LATEST NEWS

DPDP Act - Client Perspective

DPDP Act - Client Perspective
PART 2: From the Client Perspective (Company data stored in ex-employee’s personal mobile device) This is even more serious. 1. Nature of Risk When: official email is configured on personal devices data is not wiped post-exit organization does not track data location 👉 Client data is effectively: uncontrolled unprotected potentially exposed 2. Violations under DPDP Act The organization (as Data Fiduciary) is responsible for: (a) Data Security Safeguards Failure to: protect personal data control access ensure secure deletion 👉 Direct violation of data protection obligations (b) Data Breach Risk If client data remains: on ex-employee’s phone outside organizational control 👉 This may qualify as a data breach scenario, even if not yet exploited (c) Accountability Failure Under DPDP: 👉 Responsibility stays with the organization—not the employee 3. How Grievous Is This? (Severity Analysis) Legally Highly severe violation Direct exposure under DPDP Act Financial Exposure Penalties up to ₹250 crore Additional contractual liabilities Client Impact Loss of confidential information Legal claims for damages Termination of contracts 4. Ethical & Governance Breakdown This reflects: Weak BYOD (Bring Your Own Device) policy No data exit control mechanism Poor information lifecycle management 5. Real Risk Scenario (Important) If: ex-employee retains access or device is compromised 👉 Client data could be: leaked misused sold or exposed unintentionally