Does my small business need an AI policy?
Yes, and one page is enough. Your staff are already using AI, with or without your blessing, and the real risk is customer data pasted into personal accounts. Write down which tools are approved, what must never go into them, who checks output, and who to ask. An afternoon's work that closes your biggest gap.
Last updated 11 June 2026
The word "policy" makes this sound like a corporate exercise: a twelve-page document, a consultant, an annual review meeting nobody attends. Forget all of that. For a small business, an AI policy is one page that answers the questions your staff are already answering for themselves, mostly without telling you.
Because that is the situation, whether or not you have looked: AI use in workplaces is widespread and largely unannounced. Someone in your business is already pasting things into ChatGPT, on their own account, possibly on their own phone, to get through the workload faster. Their instinct is good. Their judgement about what is safe to paste is untrained, because nobody has trained it. The risk is not the eager employee; it is the silence around them.
What actually goes wrong
Not robot uprisings. Mundane leaks and unchecked errors. A customer list pasted in to "draft some follow-up emails", on a personal account where the data may be retained or used for training, which is a UK GDPR problem you cannot see and cannot undo. Quotes, contracts or staff issues fed into free tools with the default settings. An AI-drafted answer to a customer, sent unchecked, containing a confident invention, which becomes your error the moment it ships. Every one of these is preventable with rules that fit on a page.
A ban does not prevent them. A ban moves the same behaviour onto personal phones, where you have no visibility and no settings control, and it throws away real productivity to do it. The choice is not between AI use and no AI use; it is between AI use you can see and AI use you cannot.
The one-page version
Five short sections, written in your own plain English:
- Approved tools and accounts. Which tools, on whose account. A shared or business tier matters: the business versions generally keep your data out of model training by default. Pay the £20 rather than have staff improvise on free personal accounts.
- What never goes in. Customer names and contact details, staff information, financials, anything a client sent you in confidence. One sentence covers most of it: "if you would not email it to a stranger, do not paste it into AI". Our answer on customer data in ChatGPT covers the why.
- The checking rule. AI drafts, humans approve. Nothing AI-written reaches a customer, a contract or a published page unread. Facts and numbers get verified.
- Disclosure. Where you do and do not tell customers AI is involved; see our answer to "Do I have to tell customers?".
- Who to ask. One named person for "is this OK?", so the question gets asked out loud instead of settled silently at someone's desk.
Then spend twenty minutes at a team meeting walking through it, with examples of what is encouraged, because half the point is permission: the policy that only forbids teaches people to hide.
I would rather every client of mine had this one page than another tool subscription. It costs an afternoon, it makes the ICO's expectations on AI and personal data survivable for a firm with no compliance team, and it converts the AI use already happening in your business from a quiet liability into a stated capability.
Answered by Dean Cookson, Founder and CEO at Operosus.