For UK small businesses using AI

Your AI policy, done properly.

54% of UK firms now use AI — but 76% have no written AI policy. Answer a three-minute assessment and get a tailored AI Acceptable Use Policy and AI Risk Register, aligned with UK GDPR, the Data Protection Act 2018 and ICO guidance.

No account needed · Nothing stored · Downloads for Word and Markdown

Common questions

Does my business legally need an AI policy?

No law says "you must have an AI policy" — but UK GDPR's accountability principle (Article 5(2)) requires you to demonstrate how you comply when processing personal data, and the ICO expects documented governance where AI is in use. A written policy is how a small business evidences that. Without one, any incident involving AI is much harder to defend.

Can staff paste customer data into ChatGPT or other free AI tools?

Not safely. Free consumer AI accounts typically sit outside any data processing agreement and may train on what is entered. Pasting customer or employee data into them is the most common AI-related route to a personal data breach for UK small firms. Business-tier tools with a data processing agreement — and a clear staff policy — are the fix.

What does BrightRule actually generate?

Two documents tailored to your answers: an AI Acceptable Use Policy (approved tools, prohibited uses, data handling rules, human oversight, incident reporting, review cycle and staff sign-off) and an AI Risk Register covering your flagged risks plus hallucination, data leakage, intellectual property and bias. Both download ready for Word. They are practical guidance, not legal advice.

What happens to my answers?

They're processed in memory to score your risk and draft your documents, then discarded. No account, no database, no cookies. See our privacy notice.

What does it cost?

The assessment, policy and risk register are free. Paid plans for ongoing compliance — staff acknowledgement tracking, DPIA support and automatic policy updates when regulation changes — are coming.