
WhatsApp document sharing: Client sends Aadhaar, PAN and bank statement, is this risky under DPDPA?

GST & IT Software 27 views 1 replies

Almost every CA firm receives client documents on WhatsApp.

PAN, Aadhaar, bank statements, Form 16, ITR files, GST details, TDS workings, salary slips, KYC documents, and financial statements are shared daily through personal chats, office groups, and staff numbers.

It is fast. It is convenient. Clients are comfortable with it.

But under DPDPA, this creates a practical problem.

Once a client sends documents on WhatsApp, those files may remain in:

- Personal phones
- WhatsApp chats and groups
- Download folders
- Gallery backups
- Staff devices
- Old phones
- Cloud backups
- Shared folders

My doubt is this:

If a client voluntarily sends Aadhaar, PAN, or bank statements on WhatsApp, is that enough protection for the CA firm?

Or does the firm still need to control what happens after receipt?

For example:

- Should WhatsApp be used only for temporary document intake?
- Should documents be moved to a controlled client folder?
- Should WhatsApp copies be deleted after use?
- Should staff and article assistants have limited access?
- Should client-data handling be mentioned in the engagement letter?
- Should the firm maintain a basic record of what data is collected and where it is stored?

This is where I see the real DPDPA risk.

A CA firm may have a privacy policy, but if client documents remain scattered across WhatsApp, phones, laptops, staff devices, and shared folders, the actual control gap remains.

So the question is not whether WhatsApp should be completely stopped.

That may not be practical for small and mid-sized CA firms.

The real question is:

How should CA firms use WhatsApp without creating unnecessary DPDPA risk?

A practical approach could be:

1. Use WhatsApp only for initial receipt
2. Move documents to a secure client folder
3. Avoid forwarding documents casually
4. Restrict staff and article assistant access
5. Delete unnecessary WhatsApp copies after use
6. Define retention and deletion rules
7. Train staff on client-data confidentiality

Would like to know from fellow professionals:

How are CA firms currently handling client documents received on WhatsApp?

Are firms continuing as usual, using Google Drive/client portals, deleting WhatsApp copies, adding engagement-letter clauses, or waiting for more clarity?

Would appreciate practical views from CAs, tax consultants, audit firms and compliance professionals.

Replies (1)

Under DPDPA, your firm remains the Data Fiduciary responsible for protecting client data from the moment it is received, regardless of how it was sent. Client-initiated use of WhatsApp does not exempt you from compliance; you must bridge the gap by establishing a clear workflow that moves data from insecure messaging channels into secure, audited storage, followed by the immediate deletion of copies on mobile devices.


CCI Pro
