DPDPA for CA Firms: Is a privacy policy enough, or do we need data mapping first?

812 views 2 replies

With the Digital Personal Data Protection Act, 2023, now becoming a serious compliance topic for Indian businesses, I wanted to initiate a practical discussion for CA firms, tax consultants, accounting firms, audit firms, and finance advisory practices.

Most CA firms handle large volumes of personal and financial data during normal professional work.

This may include:

  • PAN, Aadhaar, GST and TDS details
  • ITR documents and Form 16
  • Bank statements
  • Salary and payroll data
  • KYC documents
  • Client financial statements
  • Audit working papers
  • Employee and vendor records
  • Data shared with cloud software, interns, outsourced teams, and third-party service providers

Many firms may assume that DPDPA compliance starts with updating the website privacy policy or adding a clause in the engagement letter.

But I am not sure whether that is enough.

In my view, the first practical step may be data mapping.

A CA firm should probably know:

  1. What personal data it collects
  2. From whom it collects the data
  3. Why the data is collected
  4. Where the data is stored
  5. Who has access to it
  6. Which software tools or vendors process it
  7. How long the data is retained
  8. How correction or deletion requests will be handled
  9. What happens if there is a data breach
  10. Whether client consent and notices are properly documented

So my question to fellow professionals is this:

For a CA firm, is a privacy policy update enough for DPDPA readiness, or should the real starting point be data-flow mapping and internal control over client data?

Also, what are firms currently doing in practice?

  • Updating privacy policy only?
  • Adding DPDPA clauses in engagement letters?
  • Taking consent from clients?
  • Mapping client data flows?
  • Reviewing software/vendor access?
  • Defining retention and deletion rules?
  • Or waiting for more clarity before taking action?

I believe DPDPA compliance for CA firms is not only a legal documentation exercise. It is also a matter of client trust, data governance, professional risk management, and internal control.

Would appreciate views from members who are advising clients or preparing their own firms for DPDPA.

Looking forward to the views of fellow professionals.

Replies (2)
Quick Summary
For CA firms, DPDPA compliance requires more than a privacy policy. Data mapping, access controls, vendor reviews, retention policies, breach response procedures, and client data governance are essential to ensure compliance, reduce risk, and maintain client trust.

  • Privacy policy alone is not enough for DPDPA compliance.
  • Data-flow mapping and internal controls should ideally be the first practical step.
  • CA firms should understand what client data they hold, where it flows, who accesses it, and how long it is retained.
  • Mature compliance requires governance, vendor review, retention rules, and breach preparedness — not just legal wording updates.

Very relevant and practical insights for CA firms. The article rightly highlights that DPDPA compliance is not just about policies but also about managing client data securely through proper access controls, retention practices, and employee awareness.

Leave a Reply

Your are not logged in . Please login to post replies

Click here to Login / Register  

Company
ARTICLESHIP 08 July 2026
Article internship

AJAY SINGH AND CO LLP

Thane

CA Final

View Details
Company
13 July 2026
AVP / VP - PCG Advisory

Workforce Connect

Mumbai

MBA

View Details
Company
ARTICLESHIP 11 July 2026
Article

SNCO

Mumbai

CA Inter

View Details
Company
05 July 2026
Financial Controller

NovumLake Partners

Mumbai

CA

View Details
Company
ARTICLESHIP 20 June 2026
Articleship

RB KESHRI & CO

Mumbai

B.Com

View Details
Company
19 June 2026
Accounts Executive

Getfive Advisors Pvt. Ltd.

Ahmedabad

CA Inter

View Details
Company
ARTICLESHIP 24 June 2026
CA Article Trainee

Rahul Dang & Associates

Pune

CA Inter

View Details
Company
11 July 2026
CA semi qualified

Vakilsearch.com

Chennai

CA Inter

View Details