
DPDPA Compliance for CA Firms: The 10 Client-Data Gaps We See Most Often

Forensic & Special Audits

Most CA firms do not have a tax knowledge problem.

They have a client-document control problem.

Think about what may be sitting in a CA firm’s Google Drive, WhatsApp chats, Gmail inboxes, staff laptops and old folders right now:

PAN cards, Aadhaar copies, ITR documents, Form 16, AIS/TIS downloads, bank statements, payroll sheets, KYC files, GST records, TDS workings and audit papers.

Many of these documents contain personal data. Some may contain personal data of the client, spouse, children, employees, directors, vendors or family members.

Under the Digital Personal Data Protection Act, 2023, this is no longer just an office convenience issue. It is a data-governance issue.

Depending on the nature of work, a CA firm may act as a Data Fiduciary for its own client onboarding and practice management, and in some assignments may also process data on behalf of a client. Either way, client-data handling now requires more discipline than “keep everything in Drive and WhatsApp”.

The DPDP Rules, 2025 have also moved the regime from theory to implementation, with phased enforcement. For CA firms, the practical question is simple:

Are client documents being collected, stored, accessed, retained and deleted in a controlled manner?

Here are ten gaps we commonly see in CA firms and the first practical step to close each one.

1. Client documents arrive through every possible channel

Clients send the same PAN copy by WhatsApp, email, shared folder link and physical scan.

This looks harmless. But once data is scattered across four channels, the firm cannot easily control access, honour a deletion request, or even know what it holds.

First step: Standardise document intake. Use one preferred channel for client documents and communicate it clearly to clients.

2. WhatsApp becomes permanent document storage

WhatsApp is fast and convenient. That is why clients use it.

But WhatsApp is often not managed like a controlled document repository. Documents remain in personal phones, staff devices, WhatsApp groups, downloads, gallery backups and old chats.

First step: Use WhatsApp only for initial receipt where unavoidable. Move documents to a controlled client folder and delete unnecessary WhatsApp copies after use.

3. Google Drive folders are open to too many people

Cloud storage is not the problem.

Uncontrolled access is the problem.

Many firms have client folders accessible to partners, staff, article assistants, interns, ex-staff or shared email IDs. This creates unnecessary exposure.

First step: Review folder permissions. Remove access for people who do not need it, especially ex-staff, former article assistants and temporary users.

4. No defined retention period

Many firms follow one rule:

Keep everything forever.

That may feel safe from a tax or audit perspective, but under DPDPA, indefinite retention without purpose can become a risk.

At the same time, deleting everything immediately is also not practical because tax, audit, contractual and professional requirements may require retention.

First step: Create a simple retention schedule. Separate records that must be retained for legal/professional reasons from personal data that is no longer required.

5. Old client files are never reviewed

A client may have moved to another consultant five years ago, but their PAN, Aadhaar, bank statements and ITR records may still be sitting in the old CA firm’s inbox, Drive, hard disk or physical file room.

This is common. It is also risky.

First step: Conduct an annual old-client data review. Decide what must be retained, what can be archived, and what should be deleted or securely destroyed.

6. Outsourced bookkeeping without written data terms

Many CA firms use contractors, freelancers, payroll processors, accounting support vendors or outsourced bookkeeping teams.

If they can access client personal data, there should be written terms governing how that data is used, protected, returned and deleted.

A verbal understanding with a trusted vendor is not enough for a mature compliance posture.

First step: List every external party that can access client data and add basic data-protection clauses to vendor arrangements.

7. Article assistants and interns get broad access

Article assistants and interns are essential to CA practice.

But unrestricted access to all client files is not necessary.

A person working on one assignment does not need access to every client’s ITR folders, payroll files, bank statements and audit documents.

First step: Apply need-to-know access. Give staff and article assistants access only to the client files required for their work.

8. Exit controls are weak

Staff leave. Article assistants complete training. Contractors move on.

But their Drive access, email forwarding, shared folder permissions and WhatsApp group memberships often continue.

Every dormant access point is a silent data risk.

First step: Add client-data access revocation to the exit checklist. Remove email, Drive, software and WhatsApp group access on the same day.

9. Family and employee data is treated as one client file

A CA firm may work for one individual client, but the file may include personal data of spouse, children, parents, employees, directors, vendors or household staff.

These people may never have signed the engagement letter.

Still, their personal data may be present in the firm’s records.

First step: Recognise this in the privacy notice and engagement process. Do not assume that one client file contains only one person’s data.

10. No basic data inventory

The biggest gap is often the simplest:

The firm does not know what personal data it holds, where it is stored, who has access, and how long it is retained.

Without this, the privacy notice, consent language, deletion process and access controls all remain weak.

First step: Start with a simple data inventory. One spreadsheet is enough.

Capture:

  1. Type of personal data collected
  2. Purpose of collection
  3. Source of data
  4. Storage location
  5. Who has access
  6. Software or vendor involved
  7. Retention period
  8. Deletion or archive process
  9. Responsible person
  10. Risk level

Start with the five largest clients. Then expand gradually.

Why this matters now

DPDPA compliance for CA firms is not only about publishing a privacy policy.

A privacy policy does not protect client data lying across WhatsApp, Gmail, Google Drive, staff laptops, pen drives and old physical files.

The real requirement is operational discipline:

  • Controlled document intake
  • Need-to-know access
  • Clear retention rules
  • Vendor and outsourcing controls
  • Staff exit controls
  • Privacy notice and engagement language
  • Data inventory
  • Breach readiness

The Act also provides for significant penalties, including penalties up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach.

For CA firms, the practical risk may not start with a regulator.

It may start with a lost laptop, an ex-staff member, a client complaint, a WhatsApp forward, a compromised email account, or a disputed deletion request.

The bottom line

DPDPA compliance for CA firms is not a legal research project.

It is a client-document control project.

The firms that start early do not need to build a complex privacy department. They need to answer basic questions:

What data do we collect?

Where do we store it?

Who can access it?

How long do we keep it?

Who do we share it with?

How do we delete or archive it?

What do we do if something goes wrong?

That is the foundation.

For firms that want to self-check their current gaps, SaralPrivacy has created a free DPDPA readiness assessment for Indian businesses: https://saralprivacy.com/industries/ca-firms


Replies (1)

CA firms need to transition from "keeping everything in Drive and WhatsApp" to a controlled data management framework. By addressing the ten gaps—ranging from standardized intake and access revocation to maintaining a clear data inventory—firms can establish the operational discipline required by the DPDPA, 2023, and mitigate significant financial and reputational risks.
