Overview
Your staff are already using AI. Someone has to be in charge of how.
AI tools have arrived in almost every workplace, often without anyone deciding they should. Staff draft emails with chatbots, paste documents into summarisers and use AI features built into the software they already have. That creates real business risk: confidential data leaving the organisation, decisions influenced by inaccurate or biased output, and regulators who increasingly expect employers to show that AI use is understood and controlled. Under Article 4 of the EU AI Act, organisations in scope must ensure staff who use AI have an appropriate level of AI literacy, and UK regulators including the ICO expect data protection duties to be met however the processing happens.
This Level 3 course is written for the people who carry that responsibility. It takes you through the regulatory landscape in plain terms, then gets practical: how to find out what AI is actually being used in your business, how to risk assess a tool before approving it, how to write an AI use policy that staff will actually follow, and how to keep records that show a regulator, a client or a court that you took your duties seriously. You will also cover the data protection side in depth, including when an AI project needs a data protection impact assessment.
The course is fully online and self paced. Most learners complete it across several sessions, and you keep access for twelve months from enrolment. Pass the closing assessment and your NFAQ certified certificate is generated straight away, dated and named, ready to download and print.
What you’ll learn
What you’ll be able to do
By the end of this course you will be able to:
Explain where AI is used across a typical business and why unmanaged use creates legal, security and reputational risk.
Describe the UK regulatory approach to AI, the EU AI Act risk tiers and the AI literacy duty, and know when each applies.
Apply UK GDPR principles to AI tools, including lawful basis, data minimisation and transparency.
Risk assess an AI tool before approval, covering data flows, accuracy, bias, confidentiality and vendor terms.
Write and roll out an AI use policy with clear permitted uses, red lines and an approval route for new tools.
Run a proportionate procurement and onboarding process for AI tools, including contracts and data processing terms.
Supervise day to day AI use, keeping meaningful human review of AI-assisted output and decisions.
Recognise and respond to AI incidents, keep the records that prove accountability and review the policy as tools change.
Course content
Eight modules to work through
Each module builds on the last and ends with the material you need for the final assessment. Work at your own pace and return to any module during your twelve month access window.
1AI in the Workplace: The Manager’s ResponsibilityWhat AI tools actually do, where they already sit in your business and why governance lands on you.⌄
- What generative AI and machine learning tools actually do, and what they cannot do
- Where AI is already in your business: chatbots, built-in assistants, screening and analytics tools
- Shadow AI: the tools staff use without asking, and why banning rarely works
- The risk picture: data leakage, inaccurate output, bias, IP and reputational harm
- Why the law and regulators put responsibility on management, not on the tool
2The Legal and Regulatory LandscapeThe UK approach, the EU AI Act and the regulators who already have jurisdiction over your AI use.⌄
- The UK’s principles-based approach and the role of existing regulators
- The EU AI Act: prohibited practices, high-risk systems and the risk-tier model
- Article 4 AI literacy: who is in scope and what “sufficient AI literacy” means for your staff
- The ICO, the EHRC, the FCA and sector regulators: who cares about what
- Contractual and insurance consequences of ungoverned AI use
3Data Protection and AIHow UK GDPR applies when personal data meets an AI tool, and the rules your staff must follow.⌄
- How AI tools process personal data, and the difference between public and enterprise deployments
- Lawful basis, purpose limitation and data minimisation applied to AI use
- What must never be entered into a public AI tool, and why
- Model training on your inputs: reading vendor terms properly
- Transparency duties: telling people when AI is involved in processing their data
4Risk Assessing AI ToolsA practical framework for assessing any AI tool before you approve it.⌄
- A structured AI risk assessment: data, accuracy, bias, security, dependency
- Hallucination and error rates: judging what a tool can safely be used for
- Bias and discrimination risk, and where it does the most damage
- Confidentiality, trade secrets and intellectual property questions
- Vendor due diligence: hosting, retention, sub-processors and exit
5Writing an AI Use PolicyThe document that turns good intentions into enforceable rules.⌄
- What a workable AI use policy contains, and what to leave out
- Defining permitted tools, permitted uses and hard red lines
- The approval route for new tools and new use cases
- Disclosure rules: when staff must say AI was used
- Getting sign-up: communicating and enforcing the policy without driving use underground
6Approving and Onboarding AI ToolsProcurement, contracts and pilots that keep new tools inside your controls.⌄
- Building AI questions into procurement and supplier review
- Data processing agreements and where AI vendors fit in your GDPR paperwork
- Running a contained pilot before a full rollout
- Configuring enterprise AI tools: retention, training opt-outs and access control
- Bringing shadow AI into the tent: amnesty, assessment and approved alternatives
7Managing Staff Use Day to DayTraining, oversight and quality control once tools are approved.⌄
- Meeting the AI literacy duty: training that matches each role’s actual use
- Meaningful human review: what it looks like and how to evidence it
- Quality control of AI-assisted output before it reaches customers or decisions
- Proportionate monitoring that respects employee privacy
- Handling misuse: from coaching conversations to disciplinary action
8Incidents, Records and ReviewWhat to do when AI goes wrong, and the paper trail that protects you.⌄
- What an AI incident looks like: data leakage, harmful output, biased decisions
- Linking AI incidents into your existing breach and incident procedures
- When an AI incident is a personal data breach, and the 72 hour clock
- The records that demonstrate accountability: assessments, approvals, training logs
- Reviewing the policy: new tools, new features, new law and lessons learned
Who it’s for
Is this course a good fit?
This course is written for the people who decide, or should decide, how AI is used in their organisation. If AI use in your team would land on your desk when it goes wrong, this is the level of knowledge the role needs.
Directors & senior managers
Leaders accountable for how the organisation adopts AI and for the risk it carries.
Department & operations managers
Managers whose teams already use AI tools day to day, approved or not.
HR managers
People teams handling AI in recruitment, performance and employee relations.
Compliance & data protection leads
DPOs and compliance officers adding AI to their oversight remit.
IT & information security leads
Those who approve tools, configure them and manage the data they touch.
Business owners
SME owners who need one person in the business to properly own AI risk.
Assessment
How it’s assessed
The course is assessed by a single online multiple choice test taken after the modules. It can be retaken as many times as you need at no extra cost.
End-of-course assessment
Study details
You can pause and resume at any point, and your progress is saved automatically. There is no time limit on the assessment itself.
Certification
Your CPD-certified certificate
Level 3 AI Governance for Managers and Supervisors — CPD Certified
On passing the assessment, your NFAQ certified digital certificate is available to download and print immediately, with your name, the course title and the completion date. It is dated, named evidence that the people directing AI use in your business are trained to do it, the kind of record that supports your accountability obligations under UK GDPR and your AI literacy duty under the EU AI Act. We recommend refresher training every two years, or sooner given the pace of change in AI regulation.
FAQs


