Big Four Rush to Fix Data Protection Gaps

This has been a result of India enacting a new law around digital data protection

India’s lawmakers recently signed off on a new digital data protection law that sought to bridge the gaps in data security practices across enterprises and government. Close on the heels of the Digital Personal Data Protection (DPDP) Act coming into force, the Big Four accounting firms had set up internal teams to assess its impact and take remedial action. 

It turns out that these teams worked overtime to identify vulnerabilities and compliance gaps in their internal taxation and audit service lines, and have recommended several changes to how customers' personal data is stored and accessed. Given that these companies – EY, PwC, Deloitte and KPMG – manage a global client base out of India, a quick shift is important.

There’s a Reason Why the Big Four Need to Get It Right

The large volumes of data that these companies, and others such as McKinsey and Accenture, store and use on behalf of their customers mean that they automatically come under the purview of the DPDP Act. Imagine holding the personal records of bank customers that auditors collect during sampling, where the data isn’t masked.

The same applies to the audit and compliance businesses of these giants, which have access to massive amounts of sensitive personal data, ranging from employee incomes to shareholdings, director cross-holdings and much more. Given that digital consulting and transformation has emerged as a major revenue earner, DPDP compliance becomes critical.

In fact, such is the rush to complete audit and compliance with the DPDP in their own backyards that each of the Big Four firms is racing against the others to get past the goalposts. Representatives to whom we spoke said the shift itself wasn’t too tough, as they were already aligned with the General Data Protection Regulation (GDPR), a prerequisite for global clients.

GDPR compliance offers some respite

Given this scenario, it wasn’t too tough to tweak processes and systems to comply with the DPDP, which is quite akin to the GDPR in nature and language. The one area these accounting firms still need to gear up for is the entire data breach and reporting angle, because these requirements aren’t part of the global compliance rules they already follow.

However, the irony is that there’s little these companies can do on the breach and reporting front, as the government has yet to respond to several clarifications that the companies raised after the DPDP Act became operational. Per the rules, clients need to disclose the recipient of the data, though there’s no clarity yet on how this is to be implemented.

Meanwhile, the companies have kickstarted activities to update policies and processes across all business lines and are using technology where possible to speed things up. One of our sources told us that their organization had actually started this work around the time the government shared the Draft Data Protection Bill some months ago.

The Three Roles the Big Four Play Make It Tough

Sources also told us that processes would require tweaking in the forensics business, as most of this work demands high levels of discretion and involves online investigations and research using data sets provided by the clients. Whether the data resides on the client’s servers or is transferred to those of the accounting firm, the DPDP Act applies in both instances.

Though the requirement itself sounds quite simple, getting it off the ground isn’t. For example, if there is a need to share personal data with third parties, the enterprise needs explicit sign-off in each case, with prior notice to the individuals that their data could be shared. Getting all of this into digitized records with a firewall around them is no mean task, says an official.

This is a result of the DPDP Act specifying that liability for data security lies primarily with the data fiduciary, or the one who’s processing the data. However, the responsibility for giving and obtaining consent for the use of such data is shared between the data principal (who owns the data) and the data processor, who uses it on the instructions of the data fiduciary.

Since the Big Four accounting firms and similar entities end up playing different roles under different circumstances, depending on their agreements with customers, there can be no shortcuts when it comes to identifying and plugging data gaps.

For, one mistake and you could almost wipe out half your annual profits! 