Is ChatGPT POPIA Compliant? What SA Businesses Actually Need to Know
ChatGPT itself is not POPIA compliant or non-compliant. Your use of it is. Here is what that means practically and what to do about it.
I get asked this question at least once a week. A business owner in Johannesburg or Pretoria has started using ChatGPT for drafting emails, handling customer queries, or summarising documents. Then someone on the team mentions POPIA, and suddenly there is panic.
So let me give you the direct answer first, then we will unpack it properly.
The Blunt Answer
ChatGPT is not POPIA compliant or non-compliant. That is like asking whether a telephone is POPIA compliant. The tool does not carry the obligation. You do.
POPIA regulates how you, the responsible party, collect, process, store, and share personal information. If you paste a customer's ID number, medical history, or financial details into ChatGPT, you have just transferred personal information to a third-party processor based in the United States. That is a cross-border transfer under Section 72 of POPIA, and you need to have the right safeguards in place before you hit Enter.
OpenAI offers a Data Processing Agreement and, on certain API endpoints, Zero Data Retention. But having those documents sitting in a folder does not make you compliant. Your implementation does.
What Actually Violates POPIA When You Use ChatGPT
Let me be specific. Here is what goes wrong:
Pasting personal information directly into the chat. If your staff copies a customer complaint with the person's name, phone number, and account details into ChatGPT to draft a response, that personal information has left your environment. Unless you have a DPA, contractual safeguards for cross-border transfer, and ideally Zero Data Retention on that endpoint, you have a problem.
No consent or legitimate basis. POPIA requires a lawful basis for processing. If your customer gave you their details to receive a quote, they did not consent to those details being sent to an AI model hosted overseas.
No way to honour data-subject rights. The 2025 amendments to POPIA reinforce that people can request access to, correction of, or deletion of their personal information. If that information has been fed into a model, how do you honour that request? You probably cannot.
Automated decisions with legal effect. Section 71 says a data subject must not be subject to a decision based solely on automated processing if it has a legal or significant effect. If ChatGPT is making decisions about credit, hiring, or claims without a human completing that decision, you are exposed.
What You Should Never Tell ChatGPT (or Any AI Model)
People search for this constantly, so here it is plainly:
- ID numbers, passport numbers, financial account details. Special personal information under POPIA.
- Medical or health information. Also special personal information.
- Children's information. Heavily protected.
- Proprietary business data you cannot afford to leak. Not a POPIA issue, but a commercial one.
- Anything you would not want read out in a regulator's office. That is the practical test.
And a note on confidentiality: ChatGPT on the free tier has historically used inputs for model training. The API with Zero Data Retention is different. But most staff are not using the API. They are using the browser. Know the difference.
Is AI Regulated in South Africa?
Not specifically. There is no AI Act equivalent to the EU's regulation. But POPIA applies to any processing of personal information, whether you use a spreadsheet, a chatbot, or a large language model. The Information Regulator has signalled that AI falls squarely within POPIA's scope. And the fines are real: up to R10 million, or imprisonment for serious offences.
So while there is no standalone AI regulation yet, do not mistake that for a free pass. POPIA is the framework, and the Regulator is active.
How We Build POPIA Compliance Into Automation
At Aivolution, we do not bolt compliance on afterwards. We build it into the system architecture. Here is what that looks like in practice:
Strip & Return de-identification. Before any text leaves for a third-party model (OpenAI, Claude, Cohere), personal identifiers are stripped and replaced with tokens. The model processes the request without ever knowing who the person is. After the response comes back, identifiers are re-hydrated locally. The model never sees a name, ID number, or phone number.
Operator agreements and DPAs (Sections 20-21). We set up proper data processing agreements with every provider in the chain.
Zero Data Retention on eligible API endpoints. The model processes and forgets.
Cross-border transfer safeguards (Section 72). We use contractual safeguards to cover the transfer of any residual data to US-hosted endpoints.
Opt-in consent with auto-honoured logged opt-outs (Section 69). When a customer opts out, the system enforces it automatically. No manual list management, no human error.
Data-subject rights via email, SMS, and WhatsApp. Following the 2025 amendments, people can exercise their rights through the channels they actually use. Our WhatsApp automations handle this natively.
Human completion of decisions with legal effect (Section 71). The system flags decisions that carry legal or material consequences, and a human completes them. This is not babysitting. The human confirms or approves a specific action, then the automation runs. That is real human-in-the-loop, not someone watching a screen all day.
Minimisation and retention limits. We only collect and keep what is needed, for as long as it is needed.
And here is the honest caveat I state every time: Aivolution implements the technical measures. We are not a law firm. The client's Information Officer and attorney sign off the legal posture. We build it right; they confirm it is right for their context.
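As an added illustration of the Strip & Return step described above (example code written for this post, not Aivolution's own pipeline, which is not published here): a minimal Python version that tokenises SA ID numbers, phone numbers and email addresses before the text leaves, and re-hydrates the model's reply locally. It covers structured identifiers only; catching names needs NER or a customer-record lookup, which is assumed out of scope. `fake_model` stands in for the remote API call, and the sample message is constructed.

```python
import re

# Constructed sample customer message (fake data, not a real person)
SAMPLE = ("Hi, I'm Thandi. My ID number is 8001015009087, call me on "
          "082 555 1234 or email thandi@example.co.za about my refund.")

def luhn_valid(digits: str) -> bool:  # SA ID numbers use Luhn for the 13th digit
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# (label, regex, validator). IDs run first so their digits are tokenised before the
# phone regex sees them; the validator cuts false positives on 13-digit reference numbers.
PATTERNS = [
    ("ID", re.compile(r"(?<!\d)\d{13}(?!\d)"),
     lambda d: 1 <= int(d[2:4]) <= 12 and 1 <= int(d[4:6]) <= 31 and luhn_valid(d)),
    ("PHONE", re.compile(r"(?<!\d)(?:\+27|0)\s?\d{2}\s?\d{3}\s?\d{4}(?!\d)"), None),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
]

def strip_pii(text: str):
    """Replace identifiers with opaque tokens; return (safe_text, token_map)."""
    mapping, counters = {}, {}
    for label, pattern, validator in PATTERNS:
        def repl(m):
            value = m.group(0)
            if validator and not validator(value):
                return value               # not really an ID: leave it alone
            counters[label] = counters.get(label, 0) + 1
            tok = f"<{label}_{counters[label]}>"
            mapping[tok] = value           # stays on-premises, never sent out
            return tok
        text = pattern.sub(repl, text)
    return text, mapping

def rehydrate(text: str, mapping: dict) -> str:  # swap tokens back, locally
    for tok, value in mapping.items():
        text = text.replace(tok, value)
    return text

def fake_model(prompt: str) -> str:  # stand-in for the remote call: sees only tokens
    phone = re.search(r"<PHONE_\d+>", prompt)
    return f"We have logged your refund and will call you on {phone.group(0) if phone else 'your number'}."

def draft_reply(message: str, model=fake_model) -> str:
    safe, mapping = strip_pii(message)     # only `safe` leaves the environment
    return rehydrate(model(safe), mapping)
```

The token map is the sensitive artefact here: it must live in your own storage, and deleting it is what makes a later erasure request honourable even though the model only ever saw tokens.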
A Quick Note on BAAs
I see South African businesses asking about Business Associate Agreements (BAAs). A BAA is a HIPAA construct from US healthcare law. It is not a POPIA requirement. What you need under POPIA are operator agreements (Sections 20-21) and proper contractual safeguards for cross-border transfers. Do not let someone sell you a "BAA" and tell you that covers POPIA. It does not.
What This Costs and Looks Like Practically
A compliant automation build with us starts from R75,000 (one-time, fixed scope), with ongoing maintenance at around R2,000 per month. Build time is typically 3-4 weeks. That includes the architecture, the Strip & Return pipeline, the consent management, the DPAs, all of it.
We work across Johannesburg, Pretoria, and the East Rand. Our stack includes n8n, Airtable, Supabase/Postgres, and whichever model fits the task (Claude, OpenAI, Cohere). We integrate with Sage, PayFast, Yoco, BulkSMS, and others. Customer-facing automation runs in English and Afrikaans.
You can see the full pricing breakdown here.
What We Will Not Do
We do not build fully autonomous systems that make decisions with legal or material effect without human oversight. We do not scrape contact lists. We do not use grey-route WhatsApp. And we do not replace whole teams. If someone is promising you a fully autonomous AI agent that handles everything, including compliance, they are either lying or do not understand what POPIA requires.
Agentic AI is not ready for SMEs. Not in a compliant, reliable way. What works is structured no-code workflows with proper guardrails and a human in the right place at the right time.
So What Should You Do?
If your team is pasting customer data into ChatGPT right now, stop and think about what you are actually sending. If you are building (or buying) AI-powered automation for customer support, sales, or operations, make sure POPIA compliance is designed in from day one, not patched on.
Businesses that resist AI lose to those that adopt it. But businesses that adopt it carelessly lose to the Information Regulator. The answer is not to avoid AI. It is to use it properly.
We run a free 45-minute audit where I look at your current setup, identify the gaps, and tell you exactly what needs to happen. No obligation, no sales pitch disguised as consulting. Book a call here and let us sort it out.
Timo van Deventer, Senior AI Automation Specialist and Founder, Aivolution
Want this applied to your business?
Reading is one thing. Mapping it to your specific workflows is another. Book a 45-minute audit and walk away with a custom PDF roadmap.