Staff at UK accountancy practices are already using AI tools. In many firms, this is happening without any written guidance on which tools are permitted, what data can be processed, or how outputs should be reviewed. That gap is a compliance risk, a consistency problem, and a missed opportunity to get more value from AI at the same time.
This article is part of Runbook's complete guide to AI implementation for UK accountancy practices. It covers what an AI policy for an accountancy practice needs to contain, why the standard office IT policy does not cover it adequately, and includes a template structure you can adapt for your own firm. If you are not yet sure whether your practice is ready to formalise its AI use, the free AI Readiness Scorecard gives you a personalised starting point in under five minutes.
Why a standard IT policy is not enough
Most practices that have thought about AI governance have pointed their staff at the existing IT or acceptable use policy and assumed it covers the new territory. It does not, for several reasons.
A standard IT policy deals with how staff use business equipment, internet access, and company systems. It was written before large language models existed. It does not address the specific risks that come with AI tools: data being submitted to an external model, outputs that can be plausible but factually incorrect, or the question of what constitutes acceptable use when a tool can draft a client communication in thirty seconds.
The ICO's published guidance on generative AI and data protection makes clear that organisations processing personal data through AI tools need to address those tools specifically within their data protection framework. For a UK accountancy practice, which handles sensitive financial and personal data as a matter of course, that means proper governance and controls around AI use are necessary to meet existing UK GDPR obligations. Professional body guidance from ICAEW and ACCA supports the same conclusion: both bodies have published material emphasising the importance of formal oversight and internal controls around AI, and neither treats informal, ungoverned AI use as adequate for a regulated practice.
Beyond compliance, a standalone AI policy does something the generic IT policy cannot do: it tells staff what they are actually allowed to do, removes ambiguity, and creates a foundation for consistent, confident AI adoption across the practice. Without it, you get a patchwork of individual habits that is difficult to manage and even harder to audit.
What an AI policy needs to cover
An AI policy for an accountancy practice does not need to be a lengthy document. The practices that get most benefit from having one keep it focused and practical. The following areas are the minimum required coverage.
Approved tools
The policy should name the AI tools your practice has evaluated and approved for use. This is not a list of tools staff may have heard of or seen advertised. It is a list of tools the practice has actively reviewed and tested and, where necessary, for which it has signed a data processing agreement with the provider.
For most UK practices in 2026, the approved list will include one or more of the following: ChatGPT Business or Enterprise (with a data processing agreement in place), Microsoft Copilot deployed through the appropriate Microsoft 365 commercial environment, or Claude Team or Enterprise. Free consumer tiers of these tools are generally not appropriate for use with client data and should be addressed explicitly in the policy.
Acceptable and prohibited uses
This is the section staff will read most carefully, and where the policy creates the most practical value. It should distinguish clearly between tasks that are approved, tasks that are approved with conditions, and tasks that are not permitted.
Typical approved uses for a UK accountancy practice include: drafting client emails and letters (with review before sending), summarising meeting notes, producing first drafts of internal documents, researching publicly available guidance, and generating prompt-based output for internal use. Our guide on using AI to write better client emails covers the practical workflow for one of the most common approved uses in detail.
Tasks that require additional conditions typically include anything where client data must be submitted to the tool. These require an approved tool with a data processing agreement, and should specify that free-tier tools cannot be used for this purpose.
Prohibited uses should include: submitting client data to unapproved tools, using AI-generated output in a client-facing communication or regulated document without qualified review, and using AI tools to produce technical advice that is issued to clients without a qualified person checking it.
Output review requirements
Every AI policy for a regulated professional services firm should include an explicit statement that AI output requires human review before it is used. This is not a caveat. It is a core operating principle. AI tools produce plausible-sounding output whether or not it is accurate. The policy should specify who is responsible for reviewing output in different categories: client communications, technical documents, and internal documents may each require different levels of sign-off.
Data protection responsibilities
This section should set out what staff can and cannot submit to an AI tool, and which tools are approved for use with personal or client data. It should reference your broader data protection policy rather than trying to replicate it, and should include a clear escalation route if a member of staff is uncertain.
