Compliance · 16 January 2026

A one-page AI policy template for North Wales SMEs

Every business using AI should have a written policy. For most SMEs, one side of A4 is enough. Here is a template you can adapt in an hour.

If your team uses AI tools, you should have a written policy. Even a one-page one. Not because the law requires it for every SME, but because the day someone pastes a client's personal data into a free ChatGPT account, the question "what was our policy?" gets asked, and the answer needs to exist.

The good news: a useful policy is short. Most North Wales SMEs do not need a 20-page document of legalese. They need one side of A4 that anyone can read in two minutes and act on.

Here is the template. Adapt it to your business in an afternoon.

Section 1: Why we have this policy

Two sentences. Something like: "We use AI tools to save time and improve our work. This policy sets out which tools are approved, what we use them for, and what must never go into them." That is enough.

Section 2: Approved tools

List the AI tools the business has approved. Be specific about the tier. Examples:

  • ChatGPT Plus or ChatGPT Team (paid only)
  • Claude Pro or Claude Team (paid only)
  • Microsoft Copilot for Microsoft 365 (paid only)
  • Google Gemini Business (paid only)

The reason for "paid only" is that paid business tiers contractually do not train on your data. Free tiers usually do, unless turned off in settings. The data privacy guide covers this in detail.

If staff want to use a tool not on the approved list, they ask first. That is the rule.

Section 3: What never goes into AI

The three categories that should never enter even an approved AI tool without specific clearance:

  1. Personal data covered by GDPR - client names with contact details, staff records, health or financial data, anything that identifies a real person. The exception: anonymised data, where names are replaced with placeholders before pasting.
  2. Confidential business information - draft strategy, draft tenders, trade secrets, anything that would damage the business if it leaked. Use a paid business tier with a Data Processing Agreement, or do not use AI at all.
  3. Anything covered by NDA - client work where the contract restricts third-party processors. Check the NDA. If unsure, ask.

Section 4: Always review the output

AI is not always right. It can hallucinate - confidently state incorrect information. The rule: anything an AI produces that is going to a client, a regulator, a court, or anywhere external must be read and edited by a human before it leaves the business.

Internal use - "summarise this for me", "draft a first version" - is lower-risk. External use has to meet a high bar.

Section 5: The human is responsible

AI is a tool. The person using it owns the output. If the AI produces a wrong number in a quote, "the AI did it" is not an acceptable explanation to the client. The same is true of legal advice, tax advice, design specs and everything else.

Add a single sentence to the policy: "Anyone using an AI tool is responsible for what comes out of it. The tool is not."

Section 6: Who to ask

Name a person. Usually the business owner or operations manager. The line is: "If you are unsure whether something is OK to put into AI, ask [name] first. The rule is to ask before, not apologise after."

This single line prevents most of the AI policy problems I see in real businesses. People know who to ask, so they ask.

Adapting for regulated industries

If you are in financial services, healthcare, legal services or another regulated industry, your industry regulator may have specific AI guidance that goes beyond this template. The FCA, ICO, SRA and others have all published positions. The template above is a foundation. Specific industries need specific add-ons.

If you are in professional services in North Wales and want a hand drafting your version, that is the kind of work a discovery call can scope.

When to update the policy

Every six months as a minimum. AI tools change quickly. New approved tools, retired old ones, updated training opt-out settings - all need to be reflected. Diary it.

And if a staff member spots something that does not fit the policy, treat that as feedback rather than a violation. The policy exists to be useful. If it is unclear, fix the policy.

The honest scope

This template will not satisfy a sophisticated regulator on its own. It will protect a small North Wales business from the most common AI-policy failures: untrained staff using free consumer tools for sensitive work, no human review of AI output, no clear accountability when something goes wrong.

For most SMEs, that is the bar that matters. If you would like to walk through your specific situation, the third session of the AI Breakfast Club covers governance and policies in detail.

Written by Gary Cheers, AI consultant and trainer at northwales.ai.