ChatGPT Usage Policy Template for UK Businesses (Free, Editable)

The ChatGPT-specific policy template UK businesses can adopt or adapt in 30 minutes. Covers Enterprise / Team / Plus / consumer tiers, data classification, Custom GPTs, and incident response.

Download the PDF. Print it. Bring it to your next leadership-team meeting.

What's inside

  • Purpose, scope, effective date. Standard policy header for ChatGPT-specific governance.
  • Approved ChatGPT tiers. Pre-populated table covering Enterprise, Team, Plus, and consumer tiers — with permitted-data-tier guidance per ChatGPT tier.
  • Prohibited use. Specific clauses for pasting personal data, automated decisions, external sharing, personal-account use.
  • Data tier framework. Four data tiers (Public, Business, Confidential, Restricted) with ChatGPT-tier mapping per data tier.
  • Incident response. What to do when staff accidentally paste sensitive data into a non-enterprise ChatGPT conversation.
  • Custom GPTs governance. Pre-approval requirements, named ownership, audit trail, external sharing controls.
  • Sign-off and acknowledgement. Staff acknowledgement form ready for HR rollout.

Who this is for

UK businesses where staff are already using ChatGPT — often through personal accounts, often with company data flowing into OpenAI's logs. The template retro-fits governance onto that reality.

How to use this

Search-replace [Company] and [Policy owner] placeholders. Decide whether to provision ChatGPT Enterprise / Team for everyone, restrict it to specific cohorts, or ban non-enterprise tiers. Publish, train, require sign-off, review annually.

Frequently asked

Should we have a ChatGPT-specific policy or one general AI policy?

Either. Most UK businesses with significant ChatGPT usage benefit from a specific policy — the data-tier mapping is detailed enough that bundling dilutes it. Smaller businesses with mixed AI tool usage often prefer one general policy with a ChatGPT section.

Is this template legal advice?

No. It's starting-point policy language. Have it reviewed by qualified counsel before final adoption, particularly under sector regulation.

What's the difference between ChatGPT Enterprise and Team?

Enterprise has full IT admin controls, SSO, DPA, longer retention controls, and zero-data-retention by default. Team is a lighter-weight tier with reduced admin controls. Both are appropriate for Tier 1 data; Enterprise is appropriate for Tier 2 with caution; neither replaces the need for sector-specific assessment for Tier 3.

How does this handle Custom GPTs?

Custom GPTs that act on company data require pre-approval per the template. The justification: each Custom GPT is effectively a new data flow with a new data scope — the policy treats it as a vendor change.

How often should we review this?

Annually, plus on any material trigger — OpenAI tier changes, sub-processor disclosure changes, regulatory guidance.

Related Arx Certa services

If the gaps this resource surfaces for your business need outside help to close:

  • AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping.
  • Cybersecurity — security overlay for AI use, UK GDPR / NCSC alignment, vendor risk assessment.
  • Database — data foundations work AI projects depend on.
  • Infrastructure — cloud, identity, network and integration foundations.
