AI Tool Risk
SCENARIO

An Employee Pastes Customer Information Into ChatGPT

THE SCENARIO

A member of your team is working on a proposal for a client. They need to quickly summarise some background information, so they open ChatGPT and paste in the client's contact details, company information and a few financial figures. Within seconds they have a polished summary - and have shared confidential client information with a third-party AI system your business does not control.

1. How This Typically Happens

This happens because public AI tools are genuinely useful and easy to access. Employees are not trying to cause harm - they are trying to work efficiently. Without clear guidance or any visibility into how AI tools are used, it can happen many times a day across organisations that have no idea it is occurring. The behaviour is especially common in sales, operations and finance roles where summarising or reformatting information is a regular task.

2. Why Businesses Often Miss the Warning Signs

Most businesses have no way of detecting when staff access external AI tools during work hours. There are no alerts, no logs and no policy enforcement in place. By the time management becomes aware of the behaviour - if they ever do - it has often been happening for months. Because AI tools return useful results and nothing obviously goes wrong immediately, there is no internal signal that a problem has occurred.

3. Potential Consequences

- Client information processed by third-party AI systems outside your control
- Potential POPIA obligations triggered if the information included personal data
- Loss of client confidence if they discover it
- Reputational risk if the behaviour forms part of a complaint or claim
- Regulatory scrutiny if the Regulator becomes aware of the practice

4. Questions Management Should Ask

- Do you know which AI tools your employees are currently using during work hours?
- Have you communicated a clear guideline about what information may and may not be included in AI prompts?
- Would you know within a week if confidential client information had been shared with an AI tool?
- Do you have any visibility into what types of information staff include when using AI tools?

5. Practical Steps to Improve Visibility

1. Make AI tool usage a standing agenda item at management level - ask your team directly which tools they are currently using
2. Establish a simple, clear guideline: real client names, ID numbers, financial details and sensitive business information should never be pasted into a public AI tool
3. Consider reviewing access to the most sensitive client information for roles that regularly use AI tools
4. Ask your IT support whether your current systems can provide any visibility into external tool usage

Could This Scenario Happen In Your Business?

ComplyBar helps businesses find and understand hidden information risks before something goes wrong.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness and audit evidence.
