DPDPA Means Treading Lightly When Investigating Internally

Internal investigations are crucial to corporate governance, whether triggered by breaches of confidentiality, insider trading, misconduct or criminal activities such as fraud and corruption. These inquiries will also present new challenges when the Digital Personal Data Protection Act, 2023 (DPDPA), is in force. Such internal probes are usually personal data-intensive exercises, and businesses must be careful when navigating the attendant legal, operational, and reputational risks.

Internal investigations may require access to personal data, including sensitive information such as medical records, financial data, and CCTV footage. Under the DPDPA, personal data can primarily be processed on the grounds of consent. This means obtaining permission from the data principal, who will usually be the employee. However, consent as a legal basis for processing during investigations is often impractical because investigations may require confidentiality to be maintained at first. Employees may also withdraw consent at any time, which is likely to disrupt the inquiry.

These issues raise two critical considerations. First, consent-based processing may limit the effectiveness of internal investigations because employees being probed will have an opportunity to bring proceedings to a halt. Second, any consent obtained in the context of an investigation may be legally challenged as not freely given. It may be alleged that there was an inherent power imbalance between an employer and employee. This legal argument must be considered because it may have implications for the integrity of investigations.