
How to Write an AI Policy for Your Business

When teams use AI, they need clear guidelines. Here's a balanced template you can use right away, whether you're 3 or 300 people.

Daniel Dahlén


February 4, 2026 • Updated May 27, 2026

"Can we use ChatGPT at work?"

The question comes up more and more often. And the answer is usually... silence. Or a nervous "don't know."

If you run a business and don't have clear guidelines for AI use, you have a problem. Not because AI is dangerous in itself. But because people are using it anyway, and without guidance, dumb things happen.

This guide helps you write an AI policy that works. Not one that nobody reads. Not one that bans everything. One that actually gives your team clear answers.

Why You Need a Policy (Even If You're Three People)

"We're a small company, do we really need a policy?"

Yes. Here's why.

People are already using AI. If you haven't given guidelines, they're guessing. And guesses lead to mistakes.

Customer data leaves your control. Someone pastes a customer email into ChatGPT to write a response. Now that information is processed by an external provider. Was that okay?

Legal liability is on you. If something goes wrong, it's the company that's responsible, not the employee who "didn't know."

Clarity reduces uncertainty. Instead of people wondering what's okay, they have a document to check.

It's about clarity, not control

A good AI policy doesn't ban usage. It makes clear what's okay, what requires thought, and what's forbidden. The point is that people should be able to use AI safely.

What Actually Happens When You Share Data with AI?

Before we dive into the policy, we need to understand what actually happens technically and legally when someone pastes information into ChatGPT or Claude.

You're Transferring Data to a Third Party

Every time you type something into a cloud-based AI tool, it's normally sent to the provider's servers or cloud infrastructure (OpenAI, Anthropic, Google, etc.). Even if model training is disabled, your data still:

  • Travels over the internet to their servers
  • Gets processed by their systems
  • Sits in storage for a period that varies by provider, plan, and settings
  • Falls under their terms of service and privacy policy

What "Opt-Out of Training" Actually Means

Many people think opt-out means their data is private. That's not quite true.

| Aspect | Model training disabled | Model training not disabled |
| --- | --- | --- |
| Data sent to servers | Yes | Yes |
| Stored by provider | Yes (retention varies by plan) | Yes (retention varies by plan) |
| May be used for model training | Usually no, but check exceptions | Yes, or according to provider settings |
| May be reviewed or analyzed | Yes, e.g. for safety, support, or flagged content | Yes, e.g. for safety, support, or flagged content |
| You're sharing with a third party | Yes | Yes |

Opt-out is not the same as private. In practice, it usually means the content won't be used to improve the provider's general models. But the data is still processed by the provider, may be retained for a period, and may be subject to safety review, support workflows, and legal requirements. For GDPR, what matters is not just where the provider is headquartered, but whether personal data is transferred outside the EU/EEA and what safeguards are in place (e.g. EU-US Data Privacy Framework, Standard Contractual Clauses, and technical controls).

The GDPR Perspective

When you paste personal data into an AI tool, the following happens legally:

  1. You (the company) are typically the data controller for your usage
  2. The provider is often a data processor in business/enterprise setups where they process on your behalf and a DPA is in place. In consumer services, the provider may process for their own purposes, making the role distribution different
  3. You always need a legal basis. In a workplace context, consent is rarely a good option (hard to claim it's truly voluntary). Legitimate interest or contractual necessity is often more realistic. In many cases you should do a risk assessment (and where needed a DPIA) before inputting personal data
  4. You need a Data Processing Agreement (DPA) with the provider in cases where they act as processor

Free versions and personal paid plans often lack the contractual terms, DPAs, and admin controls that companies need. Prefer business plans such as ChatGPT Business/Enterprise or Claude Team/Enterprise when personal data or customer data may be involved.

Trade Secrets and NDAs

Trade secrets require that the holder has taken reasonable measures to keep the information confidential. If you share secret information via a consumer service without proper agreements and controls, that can undermine this requirement, which may threaten trade secret status. If you have NDAs with clients or partners, sharing their information could be a breach of contract, regardless of what the AI provider does with the data.

The EU AI Act

Beyond GDPR, the EU AI Act is being phased in gradually. AI literacy and prohibited AI practices have applied since February 2, 2025. Most rules and several transparency requirements start applying on August 2, 2026. After the EU's political agreement on the AI omnibus, some high-risk requirements move later, including December 2, 2027 for certain high-risk areas and August 2, 2028 for high-risk AI embedded in regulated products.

The key things to know:

  • AI literacy: Organizations using AI systems should, to the best extent possible, ensure staff have sufficient competence for how the systems are used. This is already a requirement.
  • Prohibited uses: Certain types of AI use are banned, e.g. social scoring and some forms of manipulation.
  • High-risk systems: If you use AI in contexts like HR recruitment, credit scoring, or similar, you may be subject to additional requirements for risk management, transparency, and documentation. Check the category and timeline before building AI into those processes.

What does this mean in practice?

For most companies using ChatGPT and Claude as productivity tools, the requirements are manageable. But it's good to be aware of the rules, especially if you use AI in decisions that directly affect people.

Personal Accounts vs Business Accounts

This is a crucial distinction that many miss.

What You Get with Personal Accounts

  • Basic functionality
  • Terms usually written for the individual, not the company
  • Often no DPA for the company's processing of personal data
  • Limited admin control, offboarding, and central policy enforcement
  • Model training and retention settings that vary by provider and plan

What You Get with Business Accounts

ChatGPT Business/Enterprise and Claude Team/Enterprise:

  • No model training on workspace or customer data by default under business terms
  • Data Processing Agreement (DPA) through business terms or contract
  • Security and compliance documentation, e.g. SOC 2
  • Admin control over users
  • Identity and access controls such as SSO, SCIM, or domain management depending on plan
  • Retention, audit logs, and support levels that vary between Business, Team, and Enterprise

Price Comparison (approximate prices, subject to change)

| Tool | Official price level* | Best for |
| --- | --- | --- |
| ChatGPT Free | $0 | Personal use |
| ChatGPT Plus | $20/month | Individual professionals |
| ChatGPT Business | $20/user/month billed annually, $25 monthly (currency varies) | Teams (minimum 2 users) |
| Claude Free | $0 | Personal use |
| Claude Pro | $20/month | Individual professionals |
| Claude Team Standard | $20/user/month billed annually, $25 monthly | Teams (minimum 5 users) |

*Excluding VAT/tax where applicable. Prices, currencies, and features change often, so always check the provider's current pricing page before writing procurement material.

Recommendation

For companies with employees: use business versions when AI is used at work. The cost is low compared to the risk of missing contracts, admin control, offboarding, and data protection routines. But the plan itself does not give you a GDPR legal basis. It only makes it easier to meet your own obligations.

The Three Questions Your Policy Must Answer

Forget long legal texts. Your policy needs to answer three questions:

1. Which AI Tools Can We Use?

List approved tools explicitly:

  • ChatGPT (via company account or personal?)
  • Claude
  • Microsoft Copilot
  • Google Gemini
  • Industry-specific tools

Be clear about whether personal free accounts are okay or if you require business versions.

2. What Can We Share with AI Tools?

This is the core question. Categorize information:

Green (okay to share):

  • Public information
  • Generic questions without company-specific data
  • Information that's already on your website

Yellow (think first):

  • Internal material that isn't secret
  • Drafts and ideas
  • Aggregated data without personal information

Red (do not share without a specifically approved process):

  • Personal data (customer info, social security numbers, health information)
  • Passwords and login credentials
  • Confidential agreements
  • Non-public financial information
  • Trade secrets

3. Who Is Responsible for What?

Clarify responsibility:

  • Every employee is responsible for following the policy
  • Managers are responsible for their team knowing the policy
  • A named person (or function) owns questions and updates

Checklist: What Can Be Shared?

Here's a practical checklist for everyday decisions:

Before pasting something into an AI tool, ask yourself:

☐ Does this contain personal data? (names + context, email addresses, phone numbers)
☐ Would the customer be uncomfortable if they knew I shared this?
☐ Is this information competitors shouldn't have?
☐ Is there an NDA or agreement covering this information?
☐ Is this something that should only exist internally?

If you answer yes to any question: Either remove the sensitive information first, or don't share.

GDPR and personal data

If you paste personal data into ChatGPT or Claude, you're processing personal data with a third party. You always need a legal basis, and in a workplace context consent is rarely a good option (hard to claim it's truly voluntary). Legitimate interest or contractual necessity is often more realistic. In practice: anonymize or remove personal data before using AI tools.

Template: Copyable AI Policy

Here's a template you can customize. It's intentionally short so people actually read it.


[Company Name] AI Policy

Version: 1.0
Date: [Date]
Owner: [Name/role]

Purpose

This policy provides guidelines for responsible use of AI tools at work. The goal is to benefit from AI while protecting customer data and trade secrets.

Approved Tools

The following AI tools are approved for work-related use:

  • [List your approved tools]

Other tools may be used after approval from [responsible person].

What Can Be Shared with AI Tools

Okay to share:

  • Public information
  • Generic questions without customer data
  • Own texts and drafts (without sensitive info)

Requires thought (remove sensitive info first):

  • Internal material
  • Business ideas and strategies

Forbidden to share:

  • Personal data (customer names, contact info, etc.)
  • Passwords and login credentials
  • Confidential agreements and documents
  • Financial information that isn't public

Responsibility

  • Every employee is responsible for following this policy
  • When uncertain, ask [responsible person]
  • AI-generated content should always be reviewed before external use

Violations

Violations of this policy are handled according to [your normal procedure].


Copy, customize, use.

How to Optimize Your Company's AI Setup

A policy is good, but the right technical setup makes it easier to follow. Here's a practical guide.

Step 1: Choose the Right Tools and Plan

For teams of 2-20 people:

  • ChatGPT Business or Claude Team
  • One admin who manages accounts
  • Shared guidelines for everyone

For larger organizations (20+):

  • ChatGPT Enterprise or Claude Enterprise
  • SSO integration with your identity provider
  • Centralized administration and logging

Step 2: Configure Correctly

  1. Create a company account (not individual paid plans)
  2. Invite users via the admin panel
  3. Verify that a DPA is in place through business terms or a separate agreement
  4. Turn off optional data sharing settings if you want to be extra careful

Step 3: Implement Technical Guardrails

Option A: Trust policy + training

  • Works for most small companies
  • Requires people to follow the guidelines

Option B: Use API + custom application

  • Build an internal tool that filters sensitive data
  • More control, but requires technical expertise

Option C: Specialized enterprise solutions

  • Tools like Microsoft 365 Copilot process customer data within the Microsoft 365 service boundary and follow the user's existing permissions
  • More expensive but higher control
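Option B above and the earlier checklist rule ("remove the sensitive information first, or don't share") can be turned into a gate that sits in front of the API call. The following is an added example in Python; it is not code from the article, from OpenAI or from Anthropic. The pattern list, the nine-digit minimum for phone numbers, the placeholder key and the `provider_call` callback are assumptions. It catches the pattern-shaped items in the red category (contact details, national ID and account numbers, credentials); names and free-text context still need a human to apply the checklist, which is why the result is logged and shown to the user rather than silently forwarded.

```python
"""Pre-submission filter for prompts sent to an external AI provider.

Added example (not the article's or any provider's code). Scans text for
patterns the policy marks "red", redacts personal data and refuses to forward
credentials at all. Patterns are assumptions, not a complete PII detector:
names and contextual personal data are NOT detected and remain the user's call.
"""
import re
from dataclasses import dataclass, field

# (label, pattern, action). SSN/IBAN run before PHONE so digit strings are
# labelled by the more specific pattern first. "block" means the whole prompt
# is refused: a credential is never forwarded, not even in redacted form.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "redact"),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),          # US-style, assumption
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"), "redact"),
    ("PHONE", re.compile(r"\+?\d[\d\s()-]{6,}\d"), "redact"),         # validated by digit count below
    ("CREDENTIAL", re.compile(r"(?i)\b(?:password|passwd|api[_ -]?key|secret|token)\s*[:=]\s*\S+"), "block"),
    ("BEARER", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"), "block"),
]

MIN_PHONE_DIGITS = 9  # assumption: avoids treating dates and invoice numbers as phone numbers


@dataclass
class FilterResult:
    text: str                       # redacted text, or "" when blocked
    findings: list = field(default_factory=list)  # (label, matched text) pairs
    verdict: str = "allow"          # allow | redacted | block


def _digits(s: str) -> int:
    return sum(ch.isdigit() for ch in s)


def screen_prompt(text: str) -> FilterResult:
    """Apply every pattern in order; return redacted text plus a verdict."""
    findings = []
    verdict = "allow"
    for label, pattern, action in PATTERNS:
        def replace(m, label=label):
            hit = m.group(0)
            if label == "PHONE" and _digits(hit) < MIN_PHONE_DIGITS:
                return hit                      # too short to be a phone number, keep as is
            findings.append((label, hit))
            return f"[{label} REDACTED]"
        new_text = pattern.sub(replace, text)
        if new_text != text:
            text = new_text
            if action == "block":
                verdict = "block"
            elif verdict == "allow":
                verdict = "redacted"
    if verdict == "block":
        return FilterResult("", findings, "block")
    return FilterResult(text, findings, verdict)


def audit_line(result: FilterResult) -> str:
    """Local audit record: counts per label only, never the redacted values."""
    counts = {}
    for label, _ in result.findings:
        counts[label] = counts.get(label, 0) + 1
    summary = ",".join(f"{k}={v}" for k, v in sorted(counts.items()))
    return f"verdict={result.verdict} findings={summary or 'none'}"


def gated_call(text: str, provider_call):
    """Only screened text reaches provider_call (assumed callable taking a str)."""
    result = screen_prompt(text)
    if result.verdict == "block":
        raise PermissionError("prompt contains credentials; refused by policy filter")
    return provider_call(result.text), result


# Constructed sample input; the key is an obvious placeholder, not a real secret.
SAMPLE = ("Summarize this: Anna Svensson (anna.svensson@example.com, +46 70 123 45 67) "
          "asked about invoice 4711.")
SAMPLE_BLOCKED = "Use api_key=sk-test-0000 to call it"

if __name__ == "__main__":
    res = screen_prompt(SAMPLE)
    print(res.text)
    print(audit_line(res))
    try:
        gated_call(SAMPLE_BLOCKED, lambda t: t)
    except PermissionError as exc:
        print("blocked:", exc)
```

In the sample, the email and phone number are replaced with placeholders while the name survives, which is exactly the gap the checklist is there to cover; the audit line records that two items were redacted without storing what they were, so the log itself does not become a second copy of the customer data.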

Step 4: Create Templates and Custom Instructions

Help your team use AI effectively:

  • Custom Instructions in ChatGPT to define context and tone
  • Projects in Claude to gather relevant information
  • Internal prompt templates for common tasks

This reduces the risk of people needing to share sensitive context every time.

Checklist for Optimal Setup

☐ Business account with DPA in place
☐ All users invited via admin (no personal accounts)
☐ No model training on workspace data under the business terms verified
☐ Policy documented and communicated
☐ Training completed
☐ Responsible person designated for questions
☐ Calendar reminder set for semi-annual review

How to Implement the Policy (Without People Ignoring It)

A policy nobody reads is worthless. Here's how to make it real:

1. Keep It Short

One page. Two max. Nobody reads ten pages.

2. Explain Why

"We want you to be able to use AI. This policy exists to make that safe." Not "You must follow the rules."

3. Go Through It in a Meeting

Don't just send an email. Take 15 minutes at the next meeting. Answer questions.

4. Make It Accessible

Put it where people actually find it. Not in a folder nobody opens.

5. Give Concrete Examples

"If you want to summarize a customer meeting, remove the customer's name and company first." Concrete beats abstract.

6. Update Regularly

The AI landscape changes fast. Plan to review the policy every six months.

Start with dialogue

Before writing the policy, ask your team: How are you using AI today? What feels uncertain? Their answers help you write a policy that addresses real questions.

TLDR

  1. You need an AI policy even if you're a small team. People are using AI anyway.
  2. Opt-out ≠ private. Your data may still be sent, processed, and stored. It normally should not be used for model training.
  3. Business accounts matter. They provide better contracts, admin control, and data protection, but the legal basis is still your responsibility.
  4. Three questions to answer: Which tools? What can be shared? Who's responsible?
  5. Green/yellow/red for categorizing information makes it easy to understand.
  6. Implement it properly. Go through it in a meeting, give examples, update semi-annually.

A good policy doesn't ban AI. It makes it possible to use it safely and with better legal control. An AI policy is part of a broader AI strategy that helps your business use AI the right way.

Frequently Asked Questions

Is opt-out enough to protect our data?

No. Opt-out usually only means your data is not used for model training. It may still be sent to the provider's servers, processed, stored, and subject to their terms. Retention varies by provider, plan, and settings. For personal data in a business context, you normally need business accounts with DPA and admin control.

Do we need business accounts or are free versions enough?

Legally speaking: free versions and personal paid plans often lack DPA and admin controls. When the provider processes personal data as your processor, you need an agreement under GDPR. For companies with employees, business versions are therefore recommended.

What happens if an employee accidentally shares customer data?

The company is normally responsible for the processing, not the individual employee. That's why a clear policy is important: it documents that you had guidelines, and it reduces the risk of it happening. If there is a personal data breach that is likely to create risk for people, you may need to report it to your data protection authority within 72 hours after becoming aware of it.

Is it safe to use AI for sensitive industries (healthcare, legal, finance)?

It depends on how you set it up. Regulated industries often have additional requirements (patient data privacy, attorney-client privilege, financial regulations). Use enterprise solutions with higher security, clear contracts, and approved processes. Do not share protected information unless you have first checked legal basis, contracts, permissions, and security requirements.

How often should we update our AI policy?

Every six months at minimum. The AI landscape, tools, and legislation change quickly. Set a recurring reminder in your calendar.

