AI Data Security: The Policy You Need
"What data can we safely put into AI tools?"
This question comes up in every agency conversation. Lauren and Poppy from MCM asked it. Your team is probably asking it too.
The answer isn't complicated. But it needs to be deliberate.
The Problem
Most teams are using AI without any clear guidelines. Everyone's making their own judgment calls about what's safe to share. That's fine until it isn't.
The risk isn't that AI is inherently dangerous. The risk is that without a policy, you're relying on everyone's individual judgment - and judgments vary.
The Simple Rule
If you wouldn't put it on a public noticeboard, don't put it into an AI tool.
That covers 90% of cases. But agencies need something more concrete - something they can point to, train on, and show clients.
What a Good Policy Covers
Data That's Never Okay
Without explicit written approval:
- Passwords, API keys, authentication tokens
- Financial account details
- Identity documents
- Medical or health information
- HR-sensitive matters
- Full customer records (names + addresses combined)
- Supplier contracts with confidential pricing
Human Review Required
Before AI-generated output is:
- Sent externally
- Used in contracts or proposals
- Used to inform pricing decisions
- Published publicly under the company name
Governance Basics
- One person owns the policy
- Incident reporting process (non-punitive)
- Annual training and review
- Documented exceptions only
Why This Matters for Clients
When a client asks "how do you use AI?", you want an answer. Not a defensive scramble.
Having a written policy does three things:
- Protects you from accidental data exposure
- Shows clients you've thought about this deliberately
- Gives your team clear guidelines instead of guesswork
Get the Template
Credit to David Brown from Scottish Shutters for creating a practical, copy-and-paste policy template that actually works for small businesses.
Ads to AI members get access to a ready-to-use template based on David's work - just fill in your company name and you're done.
Not a member? The principles above will get you 80% of the way there. Write it down, share it with your team, and put it somewhere visible.
The goal isn't bureaucracy. It's clarity.
