Mark One Consultants Blog - IT news & technology tips


Four Things Your Acceptable Use Policy Must Cover in 2026

by Rowan Turner - Wed 24 Jun 2026

The way we work has changed dramatically over the last few years. Staff aren’t just using office PCs and email... they’re working remotely, on personal devices, across multiple cloud platforms, and increasingly with AI tools woven into everyday tasks. Without a clear Acceptable Use Policy (AUP), UK SMEs and charities risk data breaches, compliance headaches and awkward HR conversations when something goes wrong.

 

TL;DR

  • In 2026, staff use multiple devices, remote access, cloud apps and AI tools, so a clear Acceptable Use Policy is essential for SMEs and charities.
  • Your AUP should cover four key areas: devices and remote working (including BYOD), accounts and passwords, data handling and cloud/AI tools, and staff behaviour, monitoring and consequences.
  • Keep the policy concise, practical and aligned with UK GDPR and your other IT policies, then review it regularly as your technology and working patterns evolve.
  • Mark One can help you review your current setup and policies, through IT health checks, Microsoft 365 and network security reviews, and practical cyber awareness support.

 

An Acceptable Use Policy sets out how people in your organisation can use IT systems, data and devices safely and responsibly. Done well, it’s not a long, legalistic document that nobody reads – it’s a practical, everyday guide that supports staff and helps your organisation stay secure and compliant. Many businesses already have fragments in place (password rules here, a remote working note there), but haven’t pulled everything together into one clear policy reflecting how their team actually works in 2026.


Here are four areas your Acceptable Use Policy really should cover this year.

1. Devices, remote working and BYOD

For most organisations, the days of “only office desktops” are long gone. Laptops, tablets, phones and home PCs are part of everyday working life, and that brings risk as well as flexibility.

Your AUP should clearly explain:

  • Which devices are allowed to access company systems – for example, company-issued devices, carefully controlled personal devices (BYOD), and any rules around home PCs or shared family devices.
  • Minimum standards for those devices: up‑to‑date operating systems, disk encryption where possible, screen lock, no shared logins, and sensible malware protection.
  • Expectations for remote working: using secure Wi‑Fi rather than open public hotspots, locking screens in shared spaces, and avoiding work accounts being used on devices that children or friends also use.
  • What happens when someone leaves: returning equipment, securely wiping or removing company data from personal devices, and making sure access to systems is revoked promptly.

Bringing this together in an AUP helps your team understand where the boundaries are, and it gives you a framework to back up with technical controls such as secure remote access, endpoint protection and sensible network security. At Mark One, we often start this conversation through an IT MOT or network review, so the policy matches the reality of your devices and connections, not an idealised diagram.


2. Accounts, passwords and access

Identity is at the heart of modern cyber security... who has access, to what, and when. A good Acceptable Use Policy makes this crystal clear for staff.

It should set expectations such as:

  • Accounts are individual, not shared. Each person has their own login and access based on their role, rather than “generic” accounts passed around the team.
  • Strong authentication is non‑negotiable. That means decent password or passphrase standards, encouraging password managers, and multi‑factor authentication (MFA) for core systems like Microsoft 365 and remote access.
  • Passwords are never shared or reused between systems, and staff must not try to bypass security features like MFA for convenience.
  • Access changes are handled properly when people move roles or leave, with prompt removal of old accounts and regular reviews of permissions.

If this sounds familiar, that’s because it’s closely aligned with other guidance we give around phishing resilience, Microsoft 365 security and the principle of least privilege. Building these rules into your AUP means staff know what’s expected of them, and it signals that identity and access are central parts of your cyber security strategy... not bolt‑on extras.

 

3. Data handling, cloud apps and AI tools

Most organisations now rely on cloud platforms and collaboration tools... from Microsoft 365 and CRMs to sector‑specific systems for finance, case management or donor records. At the same time, AI tools are becoming part of daily workflows, whether officially approved or quietly adopted by individuals.

Your Acceptable Use Policy should:

  • Identify the main categories of data you hold (for example, client, donor, service‑user, staff, finance) and stress that handling must comply with UK GDPR and data protection law.
  • Make clear which cloud services and collaboration tools are approved for business use, and ban storing sensitive information in personal email, consumer cloud accounts or unapproved apps.
  • Set rules for sharing data, including using secure channels, appropriate access controls in Teams and SharePoint, and not exposing sensitive documents via overly broad links or public sites.
  • Address AI tools explicitly in 2026... what they can be used for, what must never be pasted into public AI services, and the need to verify outputs before acting on them.

This section is a natural place to reference your wider backup, disaster recovery and incident response planning. Good data handling makes it easier to protect and restore the right information when something goes wrong, and reduces the chances of accidental exposure in the first place. When we work with SMEs and charities on cyber resilience, we often find that tightening data practices through an AUP delivers quick wins alongside technical changes.

 

4. Behaviour, monitoring and consequences

Finally, your Acceptable Use Policy should talk about how people behave on your systems – and what happens when the policy is breached. This isn’t about heavy‑handed surveillance, it’s about keeping everyone safe and setting fair, consistent expectations.

Key points to cover include:

  • Professional behaviour online: no illegal content, hate speech, harassment or material that could damage the organisation’s reputation, even if accessed via work devices or accounts.
  • Reasonable monitoring: explain what level of logging and security monitoring is in place (for example, email filtering, sign‑in alerts, malware scanning) and why... to protect systems, data and staff, not to pry into day‑to‑day activity.
  • Reporting issues: encourage staff to report suspected phishing, data leaks or policy concerns promptly, and make it clear that raising concerns is a positive action, not something to fear.
  • Consequences of serious or repeated breaches: link at a high level to your HR processes and staff or volunteer handbook, rather than listing every possible sanction in the AUP itself.

When this section is written in plain language, it helps build trust. People understand what’s acceptable, what’s not, and how security measures fit into the bigger picture of protecting colleagues, clients and the organisation’s mission. Combined with good training and realistic phishing awareness work, it turns the AUP from “another policy document” into something staff actually use.

 

Making your Acceptable Use Policy real

A strong Acceptable Use Policy doesn’t have to be long or complicated. In fact, a clear, concise document that people can read and understand quickly is usually more valuable than a dense policy nobody revisits after induction. It should sit alongside your other key documents – data protection, remote working, BYOD, social media – and be reviewed regularly as technology and working patterns change.

In 2026, that review should include remote working arrangements, the spread of cloud apps, the growing use of AI tools and any recent incidents or near‑misses that revealed gaps in how people use IT day to day. For many SMEs and charities, a simple starting point is to map what staff actually do with devices and data, compare it with current policies, and then update the AUP so it reflects reality rather than an outdated assumption.

At Mark One, we help organisations connect their policies with their technology – through health‑checks like our IT MOT, network and Microsoft 365 reviews, backup and disaster recovery planning, and practical cyber awareness work. If you’re not sure your current rules match how your team really works, or you’d like a fresh pair of eyes on your Acceptable Use Policy, we’re here to help start that conversation.

