
Review cycles are worth scheduling in the document itself. The ICO has signalled further guidance on automated decision-making. The Data (Use and Access) Act 2025 is still working through its implementation phase. A policy written today will need a review in six to twelve months. A named review owner and a calendar reminder take two minutes to add and protect you against the policy quietly becoming out of date.
If you’d like help thinking through what a first version would look like for your firm, that’s a conversation worth having. Book a conversation.