Responsibilities and accountability
The policy should name who owns it, who is responsible for keeping it up to date, and how staff should raise concerns or report a problem. For most small practices, this will be a partner or the person with responsibility for compliance. The policy should also state the review frequency.
Data protection and GDPR considerations
This is the area where practices most commonly underestimate their exposure. The central question is straightforward: when a member of staff submits information to an AI tool, where does that information go, who can access it, and is the provider acting as a data processor under UK GDPR?
For the free consumer tiers of most AI tools, the answer to the last question is almost always no. Free-tier terms for tools like ChatGPT and Google Gemini have historically included clauses permitting the provider to use input data to improve the model. Even where this can be opted out of, the terms do not include a data processing agreement. Submitting identifiable client data through a free-tier tool is likely to create significant data protection risk and may put the practice in breach of its obligations if appropriate controls are not in place.
The paid business tiers of the major providers address this differently. ChatGPT Business and Enterprise, Microsoft Copilot deployed through the appropriate Microsoft 365 commercial environment, and Anthropic's Claude Team or Enterprise all offer data processing agreements that establish the provider as a data processor and commit to not using input data for model training. A DPA is an important baseline, but it is not the whole picture: firms also need appropriate governance, staff training, security controls, and a clear understanding of which use cases are suitable. Your policy should specify which tier is required for which category of data, and sit alongside your broader UK GDPR compliance framework.
Important: Runbook does not provide data protection or legal advice. The guidance above is for general information only. Before finalising your AI policy and approving tools for use with client data, consult a qualified data protection adviser or your professional body's guidance. The ICO publishes specific guidance on generative AI and data protection at ico.org.uk.
What counts as personal data in this context
For a UK accountancy practice, personal data includes any information that could identify a living individual: client names, addresses, National Insurance numbers, payroll data, tax reference numbers, personal financial information, and similar. It also includes combinations of information that together could identify someone, even if individually they seem innocuous. The threshold is lower than many practices assume.
The safest default position for a practice with a straightforward policy is this: no client personal data in an AI tool unless the tool is on the approved list, a data processing agreement is in place, and the task genuinely requires it. Most AI tasks in accountancy do not require personal data. A prompt asking an AI to draft a standard information request letter does not need to include the client's name and National Insurance number to produce a useful draft.
Staff training on data protection and AI
A written policy is not sufficient on its own. Staff need to understand the reasoning behind the rules, not just the rules themselves. A short briefing when the policy is introduced, covering the key data protection principles and why they apply to AI tools, significantly improves compliance. The AI Implementation Checklist for UK Accountancy Practices includes a staff briefing framework as part of the rollout section.
AI policy template structure
The following is a template structure your practice can adapt. It is a starting point, not a finished document. The sections marked with square brackets require you to fill in your practice's specific decisions. Before issuing, have the policy reviewed by whoever holds data protection responsibility in your firm, and take qualified advice if you are uncertain about any section.
AI Policy Template: [Practice Name]
Version: [1.0]
Date: [Month Year]
Review date: [Month Year + 12 months]
Policy owner: [Name / Role]
1. Purpose
This policy sets out how [Practice Name] uses artificial intelligence tools in its work, the controls that apply to that use, and the responsibilities of staff. It applies to all partners and staff.
2. Approved tools
The following AI tools are approved for use within the practice: [list tools, including tier/licence level]. All other AI tools are not approved. Staff must not use unapproved tools for practice work.
3. Acceptable use
- Drafting client communications for review before sending
- Summarising meeting notes and internal documents
- Producing first drafts of internal documents and procedure notes
- Researching publicly available guidance and information
- [Add any practice-specific approved uses]
4. Prohibited use
- Submitting client personal data to any unapproved tool
- Using AI-generated output in a client-facing document without qualified review
- Using AI tools to produce technical advice issued to clients without qualified sign-off
- Using free-tier tools for any task involving personal data
5. Output review
All AI-generated output must be reviewed by a qualified or responsible person before use. AI tools produce plausible output that may be inaccurate. The person submitting the output for review is responsible for flagging where AI assistance was used.
6. Data protection
No personal data may be submitted to an AI tool unless the tool is on the approved list with a current data processing agreement in place, and the task genuinely requires it. Having a DPA in place is an important baseline, but staff should also follow the practice's broader data protection policy and escalate any uncertainty. Where in doubt, consult [designated contact]. For detailed requirements, refer to the practice's Data Protection Policy.
