POPIA — South Africa's Protection of Personal Information Act — is broadly aligned with GDPR but not identical. If you're processing personal information through an AI system, you have specific obligations. Here's the day-one conversation.
1. Lawfulness of processing
You need a legal basis to feed personal info into an LLM. Consent is the easiest, but "legitimate interest" works too if your AI use-case is necessary for the service the user signed up for.
2. Cross-border transfer
OpenAI, Anthropic and Google all process outside SA borders. Section 72 of POPIA permits this only under specific conditions — typically that the recipient is bound by similar legislation, or the data subject consented, or it's necessary for contract performance.
In practice: get explicit consent in your terms, document the basis, mention which provider and which region.
3. Right to erasure & data minimisation
A data subject under POPIA can ask you to delete their personal information. If their PI is buried in your RAG index, you need to be able to find and remove it. Build the deletion path before you build the indexer.
Don't put PI in long-running prompts unless you have to.
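One way to make "find and remove" cheap is to tag every chunk with the data subjects it contains at ingest time and keep a reverse index from subject to chunk ids, so an erasure request is a lookup rather than a corpus scan. The sketch below is an added example, not code from the original post; the subject ids, document text and the bag-of-words "embedding" are constructed stand-ins for a real embedding model and store.

```python
"""Erasure-aware RAG index (added example, not the author's code).

Every chunk is tagged at ingest time with the data subjects whose personal
information it contains, and a reverse index maps subject -> chunk ids, so an
erasure request is served by lookup rather than by scanning the corpus.
The embedding is a toy bag-of-words vector standing in for a real model.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import re


def _embed(text: str) -> dict:
    # Toy embedding: L2-normalised token counts. A real deployment would call
    # an embedding model here; the erasure logic does not depend on which.
    counts = defaultdict(int)
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        counts[tok] += 1
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {t: c / norm for t, c in counts.items()}


@dataclass
class Chunk:
    chunk_id: str
    text: str
    subject_ids: frozenset  # data subjects whose PI appears in this chunk
    vector: dict


class ErasableIndex:
    def __init__(self):
        self._chunks: dict = {}                    # chunk_id -> Chunk
        self._by_subject: dict = defaultdict(set)  # subject_id -> chunk ids
        self._next = 0

    def ingest(self, text: str, subject_ids=()) -> str:
        """Store a chunk; subject_ids is the (possibly empty) set of people it
        contains. Tagging happens here, at write time, not at deletion time."""
        chunk_id = f"c{self._next}"
        self._next += 1
        chunk = Chunk(chunk_id, text, frozenset(subject_ids), _embed(text))
        self._chunks[chunk_id] = chunk
        for sid in chunk.subject_ids:
            self._by_subject[sid].add(chunk_id)
        return chunk_id

    def erase_subject(self, subject_id: str) -> int:
        """Remove every chunk tagged with subject_id; returns how many went.
        A chunk shared with other subjects is removed as well: re-ingesting a
        redacted copy is safer than leaving the PI in place."""
        chunk_ids = self._by_subject.pop(subject_id, set())
        for cid in chunk_ids:
            chunk = self._chunks.pop(cid)
            for other in chunk.subject_ids - {subject_id}:
                self._by_subject[other].discard(cid)
        return len(chunk_ids)

    def mentions(self, subject_id: str) -> bool:
        """True if any stored chunk is still tagged with this subject."""
        return bool(self._by_subject.get(subject_id))

    def search(self, query: str, k: int = 3) -> list:
        """Top-k chunks by cosine similarity; erased chunks cannot surface
        because they no longer exist in the store."""
        q = _embed(query)
        scored = [
            (sum(q.get(t, 0.0) * w for t, w in c.vector.items()), c.text)
            for c in self._chunks.values()
        ]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [text for score, text in scored[:k] if score > 0]


def demo() -> dict:
    """Constructed sample data: two subjects, one shared chunk, one public doc."""
    idx = ErasableIndex()
    idx.ingest("Thandi Nkosi applied for a home loan in March", ["subj-001"])
    idx.ingest("Sipho Dlamini's claim was paid in full", ["subj-002"])
    idx.ingest("Thandi Nkosi and Sipho Dlamini share an address",
               ["subj-001", "subj-002"])
    idx.ingest("Loan product terms: 20-year fixed rate", [])
    removed = idx.erase_subject("subj-001")
    return {
        "removed": removed,
        "subj001_left": idx.mentions("subj-001"),
        "subj002_left": idx.mentions("subj-002"),
        "hits": idx.search("Thandi Nkosi loan"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the shared chunk (two subjects in one passage) is dropped when either subject asks for erasure; the other subject's data is then re-ingested from source in redacted form, which keeps the deletion path simple and conservative. Whatever real vector store you use, the same reverse index has to exist there too, otherwise you are back to scanning.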
4. AI-generated content & automated decisioning
Section 71 restricts decisions "based solely on automated processing". This catches credit scoring, hiring and insurance underwriting. If your AI does any of these, you need a human-in-the-loop and a clear appeal process.
We build approval gates and audit logs as standard for this reason.
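The shape of such a gate, as an added example rather than the author's own tooling: the model only ever produces a recommendation, the one function that releases an outcome refuses unless a named human has recorded a decision with a reason, an appeal reopens the case, and every step goes into a hash-chained audit log so edits after the fact are detectable. The gated categories are the three the post names; decision ids, subject ids and reviewer names are constructed.

```python
"""Human-in-the-loop gate for automated decisions (added example, not the
author's code). The model may recommend; nothing becomes a final outcome
without a recorded human action, and every step is written to an append-only,
hash-chained audit log. GATED lists the categories the post names."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


class GateError(Exception):
    """Raised when code tries to act on a decision without a human on record."""


@dataclass
class Decision:
    decision_id: str
    subject_id: str
    category: str                 # e.g. "credit", "hiring", "insurance"
    model_recommendation: str     # what the AI proposed
    model_rationale: str          # the model's stated reasons, kept for review
    status: str = "PENDING_REVIEW"
    final_outcome: Optional[str] = None
    reviewer: Optional[str] = None


class AuditLog:
    """Append-only log; each entry hashes the previous one, so an edited or
    removed entry breaks the chain and verify() returns False."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: str, **fields) -> None:
        body = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                "prev": self._prev, **fields}
        entry = {**body, "hash": self._digest(body)}
        self._prev = entry["hash"]
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class DecisionGate:
    GATED = {"credit", "hiring", "insurance"}   # categories that need a human

    def __init__(self, log: AuditLog):
        self.log = log
        self._decisions = {}

    def submit(self, d: Decision) -> None:
        """Record the model's recommendation. Ungated categories may be
        finalised automatically; gated ones stay PENDING_REVIEW."""
        self._decisions[d.decision_id] = d
        self.log.record("model_recommendation", decision_id=d.decision_id,
                        subject_id=d.subject_id, category=d.category,
                        recommendation=d.model_recommendation,
                        rationale=d.model_rationale)
        if d.category not in self.GATED:
            d.status, d.final_outcome, d.reviewer = "FINAL", d.model_recommendation, "auto"

    def review(self, decision_id: str, reviewer: str, outcome: str, reason: str) -> None:
        """The human step. A reason is mandatory so an override is explainable."""
        d = self._decisions[decision_id]
        if not reason.strip():
            raise GateError("reviewer must give a reason")
        d.status, d.final_outcome, d.reviewer = "FINAL", outcome, reviewer
        self.log.record("human_decision", decision_id=decision_id, reviewer=reviewer,
                        outcome=outcome, reason=reason,
                        overrode_model=(outcome != d.model_recommendation))

    def finalise(self, decision_id: str) -> str:
        """The only path to acting on a decision; refuses without a human on record."""
        d = self._decisions[decision_id]
        if d.status != "FINAL" or (d.category in self.GATED and d.reviewer in (None, "auto")):
            raise GateError(f"{decision_id}: no human decision on record")
        return d.final_outcome

    def appeal(self, decision_id: str, reason: str) -> None:
        """Data-subject appeal: reopen the case for a fresh human review."""
        d = self._decisions[decision_id]
        d.status, d.final_outcome, d.reviewer = "PENDING_REVIEW", None, None
        self.log.record("appeal", decision_id=decision_id, reason=reason)
```

Two properties matter in practice: downstream code calls only finalise(), so there is no way to act on the model's output without passing the gate, and the log records whether the human overrode the model, which is the number you will want when someone asks whether the "human in the loop" is a rubber stamp.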