AI Use Policy & Governance for Canadian Small Business
A clear, one-page (or short) AI use policy your team will actually read — defining what AI tools they can use, what data goes in, and what to do when they're not sure. Drafted, reviewed, and rolled out, with PIPEDA in scope where it should be.
What goes in the policy
Short, plain English, focused on the decisions employees actually face.
Approved tools list
Which AI tools your team is allowed to use, which are case-by-case, and which are explicitly off-limits — with the reasoning for each so the policy stays defensible when employees push back.
Data handling rules
Concrete examples: what's safe to paste, what needs redaction first, what must never leave the local network. Written for your business, not generic.
PIPEDA & sector obligations
Plain-language reference to the Canadian privacy obligations that actually apply to your organization — without legalese the team will skip past.
"Who to ask" escalation
The most-used part of any AI policy. A clear path for the dozens of grey-area decisions employees face every week: who to ask, how fast they'll respond, what to do meanwhile.
Review cadence
AI tools change fast. The policy includes a built-in 6-month review trigger and a short checklist so updates don't require a full re-engagement.
The engagement
A short, structured 2–3 week engagement. Designed to fit small-org budgets.
01 Discovery
Three to five short interviews with leadership and the people doing the work. We surface how AI is already being used and what worries you most.
02 Draft
A first complete policy delivered in week 2 — covering approved tools, data handling, PIPEDA context, escalation, and review schedule.
03 Review & finalize
One round of stakeholder feedback, revisions, and a final version ready for board or leadership sign-off.
04 Rollout
A 45-minute team session walking through the policy, answering questions, and making sure the rules are actually understood — not just signed.
Frequently asked questions
What should an AI use policy include for a small Canadian business?
At minimum: which AI tools are approved, what kinds of information employees can and cannot paste into them, how to handle client or patient data, what to do when in doubt, and who to ask. For Canadian businesses, the policy should reference PIPEDA obligations around personal information handling.
How is this different from a general security policy?
A security policy is mostly about keeping bad actors out. An AI use policy is about your team's day-to-day decisions: which tool to use, what to share with it, when to escalate. They serve different purposes and shouldn't be merged.
Who should approve the policy?
Leadership (the person ultimately accountable), the operations lead (who owns enforcement), and ideally one line-of-business representative who actually uses AI day-to-day. Funders or boards may also need to sign off.
How long does drafting take?
A focused engagement for a small organization (under 50 staff) is typically 2–3 weeks: discovery interviews, draft, stakeholder review, revisions, and rollout plan.
What happens after the policy is signed?
A policy that nobody reads is worthless. Rollout matters as much as drafting — that's why every engagement includes a short team session to walk through it, plus simple ongoing-review milestones so the policy doesn't go stale.
Give your team rules they'll actually follow.
A 30-minute scoping call. We'll talk through your team, the data you handle, and whether a policy engagement is the right next step.
Book a Call