PART 2: From the Client Perspective
(Company data stored in ex-employee’s personal mobile device)
This is even more serious.
1. Nature of Risk
When:
- official email is configured on personal devices,
- data is not wiped after the employee's exit, and
- the organization does not track where its data resides,
👉 client data is effectively:
- uncontrolled
- unprotected
- potentially exposed
2. Violations under the DPDP Act
The organization (as Data Fiduciary) is responsible for:
(a) Data Security Safeguards
Failure to:
- protect personal data
- control access
- ensure secure deletion
👉 Direct violation of data protection obligations
(b) Data Breach Risk
If client data remains:
- on the ex-employee's phone
- outside organizational control
👉 This may qualify as a data breach scenario, even if the data has not yet been exploited
(c) Accountability Failure
Under the DPDP Act:
👉 Responsibility stays with the organization—not the employee
3. How Grievous Is This? (Severity Analysis)
Legally
- Highly severe violation
- Direct exposure under the DPDP Act
Financial Exposure
- Penalties up to ₹250 crore
- Additional contractual liabilities
Client Impact
- Loss of confidential information
- Legal claims for damages
- Termination of contracts
4. Ethical & Governance Breakdown
This reflects:
- Weak BYOD (Bring Your Own Device) policy
- No data exit control mechanism
- Poor information lifecycle management
5. Real Risk Scenario (Important)
If:
- the ex-employee retains access, or
- the device is compromised,
👉 client data could be:
- leaked
- misused
- sold
- or exposed unintentionally