ChatGPT crossed 100 million users within two months of launch. In South Africa, it is now a standard tool for professionals in accounting, law, HR, healthcare, and financial services. The problem is not the tool itself — the problem is what staff are pasting into it.
How ChatGPT and AI Tools Process Your Data
When an employee pastes text into ChatGPT, that text is sent to OpenAI's servers (based in the United States) for processing. What happens to it next depends on the account type:
- Free consumer accounts: Conversations are used to train future models unless the user turns this off under Data Controls (the default is on). Conversation history is retained on OpenAI's servers until the user deletes it.
- ChatGPT Plus (paid): Same opt-out as the free tier. Data is still sent to and stored on US servers, and there is still no contract between the employer and OpenAI.
- ChatGPT Enterprise / API: OpenAI does not use inputs or outputs for training by default. Data processing agreements are available, which is what makes these tiers usable for personal information.
Most South African employees are using free or personal paid accounts. There is no data processing agreement between the organisation and OpenAI for these accounts.
What POPIA Says About This
Under POPIA, when an employee pastes personal information into ChatGPT using a consumer account, the organisation (as the responsible party) has potentially violated several conditions of lawful processing:
- Openness and further processing limitation: The personal information is being passed to a third party (OpenAI) that was never disclosed to the data subject, for a use the data subject was not told about
- Security safeguards: The organisation has no contract with, and no control over, how OpenAI stores, secures or uses the data
- Purpose specification: The data subject provided their information for a specific purpose, not to be processed by an AI system
- Operator obligations: If a third party processes personal information on the organisation's behalf, section 21 requires a written agreement with that operator. Consumer AI accounts have no such agreement.
- Transborder information flows: Because the data leaves South Africa for US servers, section 72 applies, and none of its permitted grounds (data subject consent, a binding agreement, an adequate-protection jurisdiction) is in place for a consumer account.
Real Examples of POPIA-Risky ChatGPT Use
- An accountant pastes a client's financial statements for analysis: contains names, ID numbers, banking details
- An HR manager pastes a disciplinary record for letter drafting: contains an employee's personal information and medical information
- A doctor pastes patient notes for summarisation: contains special personal information (health data)
- A lawyer pastes a client affidavit for editing: contains personal information and legally privileged content
- A payroll administrator pastes a salary schedule: contains employees' names and financial information
In every case, the employee was trying to be efficient. In every case, a POPIA violation may have occurred.
Microsoft Copilot and Other Tools
ChatGPT is not the only risk. Microsoft Copilot, Google Gemini, Notion AI, and dozens of specialist AI tools have the same issue in their consumer versions. Microsoft 365 Copilot (the enterprise version, licensed per user) is covered by Microsoft's data processing terms and keeps prompts and responses inside the Microsoft 365 service boundary, not used for training, but only if it is properly licensed and configured. The free Copilot in Edge or on the web, used with a personal account, is a consumer service with none of those protections.
What Organisations Must Do
- Write an AI acceptable use policy that specifies which tools are approved and what data may not be input
- Publish an approved tool list distinguishing consumer tools (no personal data) from enterprise tools (with data processing agreements)
- Train all staff on why AI tool data input is a POPIA issue, with examples from their specific role
- Deploy technical controls where possible: browser or DLP controls that inspect text before it reaches an AI platform, alert on or block pastes containing ID numbers, account numbers or health terms, and block the consumer domains of tools that are not approved
- Audit periodically: review proxy, DNS and browser logs on managed devices to identify which AI tools are actually in use, and compare that against the approved list
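The "technical controls" step above is the one that can be demonstrated in code. The block below is an added illustration, not ComplyBar's or any vendor's product: a pre-submission filter that scans pasted text for South African ID numbers before it leaves the browser or a company proxy. A South African ID number is 13 digits, YYMMDD SSSS C A Z, where the last digit is a Luhn check digit over the preceding twelve, so a plain "13 digits" regex can be tightened to "13 digits, a plausible birth date, and a valid Luhn checksum" to cut false positives from reference numbers. The sample text is constructed; the name, ID number and account number in it are made up.

```python
import re
from datetime import datetime

# Constructed sample of the kind of text an employee might paste into a
# consumer chatbot. The name, ID number and account number are fictitious.
SAMPLE_PASTE = """Client: Thandi Mokoena, ID 8001015001084, account 62345678901.
Please summarise her 2023 financial statements. Ref 1234567890123."""

# Exactly 13 consecutive digits, not embedded in a longer digit run.
SA_ID_CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a digit string (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sa_id_number(candidate: str) -> bool:
    """True if the string has the shape of a South African ID number:
    13 digits, a parseable YYMMDD birth date, and a valid Luhn check digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")   # rejects month 13, day 32 etc.
    except ValueError:
        return False
    return luhn_valid(candidate)


def find_sa_id_numbers(text: str) -> list[str]:
    """All substrings that pass is_sa_id_number, in order of appearance."""
    return [m.group(0) for m in SA_ID_CANDIDATE.finditer(text)
            if is_sa_id_number(m.group(0))]


def redact_sa_id_numbers(text: str) -> tuple[str, int]:
    """Replace each detected ID number with a marker; return (text, count).
    A DLP hook would block or alert when count > 0 instead of silently rewriting."""
    found = find_sa_id_numbers(text)
    for id_number in found:
        text = text.replace(id_number, "[SA-ID-REDACTED]")
    return text, len(found)


if __name__ == "__main__":
    cleaned, hits = redact_sa_id_numbers(SAMPLE_PASTE)
    print(f"{hits} SA ID number(s) found")
    print(cleaned)
```

Run on the sample, the filter flags 8001015001084 (valid date, valid checksum) and ignores the 13-digit reference 1234567890123, whose "month" of 34 fails the date check. The same pattern extends to other identifiers the page lists (card numbers are also Luhn-checked; bank account numbers are not, so those need a looser rule plus context words such as "account"), and in production the check belongs in a browser extension or forward proxy that sees the paste before the request to the AI platform is sent, not in an after-the-fact audit.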
Find out where your business stands on this risk.
ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.