Your team already uses AI. Your policy says nothing. Here is what that risks

2026-06-10 · COMPLIANCE · 7 MIN READ

Survey after survey lands on the same split: a large majority of employees use AI tools at work, and a small minority of companies have any policy governing it. The gap between those two numbers is where the risk lives, and it is not hypothetical.

What actually goes wrong

  • Client data leaves your control. An employee pastes a client contract, a customer list, or medical details into a free chatbot to "summarise it quickly." Depending on the tool and its settings, that data may be retained, reviewed, or used for training. You have now disclosed personal information to a third party with no agreement in place.
  • Confidential strategy leaks. Pricing models, tender responses and HR matters get pasted into tools the company has never assessed.
  • AI output ships unchecked. A quote, a legal clause or a financial figure generated by a model goes out under your letterhead with a hallucinated number in it. The client relies on it. The model vendor's terms put that liability on you.
  • You cannot answer the question. A customer, auditor or regulator asks "do you use AI on our data, and how?" and nobody in the business can answer accurately. That alone fails due diligence reviews.

None of these require bad intent. They happen because nobody told staff what is allowed, so each person improvises.

Where POPIA bites

For South African businesses, the Protection of Personal Information Act applies regardless of company size. Three sections matter most for AI use:

  • Processing limitation. Personal information may only be processed for the purpose it was collected. Feeding customer data to an AI tool for an unrelated purpose, without consent, breaches this.
  • Operator agreements. If an AI vendor processes personal information on your behalf, they are an operator and you need contractual safeguards. A free consumer chatbot account is not that.
  • Cross-border transfers. Most AI tools process data outside South Africa. POPIA section 72 allows this only under specific conditions you are supposed to have checked.

The Information Regulator can fine up to R10 million for serious breaches. For an SME the realistic damage arrives earlier: a complaint, a breach notification, and clients who quietly leave.

Where the EU AI Act bites

If you sell to European customers or process their data, the EU AI Act applies to you as a deployer of AI systems even though you are not in the EU. The practical SME obligations are lighter than the headlines suggest, but they are real: know which risk class your AI use falls into, ensure human oversight for anything consequential, and be transparent when customers interact with AI. Prohibited-practice fines run to 7 percent of global turnover, and the deployer obligations have been in force since 2026.

What a usable policy contains

A policy nobody reads is worse than none, because it creates false assurance. Keep it to a few pages covering:

  1. Approved tools. Name them. Name the account type, because the free tier and the business tier of the same product often have opposite data-retention terms.
  2. Data rules. What may never be entered into any AI tool: client personal information, credentials, financials, anything under NDA. This is the paragraph that prevents the expensive mistake.
  3. Human review. AI output that reaches a client, a contract or a financial decision gets checked by a person who is accountable for it.
  4. Disclosure. When you tell clients AI was used, and who answers questions about it.
  5. A processing register. One table: which tool, what data, what purpose, where it is processed. This is also what POPIA expects you to be able to produce.
  6. An owner. One named person who approves new tools and reviews the policy twice a year.

The one-week version

You do not need a legal engagement to get from nothing to defensible. Ask your team what tools they already use, and promise amnesty so they answer honestly. Pick the two or three that matter, check their data terms, and write the six sections above. Then brief the team in fifteen minutes, in plain language. Done is better than perfect here: a short adopted policy beats a long draft sitting in legal review while staff keep improvising.
