GENERATIVE AI & THE POPI ACT
As businesses increasingly adopt AI technologies, privacy and data protection implications have become more pronounced. For example, in South Africa, the Protection of Personal Information Act (POPIA) has established strict guidelines for collecting, storing, and using personal information.
As a result, employers must know how their employees’ use of generative AI may put them in breach of POPIA.
In this post, we’ll explore how your employees’ use of generative AI technology can put you in breach of POPIA and what you can do to mitigate those risks.
How employees are using generative AI
Employees can use generative AI, like OpenAI’s ChatGPT, to generate content such as emails, reports, and social media posts.
However, this technology requires access to data, including personal information, to train the algorithms that power it and produce the outcomes the employee seeks—e.g., a quick email.
POPIA and personal information protection
Employees may inadvertently put you in breach of POPIA if they input personal information into generative AI without the necessary consent or authorisation.
Risks associated with employees’ use of generative AI
You are responsible for ensuring that your employees know the risks of generative AI and the importance of complying with POPIA. Your responsibilities include providing training on properly using and protecting personal information and implementing policies and procedures that ensure compliance with POPIA. You should also conduct regular systems audits to ensure that employees use generative AI appropriately and are not putting the company at risk.
Employer responsibility and liability
It’s also crucial to note that under POPIA, employers are ultimately responsible for protecting personal information, even if an employee causes the breach.
Therefore, by implication, you may be liable for any damages resulting from a breach of personal information caused by an employee’s use of generative AI.
Proactive measures for compliance with POPIA
To avoid breaches of POPIA, you should take measures such as:
1. Implementing strict policies and procedures for the use of generative AI and personal information
2. Providing comprehensive training to employees on POPIA compliance and the use of generative AI
3. Conducting regular audits of the systems and data to ensure compliance
4. Establishing clear lines of responsibility for the protection of personal information
5. Ensuring that employees have the necessary authorisation or consent before using personal information with generative AI
Actions you can take next
- Protect your reputation by asking us to train your employees on using generative AI lawfully
- Set clear standards and guidelines for using generative AI by asking us to draft an AI policy for your organisation
- Manage the data protection risks of your AI projects by joining our data protection programme