
Beyond the Books: How the DPDP Act is Reshaping the CA Profession



The Digital Personal Data Protection (DPDP) Act has introduced a new era of accountability and responsibility in handling personal data in India. For chartered accountants (CAs), tax professionals, auditors, and finance practitioners, the law brings significant implications because of the large volume of sensitive financial and personal information handled during professional engagements.

Let's discuss the practical impact of the DPDP Act on CA firms: their compliance obligations, how client data must be handled, and why structured internal systems for data protection matter.

Understanding the DPDP Act

The DPDP Act governs the processing of personal data in digital form. The law applies when personal data is collected, stored, shared, or processed digitally. However, non-personal data and hard copy documents that are not digitized are generally outside the scope of the Act.

The framework introduces several important concepts:

  • Data Principal: The individual to whom the personal data belongs.
  • Data Fiduciary: The person or organization determining the purpose and means of processing personal data.
  • Significant Data Fiduciary: Large entities handling substantial volumes of data and subject to enhanced compliance obligations.
  • Consent Manager: An entity that assists individuals in managing, reviewing, and withdrawing consent.

For CA firms, the role of a data fiduciary becomes highly relevant because firms routinely process sensitive client information including PAN, Aadhaar, financial statements, bank details, tax records and employee information.

Importance of Consent and Data Minimization

One of the key principles is "data minimization." Under the DPDP framework, organizations should collect only such data that is necessary for a legitimate professional purpose.

Before collecting or processing personal information, proper consent must be obtained from the data principal. The consent should clearly specify:

  • Purpose of data collection
  • Nature of data being collected
  • Retention period
  • Rights available to the client
  • Mechanism for withdrawal of consent

This emphasizes that consent should not be treated as a one-time formality. Since the Act has retrospective implications, existing engagement letters and consent mechanisms may also require updates.

Compliance Responsibilities for CA Firms

Several practical compliance requirements arise for CA firms and professionals.

1. Updating Engagement Letters

Engagement letters should now include:

  • Consent clauses
  • Data processing disclosures
  • Data retention policies
  • Client rights under DPDP
  • Authorization for sharing data with third-party software or staff where applicable

2. Data Retention and Deletion

Professionals should retain data only for the required purpose and duration. Once the retention purpose is completed, client data should be securely deleted.

The possibility of offering paid data retention services was also explored, provided:

  • Explicit client consent is obtained
  • Charges are clearly communicated
  • Appropriate safeguards are maintained

3. Handling of DSCs

A major compliance point is the handling of Digital Signature Certificates (DSCs). Professionals were advised not to retain client DSCs unnecessarily, as improper storage may expose firms to legal and security risks.

4. Data Breach Reporting

The DPDP framework imposes strict reporting obligations in case of data breaches. Any breach must be reported:

  • To the Data Protection Board
  • To affected data principals

The reporting timeline discussed was within 48 hours of becoming aware of the breach.

5. Security Measures and Access Controls

CA firms must implement reasonable security safeguards including:

  • Restricted employee access
  • Cloud storage safeguards
  • Password protection
  • Encryption practices
  • Employee confidentiality undertakings
  • Removal of access rights when employees leave the organization

Even cloud storage is permissible, provided adequate protections are implemented.

Role of Significant Data Fiduciaries

Entities classified as Significant Data Fiduciaries are required to appoint a Data Protection Officer (DPO). The threshold discussed included organizations with very large user bases, such as those having 2 crore or more registered users.

The DPO is responsible for overseeing compliance, grievance handling, and communication with regulatory authorities.

Client Rights Under the DPDP Act

The DPDP Act grants important rights to data principals, including:

  • Right to access information
  • Right to withdraw consent
  • Right to correction
  • Right to erasure of data
  • Right to grievance redressal

An important compliance requirement is that withdrawing consent should be as simple as giving it. Firms may therefore need to create online forms, portals, or other digital mechanisms to facilitate this process.

Data Sharing and Use of AI Tools

Sharing client information with AI tools and third-party platforms raises particular concerns.

Before sharing client information:

  • Proper agreements should exist with vendors and processors
  • Written consent should be obtained where necessary
  • Personal data should be anonymized or redacted before uploading to AI platforms or public systems

This is especially relevant for audit documentation, advisory work, and peer review processes where client information may be circulated internally or externally.
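As an added example (not from the article), here is a Python redaction step a firm could run over a working note before pasting it into an external AI tool: it replaces PAN and Aadhaar values, the identifiers named above, with stable pseudonyms and keeps the reverse mapping in-house. It assumes the standard PAN format and uses the Verhoeff check digit that Aadhaar numbers carry to skip other 12-digit numbers; the sample note and every identifier in it are constructed.

```python
import re

# Verhoeff tables (multiplication _D, permutation _P) behind the Aadhaar check
# digit. A 12-digit run that fails the check is treated as some other number
# (invoice, reference) and left untouched.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
      [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
      [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
      [9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
      [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
      [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]

def verhoeff_valid(digits: str) -> bool:
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

# PAN: 5 letters, 4 digits, 1 letter. Aadhaar: 12 digits, usually in 4-4-4 groups.
_PAN = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
_AADHAAR = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")

def redact(text: str) -> tuple[str, dict[str, str]]:
    """Return (redacted text, pseudonym -> original). The mapping stays in-house."""
    mapping: dict[str, str] = {}
    counters = {"PAN": 0, "AADHAAR": 0}

    def token(kind: str, value: str) -> str:
        for tok, orig in mapping.items():
            if orig == value:
                return tok          # same value always gets the same pseudonym
        counters[kind] += 1
        tok = f"[{kind}_{counters[kind]}]"
        mapping[tok] = value
        return tok

    def aadhaar_sub(m: re.Match) -> str:
        digits = "".join(m.groups())
        if not verhoeff_valid(digits):
            return m.group(0)       # wrong check digit: not an Aadhaar number
        return token("AADHAAR", digits)

    text = _PAN.sub(lambda m: token("PAN", m.group(0)), text)
    text = _AADHAAR.sub(aadhaar_sub, text)
    return text, mapping

# Constructed working note; the PAN, Aadhaar and reference number are made up.
SAMPLE = ("Client ABCDE1234F (Aadhaar 1234 5678 9010) paid TDS ref 4567 8901 2346 "
          "on behalf of ABCDE1234F.")
```

Only the redacted text goes to the external tool; the returned mapping lets the professional restore the identifiers in the tool's output locally.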

Penalties for Non-Compliance

The DPDP Act contains stringent penalty provisions. The Data Protection Board has the authority to impose substantial penalties for violations.

It is therefore advisable that CA firms proactively establish compliance systems rather than treating data protection as merely an IT issue.

Need for SOPs and Internal Frameworks

CA firms should develop Standard Operating Procedures (SOPs) covering:

  • Data collection
  • Consent management
  • Data sharing
  • Retention and deletion
  • Employee access controls
  • Data breach reporting
  • AI usage protocols
  • Client communication mechanisms

Training staff members and creating awareness within the organization are also critical compliance measures.

Conclusion

The DPDP Act represents a significant shift in the professional responsibilities of chartered accountants and finance professionals. Client data can no longer be handled informally or retained indefinitely without clear purpose and consent.

For CA firms, compliance will require a combination of legal understanding, technology safeguards, updated engagement practices, and internal governance systems. Firms that proactively adapt to these requirements will not only reduce legal risks but also strengthen client trust and professional credibility in the digital era.

Published by: Student