Three Rules for AI at Work That Actually Matter

Over the past few years, a familiar pattern has played out. Cloud storage arrived and companies spent months chasing down files left sitting open on the internet. Staff started using their own phones for work, and sensitive documents started walking out the door. Remote access got switched on during the pandemic with no thought given to how it was configured.

Now it’s AI’s turn.

According to the UK Government’s Cyber Security Breaches Survey, around 31% of UK businesses are using AI tools or actively moving towards them. Of that group, only 24% have any documented process for managing the security risks. That means roughly three-quarters are making it up as they go.

What staff are actually doing

Nobody does this with bad intentions. But when there are no house rules, this is what happens:

• Spreadsheets with supplier bank details get pasted into ChatGPT to tidy up the formatting
• Confidential tender documents go into an AI tool to help draft a response, taking your pricing and margins along for the ride
• Job applications with home addresses and employment histories get fed into an AI hiring tool without a second thought Under UK GDPR, your business is responsible for how personal data is processed, regardless of which tool it ends up in. When staff paste customer names, addresses, or financial details into an unvetted third-party AI service, that data has left your control. The ICO’s guidance on AI and data protection is clear that organisations must have appropriate safeguards in place. If something goes wrong and the ICO comes asking questions, the first thing they’ll want to see is whether you had a documented policy. For most businesses right now, the answer is no.

Three rules. That’s genuinely all you need.

You don’t need a governance framework. You need three sentences on a page that every member of staff has read:

1. Don’t paste customer personal data into any AI tool without explicit approval. Names, addresses, email addresses, phone numbers, financial details, health information. Full stop.
2. Don’t paste confidential documents into unapproved AI tools. Contracts, financial papers, board minutes, strategy documents, anything the business considers sensitive.
3. If AI generates something going to a client, regulator, or public audience, a person must review and approve it first. No output goes out unchecked. Print it. Pin it in the kitchen. Email it to the team. Add it to your staff handbook. That’s the job done for most businesses.

Which tools to actually approve

Once the rules exist, decide which AI tools your business formally signs off on. For each one, four questions are worth asking:

• Where does data go when you type it in? Is it stored, and for how long?
• Does the provider use your inputs to train their models?
• Does their data processing agreement meet UK GDPR requirements?
• What happens to your data if you stop using the tool? For many small businesses, the simplest answer is to stick with AI that’s already built into tools you already trust. If you’re on Microsoft 365, Copilot works within your existing Microsoft environment and is covered by the data processing agreements you already have in place. That’s considerably less risky than staff signing up for arbitrary external services on their own.

For professional services firms across North Wales, whether you’re an accountancy practice in Ruthin or a legal firm in Caernarfon, being able to say you have a documented AI policy, approved tools, and human review on outputs is increasingly the baseline clients and auditors expect. The businesses that have sorted this now will be ahead when the ICO starts paying closer attention, and it is paying closer attention.

Three rules. One email. One conversation. Start this week.