top of page
Search

POPIA COMPLIANCE & RESPONSIBLE USE OF ARTIFICIAL INTELLIGENCE (AI)

ree

Once upon a time, communication was deliberate. A phone call meant dialing a rotary line, often through a switchboard operator. Letters were handwritten. Conversations were private. If someone wanted to reach you, they needed your permission and your physical address.


As decades passed, technology evolved. Telephones became mobile. Messaging became instant. Social media turned private lives into public timelines. And now, artificial intelligence (AI) allows us to ask questions, generate content, and even manage business tasks with just a few typed words.


But with this evolution came vulnerability. The right to privacy, once protected by distance and discretion, is now threatened by accessibility and automation. What was once a choice, to share or not to share, is now a risk we carry every time we click, post, or input data.


This shift from private exchange to public exposure is what gave rise to the Protection of Personal Information Act (POPIA). These laws exist because the tools we use every day have outpaced our understanding of how to protect ourselves. Unless we actively manage how information flows through our businesses, we risk violating the very rights POPIA was designed to uphold.


The Purpose of POPIA: Protecting People, Not Just Data

POPIA exists to protect personal information such as names, contact details, medical records, and financial data from being misused, mishandled, or exposed. It applies to every business, regardless of size or sector. Whether you run a single-chair salon or manage a national brand, if you collect, store, or share personal data, you are legally obligated to comply.


POPIA is more than paperwork. It is about trust. It is about showing your clients, your staff, and your community that their information is safe with you. It is also about knowing that if something goes wrong, you have a plan, not just to respond, but to take responsibility.


A Common Misstep: When Good Intentions Go Wrong

An employee accessed a client’s contact number, not through the employer’s approved system, but via an alternative source. She then used her personal phone to thank the client for a kind gesture. While her intentions were sincere, the method was unlawful.


Fortunately, the employer had a POPIA-compliant policy in place, including clear rules about device use and data access. Because of this, the employer was not held liable. But had those protections not existed, the business could have faced fines, reputational damage, or legal action.


This example highlights the importance of educating employees on what POPIA means, ensuring policies are written and accessible, and understanding that even well-meaning actions can have serious consequences.


AI in the Workplace: A New Layer of Risk

AI platforms like ChatGPT, DeepSeek, and Perplexity are now widely accessible. They are on our phones, our desktops, and in the hands of employees across every sector. So we must ask: Are our staff using AI? Are we using it to run our businesses? And if so, are we managing it correctly?


The accessibility of AI is not the issue. The real concern is the lack of understanding around how it should be used. When you insert information into an AI platform, do you know whether it is a general inquiry or personal data? Because that distinction matters. General inquiries like “how to mix hair tint” or “how to price a facial” are safe. But the moment you input personal information such as a client’s name, contact details, medical history, or appointment records, you may be breaching POPIA.


This is not just a technicality. It is a legal risk that could affect you as an employer, your employees, your clients, and your entire business ecosystem. And it is not always malicious. Sometimes it is just a lack of awareness. But ignorance is not a defence under the law.


Accountability: Who Carries the Risk?

When an employer has fulfilled their POPIA obligations through written policies, training, and monitoring, they are protected from liability in cases where an employee acts unlawfully. In such cases, the responsibility shifts to the employee, who may face:


  • Internal disciplinary action, including warnings, suspension, or dismissal

  • Civil claims, if the breach causes harm to a client or third party

  • Criminal charges, depending on the severity of the breach and intent


Employers must ensure that their disciplinary code includes POPIA violations as misconduct. Accountability must be built into employment contracts, induction processes, and ongoing performance management.


The Risk to Employers: What’s at Stake

Employers who fail to implement POPIA face serious consequences, even if the breach is caused by an employee. If the business cannot prove that it took all reasonable steps to comply, the employer may be held liable for:


  • Fines of up to R10 million

  • Criminal charges and imprisonment of up to 10 years

  • Reputational damage and loss of client trust

  • Civil claims from affected individuals

  • Operational disruption, including investigations, audits, and legal proceedings


One Call Is All It Takes

What makes POPIA risk so real is how easily it can be activated. A single phone call or email from an aggrieved client, staff member, or contractor to the Information Regulator is enough to trigger an investigation. No court case is needed. No formal complaint process. Just one moment of concern and the domino effect begins.


And while no business has yet been criminally prosecuted under POPIA, ask yourself: Would you want to be the first to test the theory? Compliance is not just about avoiding fines. It is about protecting your business from becoming a cautionary tale.


Your Implementation Guide: Ending on a Sweet Note

POPIA compliance does not have to be overwhelming. Here is how to start:


  1. Appoint an Information Officer: Every business must designate someone, often the owner or manager, who is responsible for POPIA compliance. Their role is to oversee data protection, ensure staff training, manage breach reporting, and serve as the contact point for the Information Regulator.

  2. Write it down: Create a step-by-step guide that outlines how your business protects personal information, from client records to employee files.

  3. Make it accessible: Ensure the guide is visible and available to everyone who enters your business.

  4. Train your team: Use real scenarios to explain what is allowed, what is risky, and what is unlawful.

  5. Audit regularly. Review your systems, update your policies, and check for gaps.

  6. Plan for breaches: Know what to do if something goes wrong and who will be held accountable.


If you are unsure whether your business is POPIA-compliant, do not wait. Contact your EOHCB representative for guidance. Implementing a policy is simple. Creating a culture of compliance takes dialogue, training, and leadership.


Protect your clients. Protect your business. Protect your people.


ree

 
 
bottom of page