With the Digital Personal Data Protection Act, 2023, now becoming a serious compliance topic for Indian businesses, I wanted to initiate a practical discussion for CA firms, tax consultants, accounting firms, audit firms, and finance advisory practices.
Most CA firms handle large volumes of personal and financial data during normal professional work.
This may include:
- PAN, Aadhaar, GST and TDS details
- ITR documents and Form 16
- Bank statements
- Salary and payroll data
- KYC documents
- Client financial statements
- Audit working papers
- Employee and vendor records
- Data shared with cloud software, interns, outsourced teams, and third-party service providers
Many firms may assume that DPDPA compliance starts with updating the website privacy policy or adding a clause in the engagement letter.
But I am not sure whether that is enough.
In my view, the first practical step may be data mapping.
A CA firm should probably know:
- What personal data it collects
- From whom it collects the data
- Why the data is collected
- Where the data is stored
- Who has access to it
- Which software tools or vendors process it
- How long the data is retained
- How correction or deletion requests will be handled
- What happens if there is a data breach
- Whether client consent and notices are properly documented
So my question to fellow professionals is this:
For a CA firm, is a privacy policy update enough for DPDPA readiness, or should the real starting point be data-flow mapping and internal control over client data?
Also, what are firms currently doing in practice?
- Updating privacy policy only?
- Adding DPDPA clauses in engagement letters?
- Taking consent from clients?
- Mapping client data flows?
- Reviewing software/vendor access?
- Defining retention and deletion rules?
- Or waiting for more clarity before taking action?
I believe DPDPA compliance for CA firms is not only a legal documentation exercise. It is also a matter of client trust, data governance, professional risk management, and internal control.
Would appreciate views from members who are advising clients or preparing their own firms for DPDPA.
Looking forward to the views of fellow professionals.
CAclubindia
