What is an AI use policy?
An AI use policy is a short written document that tells your staff which AI tools they may use, what data they may put into those tools, and when a human must check the result before it goes out. Think of it as the house rules for AI at work.
A useful comparison is the food-safety rules in a kitchen. Nobody reads them for pleasure, but they let everyone work quickly and confidently because the boundaries are clear. An AI policy does the same job for the digital side of your business.
It is not a legal contract and it is not a technical manual. For a small business, a good AI policy fits on two or three pages and can be read in five minutes.
Why does your small business need one in 2026?
You need an AI policy because your staff are already using AI, with or without your permission. In Hong Kong, surveys in 2026 found that a large majority of employees who use AI at work bring their own consumer tools, most of it outside any company rule. That quiet, unmanaged use has a name: shadow AI.
The danger is not the tool. It is the data. When an employee pastes a customer list, a supplier contract, or a payroll sheet into a free chatbot to save time, that information can leave your control in a single click.
One security review of AI use over a 60-day period found that 38% of AI interactions triggered a risk warning, and the most common category was personal data being exposed.
The reason this matters more in 2026 than a year ago is speed. AI tools have become so easy that a staff member can adopt a new one in the time it takes to open a browser tab. Your business is not choosing whether to use AI; it is choosing whether that use is visible and safe or invisible and risky.
There is a local reason too. Hong Kong's Privacy Commissioner for Personal Data (PCPD) published a "Checklist on Guidelines for the Use of Generative AI by Employees" to help organisations set internal rules while staying compliant with the Personal Data (Privacy) Ordinance. In its 2026 compliance checks across 60 organisations, the PCPD found AI adoption had climbed to 95%, and recommended staff training, impact assessments and clear governance. A written policy is how you show you have done this.
What should an AI use policy include?
A practical AI policy for a small business covers six things: which tools are approved, what data is allowed, when a human must review the output, who to ask for exceptions, basic training, and what happens if the rules are broken.
Here is what each part means in plain language:
1. Approved tools. List the specific AI tools your business allows, for example a paid business-tier chatbot. Anything not on the list needs approval before use.
2. Data rules. State clearly what must never be typed into a public AI tool: customer personal data, staff records, financial figures, signed contracts, passwords, and anything a client gave you in confidence.
3. Human review. Require a person to check AI output before it is used in customer messages, hiring decisions, legal or accounting work, official records, or anything published outside the company.
4. Approval and exceptions. Name one person, often you, the owner, who decides when a new tool or a new use is allowed.
5. Training. Give staff a short briefing so they understand the rules and why they matter. A policy nobody has read protects nobody.
6. Consequences. Explain, calmly, what happens if the rules are ignored, and ask each person to sign that they have read the policy.
How do you write an AI policy in five steps?
You write an AI policy by first mapping how AI is already used in your business, then setting rules around the real risks you find. The whole exercise takes a focused afternoon for most small firms.
Step 1: Map what is already happening. Ask your team, without blame, which AI tools they use and for what. You will almost always find more than you expected.
Step 2: Find where sensitive data is exposed. Look at each use and ask whether customer or financial data is going into a tool you do not control.
Step 3: Decide your approved list. Pick one or two tools you are comfortable with, ideally business versions that do not train on your data, and make them the default.
Step 4: Write the rules in your own words. Keep it to a few pages. Use plain sentences a new hire could follow on day one.
Step 5: Brief the team and review every quarter. AI tools change fast, so a policy written once and forgotten becomes wrong within months.
What are the most common mistakes small businesses make?
The biggest mistake is banning AI outright. A blanket ban does not stop use; it pushes it underground, where you cannot see it or protect it. Staff who have felt the time savings will simply find workarounds.
A second mistake is copying a giant corporate policy off the internet. A 30-page document written for a bank will confuse a 12-person retail shop and end up unread in a drawer.
A third mistake is writing the policy and never mentioning it again. Industry reviews suggest that businesses combining a clear policy with training and practical alternatives see up to a 70% drop in risky, unmanaged AI use within six months. The policy only works when people know it exists and have an approved tool to actually use.
What does an AI policy look like for a real Hong Kong business?
For most Hong Kong SMEs, an AI policy is short and practical, and it changes depending on the kind of data the business touches every day. The rules that matter for a restaurant are not the same as those for a property agency.
Consider a restaurant owner with 15 staff. The team wants to use a chatbot to reply to online reviews and draft social media posts. Here the risk is low, so the policy can be permissive: staff may use the approved tool freely for marketing copy, but must never paste a customer's phone number, booking details, or a supplier's pricing into it. One line covers it.
Now consider a small property agency. Agents are tempted to feed client budgets, identity card numbers, and mortgage details into a free tool to draft listings and letters faster. This is exactly the kind of personal data the PDPO protects. The policy here must be stricter: no client personal data in any public tool, and any AI-drafted contract or advice must be checked by a licensed agent before it reaches the client.
A retail shop sits in between. Using AI to write product descriptions or plan a promotion is fine. Using it to analyse a spreadsheet of named loyalty-club members is not, unless the data is stripped of names first. The policy simply spells out that line.
In all three cases the document is the same length, two or three pages. What changes is the data list in the middle. That is why copying someone else's policy rarely works: the value is in describing your own data honestly.
How does an AI policy save you money?
An AI policy saves money in two ways: it prevents the costly mistakes that come from mishandled data, and it lets your team adopt AI faster because they finally know what is allowed. Uncertainty is expensive; clear permission is not.
The downside risk is concrete. A single leak of customer personal data can trigger a PDPO complaint, reputational damage, and lost clients, costs that dwarf the price of writing a two-page document. Industry reviews link clear policies plus training to as much as a 70% fall in unmanaged AI use within six months.
The upside is quieter but just as real. When staff know which tool is approved and what it can be used for, they stop hesitating and start saving hours. A policy is not only a shield against risk; it is a green light that tells your team it is safe to move.
Frequently asked questions
Do I need a lawyer to write an AI policy?
No. Most small businesses can draft a workable policy themselves using the six elements above. You may want a professional to review it if you handle large volumes of sensitive personal or medical data.
How long should the policy be?
For a small business, two to three pages is ideal. If a new staff member cannot read and understand it in five minutes, it is too long.
How often should I update it?
Review it every three months. AI tools and their data settings change quickly, and a rule that was safe in January may need adjusting by summer.
Will an AI policy slow my team down?
The opposite, when it is done well. A policy that only says "no" creates hesitation. A policy that names an approved tool and clear green-light uses removes the guesswork, so staff spend less time wondering whether something is allowed and more time getting work done.
The takeaway
An AI use policy is not red tape. It is the simplest, cheapest way to let your team enjoy the speed of AI while keeping your customers' data and your reputation safe. Start small, write it in plain language, and treat it as a living document.
The goal is not to slow your business down. It is to give everyone the confidence to move faster, knowing where the lines are. We understand AI. UD stands with you.
Ready to put AI to work, safely?
Knowing the rules is the first step. The next is knowing exactly where AI can help your business, and how to deploy it without exposing your data. UD has walked Hong Kong businesses through this for 28 years, and we will walk you through it step by step, from a simple readiness check to a safe, working setup.