AI Policy
1. Definitions
Artificial Intelligence (AI): Any system or functionality that performs tasks normally requiring human intelligence, such as language generation, prediction, design assistance, or image creation.
AI Tool: Any software, feature, or service that applies AI to support, automate, or enhance business processes.
Client Data: Any information, materials, or content supplied by a client to Rouge for the purpose of delivering contracted work.
Personal Data: Any information relating to an identifiable person, in line with UK GDPR definitions.
Project Definition Document (PDD): Rouge’s project-specific control document recording agreed scope, functionality, and approved use of AI.
Approved Use: Any AI use sanctioned under this policy, recorded in a PDD where applicable, and overseen by the AI Policy Lead.
Prohibited Use: Any AI use that breaches this policy, occurs outside authorised tools, or puts client confidentiality or GDPR compliance at risk.
2. Purpose
This policy sets out Rouge Media’s principles, rules, and procedures for the responsible use of Artificial Intelligence (AI) technologies. It ensures that all use of AI across the business is safe, transparent, ethical, and compliant with UK GDPR and Rouge’s internal Data Processing Agreement (DPA).
The policy applies to all employees, contractors, and third-party service providers acting on behalf of Rouge Media.
3. Scope
This policy covers:
- The use of AI-enabled features within approved business tools (e.g. Adobe Creative Cloud, Figma, Microsoft 365, and similar)
- The creation or use of AI-generated outputs in internal and client projects
- Any processing of client or personal data within AI-related workflows
- The recording of AI use for client projects in the Project Definition Document (PDD)
It excludes experimentation or private use of AI tools unconnected to Rouge business activities.
This AI Policy sits alongside Rouge Media’s Data Protection, Cyber Security, and Confidentiality policies, and supports our ongoing compliance with ISO 9001 (Quality Management), ISO 27001 (Information Security), and Cyber Essentials certification requirements.
4. Governance and Oversight
Rouge Media operates under a Responsible AI Framework built around accountability and transparency.
- The AI Policy Lead (currently Andy Woods) oversees AI governance, compliance, and policy updates
- Department Heads are responsible for ensuring all AI activity within their teams aligns with this policy
- Any new AI tools or significant use cases must be reviewed and approved by the AI Policy Lead before deployment
- All AI processing involving client data must comply with Rouge’s DPA and be logged in the relevant project’s PDD table
AI use logs will be reviewed quarterly to verify compliance. Any exceptions to this policy must be authorised in writing by the AI Policy Lead.
5. AI Tool Vetting and Approval
All new AI tools or services must be assessed and approved by the AI Policy Lead before business use. Rouge will evaluate each tool for:
- Data protection and security – including encryption, access control, and vendor data handling practices
- Legal and compliance alignment – with UK GDPR, Rouge’s DPA, and relevant contractual obligations
- Operational resilience – covering vendor uptime commitments, backup provisions, and disaster-recovery capability
- Transparency and model behaviour – including whether the vendor trains models on customer data
Approval and review records will be retained by the AI Policy Lead and revisited annually or when a major system update occurs.
6. Approved AI Tools and Applications
Only approved tools may be used for business or client work.
Currently Approved:
- Figma (AI features) – for design assistance, UX review, and asset organisation
- Adobe Creative Cloud (AI features in Photoshop, InDesign, Acrobat, Premiere, After Effects and Illustrator) – for video and image generation, PDF analysis, editing, and automation within licensed Adobe environments
- Microsoft 365 Copilot – for document drafting, communication support and data organisation within Rouge’s secure Microsoft tenancy
- ChatGPT Pro – for internal ideation, document drafting, communication support, and anonymised content refinement
- Other tools may be added following review and documented approval.
Prohibited Use:
- Use of free or personal AI accounts for company or client work
- Use of AI tools without confirmed data protection standards (e.g. where data is used for model training)
- Uploading any client, personal, or confidential data into non-approved AI systems.
7. Principles of Responsible AI Use
Rouge’s approach to AI follows seven ethical and legal pillars:
- Us, + AI: AI supports but never replaces human creativity and judgement
- Transparency: Clients are informed when AI is used on their projects
- Accountability: Human oversight and approval are required for all AI-generated outputs
- Fairness: AI tools must not be used to produce discriminatory or biased outcomes
- Privacy and Security: AI use must comply with UK GDPR and Rouge’s DPA obligations
- Quality and Reliability: All outputs are to be reviewed and validated by a qualified Rouge team member
- Ethical Use: Rouge will not use AI to misrepresent, impersonate or distort individuals or brands without their consent.
8. Client Data and Privacy Controls
Where AI is used in relation to client materials or data:
- The use must be agreed in writing with the client and recorded in the AI Use Log within the PDD
- Only material owned by, licensed to, or supplied by Rouge or the client may be used as AI input
- Personal or identifiable client data must never be input into an AI tool unless covered by a signed DPA
- Any processing that could constitute ‘automated decision-making’ under UK GDPR requires explicit client approval and documented safeguards.
9. Recording AI Use in Projects
When AI is proposed or used within a client project, it must be recorded in the AI Use Log of the Project Definition Document (PDD). Example:
| Date | Task | Action | Agreed by | Carried out by |
10. Employee Responsibilities
All staff must:
- Use only approved AI tools and accounts
- Review and validate AI-generated content before delivery or publication
- Refrain from sharing confidential data with AI systems
- Report any suspected misuse, bias, or data breach immediately to the AI Policy Lead
- Complete training and follow advice on ethical and compliant AI use annually.
Non-compliance may result in disciplinary action.
11. Intellectual Property and Ownership
All AI-assisted or AI-generated content created by Rouge employees during work remains the property of Rouge Media.
Where AI is used for client deliverables, Rouge confirms that:
- All outputs are created using appropriately licensed tools
- IP rights are assigned or transferred to the client in line with MSA and project contracts
- No generative AI tool retains or reuses Rouge or client content for model training.
12. Integration with the Data Processing Agreement (DPA)
Rouge’s DPA governs all processing of client data that Rouge performs on a client’s behalf. This AI Policy aligns with that agreement by ensuring:
- Any AI system that processes personal data must operate under DPA-equivalent terms with data encryption, access control, and deletion policies
- Sub-processors (e.g. third-party AI vendors) are only engaged following due diligence and written approval
- Data handling follows principles of minimisation, purpose limitation, and secure deletion.
13. Risk Management and Breach Response
If any AI-related activity results in, or risks, unauthorised data exposure or misuse:
- The AI Policy Lead must be notified immediately
- Rouge will follow its standard Data Breach Procedure under the DPA
- Clients will be informed without undue delay where their data is affected.
Periodic internal reviews will assess AI risks and the adequacy of controls.
14. Review and Updates
This policy will be reviewed annually, or sooner if:
- Legislation changes (e.g. updates to UK GDPR or AI-specific regulation)
- New AI tools are adopted
- An AI-related incident or near-miss occurs.
All staff will be notified of updates and re-trained as required.
By using AI in their work, all Rouge employees confirm that they have read, understood, and agreed to comply with this policy.
Updated 11th March 2026