AI Tool Risk
Are Employees Using ChatGPT With Confidential Information?
Most business owners are surprised to learn how frequently staff paste real company and client information into public AI tools. It happens daily across South African organisations - and management usually has no idea.
2
What This Looks Like In Practice
"A law firm administrator is preparing a client proposal. To save time, she opens ChatGPT and pastes in the client's company details, financial position and ID information, then asks the tool to draft an executive summary. The result is excellent. The client's information is now held by a third-party AI provider the firm never contracted with - and management has no idea it happened."
Client personal information processed by an AI provider outside your control
Potential POPIA violation - the client never consented to AI processing their data
No visibility into what the AI provider does with that information long-term
Reputational damage if the client discovers their data was shared
Regulatory exposure if a complaint reaches the Information Regulator
4
Questions Management Should Ask
?
Do you know which AI tools your employees are currently using during work hours?
?
Have you communicated a clear guideline about what information may and may not be included in AI prompts?
?
Would you know within a week if confidential client information had been shared with an AI tool?
?
Do you have any visibility into what types of information staff include when using AI tools?
Under POPIA, processing personal information through a third party requires a written operator agreement specifying purpose and security obligations. Public AI tools - ChatGPT, Google Gemini, Microsoft Copilot in consumer form - do not qualify as POPIA-compliant operators under most standard terms of service. Using them to process personal information constitutes unauthorised third-party processing, breaching POPIA's purpose specification and further processing conditions. Many AI providers also retain input data for model improvement or human review, extending the exposure well beyond the initial interaction. Browser-based governance tools can detect when employees paste or upload to AI tool domains and generate an audit trail, giving management visibility without content surveillance.
6
Practical Steps to Improve Visibility
1
Establish an AI acceptable use policy and brief all staff - a single written guideline distributed at a team meeting makes intent visible and creates accountability
2
Create a 'never paste' rule: client names, ID numbers, salary figures, financial records and health information must never be entered into a public AI tool
3
Identify which roles have the highest exposure - sales, finance, HR and operations teams typically interact with the most sensitive information
4
Where AI tools are used for work, evaluate enterprise editions that include data processing agreements - these differ fundamentally from consumer versions
5
Enable audit logging on your cloud platforms so management has evidence of information handling when it is needed
Section 7 - Assessment
Find Out Where Your Business Stands
ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.
From R750 • Delivered online • No commitment required