NexBDM

NexBDM Blog

The POPIA-Aligned Workplace AI Policy (Free Template for South African Businesses)

By NexBDM Team · 2026-07-11

South Africa has no standalone AI law yet, but POPIA already governs every workplace AI tool that touches personal information. This is a free, plain-English AI use policy template you can adapt for your business today, plus the rules it needs to satisfy.

A workplace AI policy is a short document that tells your team which AI tools they may use, what information they may put into them, and who is accountable. In South Africa there is no standalone AI Act yet, but POPIA already applies to any AI tool that processes personal information. So the policy below is built to satisfy POPIA first: collect only what you need, keep it secure, be transparent, and never feed client or staff personal data into public AI tools that may store it.

Do South African businesses legally need an AI policy?

There is no law that says "you must have an AI policy" by name. But POPIA, the Protection of Personal Information Act, has been fully enforceable since 1 July 2021, and it governs every piece of personal information your business handles, including anything an employee pastes into an AI tool. The Information Regulator, POPIA's enforcement body, is getting stricter: reported data breaches rose sharply through 2025, with more than 1,600 breaches logged between April and September 2025 alone, a jump of roughly 60 percent on the year before. A written AI policy is how you show your team the line and show the regulator you took reasonable steps. It is a control, not a formality.

What about South Africa's national AI policy?

South Africa has been working towards a national position. The Department of Communications and Digital Technologies published an AI policy framework in 2024, and a draft National AI Policy went out for public comment in 2026. None of this is binding law yet, and the detail is still moving. The practical takeaway for a business owner is simple: do not wait for a dedicated AI Act to act. POPIA is already in force, it already covers AI that touches personal data, and it is what the regulator can act on today.

The free workplace AI policy template

Copy the outline below, replace the bracketed parts with your business details, and adapt it to how your team actually works. Keep it short. A policy nobody reads protects nobody.

  1. Purpose. This policy sets out how staff at [Business Name] may use artificial intelligence tools at work, so we get the benefit of AI while protecting client and staff information and meeting our POPIA obligations.
  2. Who it applies to. All employees, contractors and anyone acting on behalf of [Business Name].
  3. Approved tools. Staff may use the following AI tools for work: [list your approved tools]. Any tool not on this list must be approved by [role or name] before use for work tasks.
  4. What you may never put into an AI tool. Do not enter client personal information, staff personal information, ID numbers, financial or banking details, passwords, or anything confidential into a public AI tool, unless that specific tool is on our approved list and configured not to retain or train on our data.
  5. Transparency. Where AI materially shapes a decision that affects a person, we disclose that AI was used, in line with POPIA's fairness and transparency principles.
  6. Human accountability. AI assists, it does not decide. A named person reviews and signs off on any AI-assisted output before it goes to a client, a regulator, or into a legal document. The human is responsible for the result.
  7. Accuracy. AI output can be confidently wrong. Staff must check facts, figures and legal or financial claims before relying on them.
  8. Security. Access approved AI tools only through your work account. Do not share logins. Report any suspected data exposure to [role or name] immediately.
  9. Training. Staff will be trained on this policy before using AI for work, and refreshed when the policy changes.
  10. Breaches of this policy. Misuse of AI, especially entering personal information into unapproved tools, is treated as a data-handling breach and may lead to disciplinary action.
  11. Review. This policy is reviewed every [six or twelve] months, or sooner if the law changes. Owner: [role or name]. Version: [1.0]. Date: [date].

The four POPIA rules your policy has to satisfy

If you strip POPIA down to what matters for AI at work, it comes to four things. Your policy should visibly meet all four.

POPIA principleWhat it means for AI at work
MinimalityOnly put into an AI tool the personal information the task genuinely needs. No dumping full client records into a chatbot.
Purpose limitationUse personal information only for the reason it was collected, not to feed a new AI experiment.
Security safeguardsApproved tools, work accounts, no public tools that retain your data. Reasonable steps to keep information safe.
Transparency and accountabilityPeople know AI was involved where it affects them, and a named human is responsible for the outcome.

Frequently Asked Questions

Is there an AI law in South Africa in 2026?
No standalone AI Act is in force yet. A draft National AI Policy has been circulated for comment, but it is not binding law. POPIA, which has applied since 1 July 2021, already governs any AI use that touches personal information and is what the regulator can enforce now.

Can my staff use ChatGPT at work?
They can, if your policy allows it and they never enter client or staff personal information, financial details or confidential data into it unless it is configured not to retain that data. Set the rule in writing so the line is clear.

Does POPIA apply to AI tools?
Yes. POPIA applies to the processing of personal information regardless of the tool. If an AI tool collects, stores or uses personal information, the same duties apply as if a person did it by hand.

What is the biggest AI risk for a small business?
Staff pasting personal or confidential information into public AI tools that store or train on it. It is the most common and most avoidable exposure, and a written policy plus short training closes most of the gap.

How long should a workplace AI policy be?
Short enough to be read and remembered, usually one to two pages. The template above is deliberately compact. A policy nobody reads offers no protection.

Turn the policy into a habit, not a PDF

A policy only works when your team understands it and your systems make the safe path the easy path. That is what The Briefing does: practical, plain-English AI training for South African teams, so staff know exactly what they may and may not do. Pair it with a Business Autopsy to see where AI safely fits your workflow, and read what ROI to expect in your first 90 days. Ready to talk it through? Book a discovery call.

Book a free strategy call →