Company Policy on the Use of Artificial Intelligence
Company: [Company Name] · Effective date: [Date] · Policy owner: [Name / Role] · Version 1.0
1. Purpose
This policy sets the rules for using artificial intelligence (AI) tools in our work. It supports our obligations under Article 4 of the EU AI Act (Regulation (EU) 2024/1689) and the GDPR, and protects our clients, our staff, and our business.
2. Scope
This policy applies to all employees, contractors, and temporary staff of [Company Name] who use AI tools in any work context, including chatbots (e.g. ChatGPT, Copilot, Gemini), AI features inside business software, and AI-powered analysis or design tools, whether on company or personal devices.
3. Approved tools
- Only AI tools on the company's approved list may be used for work: [list approved tools here].
- Requests to use a new tool go to [Name / Role] for assessment before use.
- Free/public AI tools must be assumed to store and learn from anything you type into them.
4. Data protection rules (GDPR)
- Never enter personal data (names, addresses, phone numbers, emails, salaries, health details) into public AI tools.
- Never enter client-confidential or commercially sensitive information (contracts, pricing, designs) unless the tool is company-approved for that data class.
- Apply data minimisation: share with an AI tool only the minimum needed for the task; strip names and identifying details first.
5. Human oversight & accountability
- AI output is a draft, not a decision. A competent person must review and approve all AI-assisted work before it is used or sent.
- You remain professionally responsible for work you sign off, whether or not AI helped produce it.
- Verify every fact, figure, citation, and calculation an AI provides; AI systems can "hallucinate" convincing but false information.
- AI must not be used to make automated decisions about people (hiring, evaluation, discipline) without documented human review.
6. Transparency
- Be honest with clients about material AI use in deliverables when asked, and where required by contract or law.
- Label AI-generated content where it could reasonably be mistaken for human work with legal or safety significance.
7. Training
- All staff in scope must complete AI literacy training before using AI tools at work, and refresh it at least every 12 months.
- Completion certificates and the company training register are kept by [Name / Role] as compliance records.
8. Incidents
If personal or confidential data is entered into an unapproved AI tool, or AI output causes a work error, report it immediately to [Name / Role]. Fast reporting can prevent a data-protection breach from escalating; mistakes reported promptly will be treated constructively.
9. Breaches of this policy
Deliberate or repeated breaches may be handled under the company's disciplinary procedure. The purpose of this policy is protection, not punishment; ask [Name / Role] whenever you are unsure.
Template provided by CompliAI Training (brainquest.ie/aiact) to accompany EU AI Act Article 4 literacy training. This is a starting point, not legal advice; adapt it to your business and have it reviewed as appropriate.