AI tools are genuinely useful — but they introduce a risk that's easy to overlook in the excitement: whatever you type in has to go somewhere. For a Botswana business that now has clear duties under the Data Protection Act, casually pasting customer or financial information into a public AI tool isn't just risky, it can be a compliance breach. This article explains the risk plainly and gives you simple rules to use AI safely.
What actually happens to the data you type in
When you enter text into a public AI tool, that text is sent to the provider's servers — usually outside Botswana — and, depending on the tool and its settings, it may be stored and used to improve their models. In other words, the confidential paragraph you pasted in to "just summarise this" might be retained, and potentially seen, beyond your control.
For a quick brainstorm with no sensitive content, that's fine. The problem starts when the text contains things it shouldn't:
- Customer names, contacts, ID or passport numbers.
- Financial details — invoices, bank information, payroll.
- Confidential business information — contracts, pricing, strategy.
- Staff records and personal information.
Put any of that into the wrong tool and you've potentially disclosed it to a third party and lost control of it.
Where the Data Protection Act comes in
Botswana's Data Protection Act, 2018 expects you to keep personal information secure and use it responsibly (we cover it fully in our Data Protection Act guide). Feeding personal data into a public AI tool can run straight into that duty: you may be sharing people's information with a third party, in another country, for purposes they never agreed to, with no control over what happens to it next.
The key point: the obligation to protect personal data doesn't disappear because an AI is doing the work. If anything, AI makes it easier to leak data carelessly — one paste of a customer list and it's gone. Treat AI tools as you would any third party you're about to hand data to: with caution and clear rules.
Other risks worth knowing
Privacy isn't the only AI risk to a business:
- Confidently wrong output. AI can invent facts, figures and even fake sources that read as authoritative. Acting on unverified AI output — a wrong figure in a quote, a made-up "fact" in a proposal — can cost you money or credibility.
- Confidential leakage between staff. If your team uses personal AI accounts for work, sensitive business content ends up scattered across consumer tools nobody controls.
- Over-reliance. Letting AI make decisions it isn't fit to make — anything involving money, people or legal matters — is a risk in itself.
Simple rules to use AI safely
You don't need to ban AI; you need a few clear rules everyone follows:
- Never paste confidential or personal data into public AI tools. If you wouldn't email it to a stranger, don't type it into a free AI tool.
- Use business-grade or built-in AI for anything sensitive. The AI inside Microsoft 365 or Google Workspace, on a business plan, comes with far stronger privacy terms than a consumer tool. For sensitive work, prefer those — or don't use AI for that task.
- Check the settings. Many tools let you opt out of having your inputs used for training. Turn that off where you can, and prefer tools that offer it.
- Always verify output. Treat every AI answer as a draft to be checked, never as fact — especially numbers, names and anything customer-facing.
- Write it down. A one-page AI-use policy that your whole team understands — what's allowed, what's never allowed, which tools to use — prevents the great majority of incidents.
The bottom line
AI is a powerful assistant, and you don't have to avoid it to stay safe — you have to use it deliberately. Keep confidential and personal data out of public tools, lean on business-grade AI for anything sensitive, verify what it produces, and give your team simple rules to follow. Do that, and you get the productivity benefit without trading away your customers' trust or your compliance obligations.
If you'd like help drawing up a sensible AI-use policy, choosing tools with proper privacy protections, or making sure your data handling meets the Data Protection Act, that's squarely what our security and compliance and consultancy work covers.
Frequently asked questions
Is it safe to put customer data into an AI tool?
Not into a public consumer AI tool, no. Information you type into many free AI tools may be stored and used by the provider, potentially to train their models. Putting customers' personal details, financial data or confidential business information into such a tool can breach your duty under the Data Protection Act and expose the data. For anything sensitive, use AI built into your business software with proper privacy terms, or don't use AI at all.
What does the Data Protection Act have to do with AI?
If you feed personal data (names, contacts, ID numbers, financial details) into an AI tool, you are processing and possibly sharing that data — which falls under your obligations to keep it secure and use it responsibly. Using AI carelessly with personal data can turn a productivity tool into a compliance breach. The duty to protect the data doesn't disappear because an AI is involved.
How can my team use AI safely?
Set a simple rule: never paste confidential or personal data into public AI tools; use business-tier or built-in AI for anything sensitive; check and turn off data-for-training settings where available; and always verify AI output before relying on it. A short, written AI-use policy that everyone understands prevents most problems.