Jayant Saran, Partner, Forensic – Financial Advisory, Deloitte India, on the data protection bill from a fraud investigation perspective.
The recently drafted Personal Data Protection Bill, 2018 reflects India's growing concern for data privacy. The Bill covers diverse aspects of data protection, including the collection, processing, and analysis of personal data, and lays particular emphasis on protecting the personal and sensitive personal data of children. It also takes care to define the various stakeholders and participants: the data fiduciary (the entity that determines the purpose and means of processing personal data), the data processor (the entity that processes personal data on the fiduciary's behalf), and the data principal (the individual to whom the personal data relates). This is a welcome move, considering that several other developed economies already have stringent data protection laws. The Bill also proposes significant financial penalties for non-compliance, which will compel organizations to revisit how they treat personal data and take appropriate measures to remain compliant.
Specifically, in the context of corporate fraud investigations and the related scrutiny of transactions, the Bill preserves the rights of data principals even when they are the subject of fraud allegations and subsequent investigations. For example:
• Before the data fiduciary (the client) can forensically preserve the company-issued IT assets (laptops, desktops, mobile phones, etc.) of a data principal (the suspect, target, or custodian) in order to conduct the investigation, it will need the data principal's consent and must give prior intimation that the data is being collected, since these devices may contain personal information relating to the data principal.
• The data fiduciary will also have to disclose the reason for collecting the data, and the proposed retention period for the collected data, to a Competent Authority as defined by the Bill.
Further, data fiduciaries and data processors alike may be liable for damages if the terms of the Bill are violated, for example:
• in the event of a personal data breach;
• if the data processor acts outside the instructions of the data fiduciary;
• if either the data processor or the data fiduciary is negligent, or fails to put adequate safeguards in place, while analyzing the data.
Considering that most organizations today allow reasonable personal use of company-issued computers and other IT assets, a significant amount of personal data is likely to reside on these assets. This may pose a challenge when an organization seeks to collect and image such assets for an investigation, or for other proactive fraud detection measures. In line with these new guidelines, organizations may need to revisit both their internal IT policy and their fraud response policy, and ensure that the employee's approval is obtained before any personal data on these assets is accessed.