7. Concerns and reporting
Any concerns about AI use, suspected data incidents, or uncertainty about whether a task is permitted should be raised with [designated contact] promptly.
8. Review
This policy will be reviewed annually, or when there is a material change to the tools in use, the types of data processed, or relevant regulatory guidance.
Rolling out the policy to your team
A policy that is drafted and filed without being communicated is not functioning as a policy. How you introduce it to the practice matters as much as what it contains.
Introduce it with a brief team session
A fifteen- to twenty-minute team meeting to introduce the policy is usually sufficient for a small practice. The goal is not to present the document line by line, but to explain the reasoning. Why does the practice need a policy now? What has changed? What are the two or three things everyone most needs to remember? Staff who understand the purpose of a rule are more likely to apply it correctly in ambiguous situations than staff who have simply been handed a document.
Make it easy to find
The policy should be saved somewhere every member of staff can access it without having to ask: a shared drive, the practice intranet, or a pinned note in your team communication tool. It should not require someone to email a partner to find out whether a particular use is permitted.
Set a review date and assign ownership
AI tools and the regulatory environment around them are both changing. A policy written in early 2026 may need meaningful updates by early 2027. Assign one person to monitor relevant guidance from the ICO, ICAEW, and ACCA, and to flag when a review is warranted. Without a named owner and a calendar date, reviews tend not to happen.
Link the policy to your broader AI implementation
A written policy is one component of a functioning AI implementation. It works alongside a defined set of approved tools, clear workflows for how AI is used in specific tasks, and some form of staff training. Practices that have these elements working together get materially better results from AI and are in a much stronger position if their approach is ever questioned by a client, regulator, or professional body. The AI Implementation Checklist for UK Accountancy Practices covers all of these components in a single, step-by-step framework.
Quick check: Before you publish your AI policy, confirm you have answered these four questions.
- Which tools are approved, including the specific tier or licence?
- What data categories can be submitted, and to which tools?
- Who reviews AI output before it is used in a client context?
- Who owns the policy and when is it next reviewed?
If any of these are unanswered, the policy is not yet ready to issue.
Frequently asked questions
Does my accountancy practice legally need an AI policy?
There is no current UK legislation that specifically mandates a standalone AI policy for accountancy practices. However, existing obligations under UK GDPR, the Data Protection Act 2018, and your professional body's standards make proper governance and controls around AI use necessary. If staff are using AI tools to process client data without appropriate controls, the practice is likely to be exposed under its data protection obligations. A written AI policy is often the clearest and most practical way to ensure those controls are in place and applied consistently.
How long should an AI policy be for a small practice?
For a practice of under 20 staff, a focused document of two to four pages is sufficient. The goal is clarity and usability, not comprehensiveness for its own sake. A policy nobody reads or remembers is not a policy. Cover the key areas: approved tools, what can and cannot be processed, output review requirements, and how to raise concerns. Keep the language plain.
What AI tools should I list as approved in our policy?
Only list tools your practice has actively evaluated and, where relevant, for which a data processing agreement has been signed with the provider. Common approved tools for UK practices include ChatGPT Business or Enterprise, Microsoft Copilot deployed through the appropriate Microsoft 365 commercial environment, and Claude Team or Enterprise. Do not list tools as approved simply because they are well known. The questions to ask are: have you reviewed the terms, confirmed the tool is suitable for the data types you intend to process, and is a data processing agreement in place where required? A DPA matters, but it is the starting point for compliance, not the end of it.
Who should sign off an AI policy in a small accountancy practice?
In most small practices, the AI policy should be approved by a partner or director with responsibility for practice management or compliance. If your firm has a designated data protection lead, they should review the data-related sections before sign-off. The policy should be communicated to all staff at the time of issue and when it is updated.
How often should we update our AI policy?
Review it at least annually, and whenever there is a significant change to the AI tools you use, the types of data being processed, or the regulatory guidance that applies to your practice. The ICO and professional bodies including ICAEW and ACCA publish updated guidance on AI and data protection periodically. Assign one person in the practice to monitor this and flag when a policy review is needed.