How to Draft an Acceptable Use Policy in the UK
If you need to know how to draft an Acceptable Use Policy in the UK, you are in the right place. An Acceptable Use Policy (AUP) sets out the rules governing how employees, contractors, or users can interact with your systems, networks, and digital assets. In the UK, getting this document right matters, not just for internal discipline, but because it intersects with UK GDPR, the Computer Misuse Act 1990, and your employment contracts. A poorly written AUP leaves you exposed if someone misuses company systems and you need to take action. This guide walks you through every clause you need, what UK law requires you to address, and where founders typically go wrong. Whether you are a SaaS business, a professional services firm, or a growing startup, a clear AUP protects your business and sets expectations from day one. Atornee can generate a UK-compliant draft in minutes, but this guide helps you understand what you are signing off on.
FAQ
Is an Acceptable Use Policy legally required in the UK?
There is no single law that mandates an AUP by name, but several UK legal obligations effectively require one in practice. UK GDPR requires you to have documented policies around data handling. The Computer Misuse Act 1990 creates criminal liability for system misuse, and having a clear AUP helps establish what authorised use looks like. Employment law also expects clear written rules before you can fairly discipline someone. So while it is not technically mandatory, operating without one creates real legal exposure.
What must an Acceptable Use Policy include under UK law?
At minimum, a UK AUP should cover: the scope of systems and users it applies to, permitted and prohibited uses, monitoring practices and the legal basis for them under UK GDPR, data handling responsibilities, consequences of breach, and how the policy links to your employment contracts or terms of service. If your team uses personal devices for work, you also need a BYOD section. Missing any of these creates gaps that are hard to close after an incident.
Can I use a US Acceptable Use Policy template for my UK business?
No — and this is a common mistake. US templates reference laws that do not apply in the UK, omit UK GDPR requirements, and often use legal language that does not reflect English contract law. More practically, if you try to enforce a US-style AUP against a UK employee, an employment tribunal will look at whether the policy was clear, reasonable, and compliant with UK law. A US template is unlikely to pass that test.
Do I need to tell employees I am monitoring their systems use?
Yes. Under UK GDPR, monitoring employees is a form of data processing and requires a lawful basis, transparency, and proportionality. Your AUP must clearly disclose what monitoring you carry out, why, and on what legal basis. Covert monitoring is only lawful in very limited circumstances. The ICO has published specific guidance on employee monitoring that is worth reading before you finalise this section.
Does an Acceptable Use Policy need to be signed by employees?
Technically a signature is not always required, but you need evidence that employees have received, read, and acknowledged the policy. A signed acknowledgement form, a confirmed email, or a logged acceptance in your HR system all work. Without this, enforcing the policy in a disciplinary situation becomes significantly harder. Make acknowledgement part of your onboarding process and keep records.
When should I get a solicitor to review my Acceptable Use Policy?
If your business handles sensitive personal data, operates in a regulated sector, or has a complex workforce structure involving contractors across multiple jurisdictions, a solicitor review is worth the cost. Similarly, if you have already had an incident involving system misuse or a data breach, get legal advice before updating your AUP — you want to make sure the revised document does not inadvertently create new liability. For most straightforward SMEs, a well-drafted template reviewed by a founder with this guide is a reasonable starting point.
External References
GOV.UK Business and Self-employed
Official UK government guidance on business operations, including employment and compliance obligations.
ICO Guidance for Organisations
The UK data protection authority — essential reference for the monitoring and data handling sections of your AUP.
UK Legislation
Primary source for the Computer Misuse Act 1990 and other statutes your AUP must align with.
Trust & Verification Policy
Authored By
Atornee Editorial Team
UK Policy Document Research
Reviewed By
Compliance Review Desk
UK Business Legal Content QA
"This content is based on analysis of UK employment law, UK GDPR requirements, and the Computer Misuse Act 1990 as they apply to business policy documentation. It reflects common drafting issues identified across SME and startup AUP documents in the UK context."