AI Governance 9 May 2026

What UK SMEs need in an AI policy

AI policies aren't just for large corporations. Here's what a practical, proportionate AI policy looks like for a small or medium-sized business in the UK — and why having one matters more than you might think.


If you run a small business and your team is already using ChatGPT, Copilot or any other AI tool — even informally — you probably need an AI policy. Not a 40-page legal document, but a clear, written agreement about how AI gets used in your business, what it can and can't be used for, and who's responsible when things go wrong.

This article explains what a practical AI policy should include, written for business owners rather than legal teams.

Why an AI policy matters for SMEs

Most small businesses assume AI policies are something only big companies need. That's changing fast.

If an employee uses an AI tool to draft a client email and it contains inaccurate information, who is responsible? If someone pastes customer data into ChatGPT to summarise a complaint, has your business just breached GDPR? If a staff member uses AI to produce a report that's presented to a client as their own work, is that a problem?

These aren't hypothetical edge cases — they're questions UK businesses are already navigating. Having a clear policy means your team knows the answers before something goes wrong, not after.

What a proportionate AI policy should cover

You don't need a lengthy document. For most SMEs, a single-page policy covering the following areas is enough to get started.

1. Acceptable use

Be clear about what AI tools staff are allowed to use and for what purposes. You might allow general tools like ChatGPT or Copilot for internal tasks like drafting, summarising and research, while restricting their use for anything that involves sensitive client data or financial decisions.

A simple rule of thumb: if you wouldn't be comfortable with the output being published under your business name without a human review, it shouldn't be submitted without one.

2. Data handling

This is the most important section for GDPR compliance. Staff should understand that free AI tools typically use your inputs to improve their models unless you opt out or use a paid enterprise plan with stronger data protections.

Your policy should specify:

  • What types of data should never be entered into AI tools (customer names, financial data, personal information)
  • Which tools have been approved by the business and why
  • What to do if someone is unsure whether sharing something is appropriate

3. Accuracy and human review

AI tools make mistakes. They hallucinate facts, misunderstand context, and produce confident-sounding errors. Your policy should make clear that AI-generated content must always be reviewed by a human before it's used externally — whether that's a client email, a quote, a proposal or anything published on your website.

4. Intellectual property

Content generated with AI sits in a legal grey area in the UK. Your policy should acknowledge this and set expectations: staff should not rely solely on AI-generated content where originality matters, and should understand that AI outputs may not be protected by copyright.

5. Transparency

Decide whether your business will disclose when AI has been used to produce client-facing content. There is no single right answer, but having a consistent position avoids awkward conversations later.

What you don't need

You don't need to ban AI. Blanket bans are largely unenforceable and put you at a competitive disadvantage — staff will use these tools anyway, just without any guidance about how to do so safely.

You also don't need to address every possible AI scenario. Focus on the tools your team is actually using today and the risks most relevant to your business.

A starting point

If you haven't written anything yet, start with a short paragraph for each of the five areas above. Share it with your team, discuss it together, and review it every six months as the tools and regulations evolve.

If you'd like support putting together an AI policy that's practical and proportionate for your business, or if you want guidance on the governance side of AI adoption more broadly, that's exactly what we help with.


Orchestrate Digital provides AI governance and policy support to SMEs across North East England, North Yorkshire and Cumbria. Get in touch to discuss what's right for your business.
