Most CA firms are sitting on years of old client data.
ITR files, PAN copies, Aadhaar copies, bank statements, Form 16, GST records, TDS workings, payroll files, KYC documents, audit papers and financial statements are often stored across Gmail, Google Drive, WhatsApp, desktops, laptops, pen drives, hard disks and physical files.
This has been normal practice for years.
The reason is understandable.
A CA firm may need old records for tax notices, reassessment, audit reference, client queries, professional defence, continuity of service and future assignments.
So the instinct is simple:
Keep everything. Delete nothing. We may need it someday.
But DPDPA creates a conflict.
If personal data was collected for a specific purpose, can it be kept forever after that purpose is over?
If a client has moved to another consultant, should all old PAN, Aadhaar, bank statements and WhatsApp attachments still remain with the previous CA firm?
If an article assistant or employee had access to old client folders and later leaves the firm, who is responsible for that data?
If old client documents are lying in personal phones, shared drives, email attachments and backup disks, is a privacy policy enough protection?
This is the real struggle for CA firms.
On one side, we have statutory, audit, and professional retention requirements.
On the other side, we have DPDPA expectations around purpose, consent, reasonable safeguards, data principal rights and responsible handling of personal data.
So the practical question is not whether CA firms should delete everything.
That would be unrealistic.
The question is what should be retained, for how long, where, by whom, and under what control.
The resolution may be a basic retention and deletion framework for CA firms.
At a minimum, every firm may need to define:
1. Which client documents must be retained due to tax, audit, or professional requirements
2. Which personal data is no longer required after the assignment is completed
3. How long PAN, Aadhaar, bank statements, salary slips, and KYC documents should be kept
4. Whether old WhatsApp and email copies should be deleted after moving documents to a controlled folder
5. Who in the firm can access old client records
6. What happens when staff, interns, or article assistants leave
7. How ex-client records should be reviewed
8. How physical files, hard disks, and backups should be destroyed or archived
9. Whether retention terms should be included in engagement letters
10. How client correction, deletion, or access requests should be handled
This is not only a legal compliance issue.
It is also an internal control, client trust, and professional risk management issue.
A CA firm may have a privacy policy, but if old client data is lying indefinitely across Gmail, WhatsApp, Google Drive, laptops, and physical files without retention logic, the real risk remains.
So I wanted to ask fellow professionals:
How are CA firms practically handling old client data under DPDPA?
Are firms:
- Keeping all records permanently?
- Defining retention periods?
- Cleaning old client folders?
- Reviewing ex-client data?
- Deleting WhatsApp copies after use?
- Restricting access to old records?
- Adding retention clauses in engagement letters?
- Waiting for more clarity?
Would appreciate practical views from CAs, tax consultants, audit firms and compliance professionals.
