AI tools are already being used in day-to-day work, whether officially or not. Staff may be using tools like ChatGPT to draft emails or summarise documents without realising the risks.
For smaller food businesses, this creates a challenge. You may not have an IT or legal team, but you still need to protect your business, your customers, and your data.
The good news is you do not need a complex policy to get started. A simple, clear set of rules is often enough.
Start with your goal
Before writing anything, be clear on what you are trying to achieve. In most cases, it comes down to two things:
- Protect sensitive information
- Allow staff to use AI in a safe and helpful way
This helps you avoid going too far in either direction. Banning everything is unrealistic. Allowing everything is risky.
Define what tools are allowed
Be clear about which tools staff can use.
For example, you might allow tools like Microsoft 365 Copilot if you already use Microsoft 365, and restrict public tools unless there is a specific reason to use them. The reasoning behind this is covered in why Copilot is often approved.
Keep this simple. A short list of “allowed” and “not allowed” tools is enough to start.
Set clear rules on data
This is the most important part of your policy.
Give staff a simple rule they can remember:
If the information should stay inside the business, do not put it into a public AI tool.
You can make this more practical with examples:
- Do not enter customer details
- Do not share supplier information or pricing
- Do not paste internal documents or audit notes
Simple examples are much easier to follow than legal language.
Explain what AI can and cannot be used for
Help staff understand where AI is useful and where it is not.
For example:
- OK to use: drafting emails, summarising general information, generating ideas
- Not OK to rely on: food safety decisions, compliance advice, final audit wording
This sets expectations without blocking useful use cases.
Make it clear that outputs must be checked
AI can make mistakes. This needs to be stated clearly.
A simple rule works well:
Always review and check AI-generated content before using it, especially for anything important.
Even when an answer sounds confident, it might not be correct. For more on this, see what are AI hallucinations?.
Keep it short and easy to read
A common mistake is making policies too long or too formal. If people do not read it, it will not work.
Aim for one page. Use plain language. Avoid technical terms.
You can always expand it later as your use of AI grows.
Talk to your team
Once you have a basic policy, share it with your staff.
Explain why it exists, not just what it says. Most people are happy to follow rules if they understand the reason behind them.
Encourage questions. This will help you spot gaps or confusion early.
Review and improve over time
AI is changing quickly. Your policy does not need to be perfect on day one.
Start simple, then update it as:
- New tools are introduced
- Risks become clearer
- Your team becomes more confident using AI
The key point is this: doing something simple now is far better than doing nothing.
A clear, practical AI policy helps your team use these tools safely, without slowing them down.