Digital Personal Data Protection (DPDP) Act, 2023 – Understanding the Law in Simple Language & Role of Tax Advocates

Introduction

Today, almost every part of our life has become digital. Whether we are filing Income Tax returns, using UPI payments, booking tickets, shopping online, using social media, opening bank accounts, or applying for GST registration — our personal information is constantly being shared online.

Details like:

  • Mobile numbers
  • Aadhaar details
  • PAN information
  • Bank account details
  • Financial records
  • Location data
  • Browsing activity

are regularly collected and stored by companies, apps, banks, government portals, and online platforms.

With increasing digital use, the risk of misuse of personal information, data theft, cyber fraud, and privacy breaches has also increased significantly.

To protect citizens’ digital privacy, the Government of India introduced the Digital Personal Data Protection Act, 2023 (DPDP Act).

This law creates a legal framework for how personal data should be collected, stored, used, shared, and protected in India.

The main purpose of this law is to balance two important things:

1. Protection of people’s privacy; and

2. Proper use of data for business, governance, technology, and economic growth.

What is Personal Data?

Personal data means any information through which a person can be identified.

Examples include:

  • Name
  • Mobile number
  • Aadhaar number
  • PAN card details
  • Email ID
  • Address
  • Bank details
  • GST information
  • IP address
  • Biometric data

If any information can identify a person directly or indirectly, it is considered personal data.

Important Terms Under the DPDP Act

1. Data Principal

The person whose data is being collected is called the “Data Principal.”

In simple words, if your information is collected by a company, app, bank, school, hospital, or government department — you are the Data Principal.

2. Data Fiduciary

The person, company, institution, or organization that collects and decides how your data will be used is called a “Data Fiduciary.”

Examples:

  • Banks
  • E-commerce companies
  • Hospitals
  • GST portals
  • Educational institutions
  • Social media platforms

3. Data Processor

A Data Processor is a person or company that processes data on behalf of another company.

For example:

  • Cloud storage companies
  • Payroll service providers
  • IT support companies

Where Does the DPDP Act Apply?

The Act applies to:

1. Digital Data in India

The law applies when personal data is:

  • Collected online; or
  • Collected offline and later converted into digital form.

For example:

  • Scanned KYC documents
  • Digitized client files
  • Online tax records
  • GST databases

2. Foreign Companies Also Covered

Even foreign companies can come under this law if they offer services or goods to people in India and process their personal data.

This means many international apps and websites are also covered.

Rights Given to Individuals Under the DPDP Act

The Act gives several important rights to citizens.

1. Right to Know and Give Consent

Before collecting personal data, companies must clearly inform people:

  • What data is being collected
  • Why it is being collected
  • How it will be used

Consent must be clear, informed, and voluntary.

People also have the right to withdraw consent later.

2. Right to Access Information

A person can ask a company:

  • What personal data they hold
  • Why they are using it
  • With whom it has been shared

3. Right to Correct or Delete Data

If personal information is wrong or outdated, individuals can ask for correction.

People can also request deletion of their data when it is no longer required.

4. Right to File a Complaint

Every company must have a grievance system.

If a complaint is not resolved properly, a person can approach the Data Protection Board of India (DPBI).

5. Right to Nominate Another Person

A person can nominate someone who may exercise their rights in case of death or incapacity.

Situations Where Consent May Not Be Required

In certain situations, data can be used without taking explicit consent.

Examples include:

  • Legal compliance
  • Medical emergencies
  • Court matters
  • Employment purposes
  • Government subsidy schemes
  • Prevention of fraud
  • Disaster management

Exemptions Under the Act

Some activities are exempted from the law.

1. Personal Use

Personal activities like maintaining family photos or contact lists are generally outside the scope of the Act.

2. Legal and Court Proceedings

Use of personal data for:

  • Court cases
  • Legal claims
  • Litigation
  • Regulatory proceedings

is generally exempted from some compliance requirements.

This is very important for advocates and legal professionals.

3. Government and Security Purposes

The Government may exempt certain agencies for matters related to:

  • National security
  • Public order
  • Investigation of offences
  • Sovereignty of India

Special Protection for Children

Under the DPDP Act, a child means a person below 18 years of age.

The law puts stricter rules on handling children’s data.

Companies cannot:

  • Track children for behavioural advertising
  • Show targeted ads to children
  • Monitor children unfairly

Parental consent is generally required before processing children’s data.

Data Protection Board of India (DPBI)

The Act establishes the Data Protection Board of India.

Its role includes:

  • Handling complaints
  • Investigating data breaches
  • Ensuring compliance
  • Imposing penalties

Penalties Under the DPDP Act

The law provides very heavy penalties for violations.

Violation and maximum penalty:

  • Failure to protect data properly: ₹250 Crore
  • Failure to report data breach: ₹200 Crore
  • Violations involving children’s data: ₹200 Crore
  • Non-compliance by significant entities: ₹150 Crore

Even individuals can face penalties up to ₹10,000 for false complaints or impersonation.

Role of Tax Advocates Under the DPDP Act

The DPDP Act is extremely important for tax advocates, chartered accountants, GST practitioners, and legal professionals because they regularly handle sensitive client information.

Tax professionals deal with:

  • PAN and Aadhaar details
  • Income Tax records
  • GST information
  • Bank statements
  • Financial data
  • Business documents
  • Digital signatures
  • Employee salary details

Therefore, tax advocates must now become more careful about data handling and cybersecurity.

Responsibilities of Tax Advocates

1. Protect Client Confidentiality

Client information must be kept secure and confidential.

2. Use Secure Systems

Tax professionals should use:

  • Password-protected systems
  • Encrypted storage
  • Secure emails
  • Licensed software

3. Handle Data Carefully

Sensitive client documents should not be casually shared on unsecured platforms.

4. Train Office Staff

Employees and interns should be trained regarding:

  • Cyber frauds
  • Phishing attacks
  • Data leaks
  • Confidentiality obligations

Do’s for Tax Advocates

√ Maintain confidentiality of client records

√ Use secure digital platforms

√ Keep proper authorization from clients

√ Collect only necessary information

√ Use antivirus and cybersecurity tools

√ Maintain secure backups of data

√ Regularly update passwords and software

Don’ts for Tax Advocates

× Do not share client data casually on WhatsApp or public drives

× Do not store unnecessary old records forever

× Do not use unknown AI tools for confidential documents

× Do not ignore data breaches or hacking incidents

× Do not allow unauthorized persons access to client files

Why This Law Matters

The DPDP Act is not only a technology law — it is now becoming an important part of professional ethics and compliance.

In coming years, every professional handling client data will need to focus on:

  • Privacy protection
  • Cybersecurity
  • Safe digital practices
  • Responsible data management

For advocates and tax professionals, protecting client data will become as important as protecting client interests in litigation.

Conclusion

The Digital Personal Data Protection Act, 2023 is a major step toward protecting digital privacy in India.

As India moves toward a fully digital economy, every individual, business, and professional must understand the importance of data protection.

For tax advocates and legal professionals, this law creates both responsibility and opportunity.

Professionals who adopt safe digital practices, strong confidentiality systems, and proper cybersecurity measures will gain greater trust and credibility in the future.

Author

Ashish Kamthania
LL.M. | PMP (USA)
Tax Advocate | IPR Attorney | Notary Public

Specializing in GST, Income Tax, Corporate Law, IPR, Cyber Law & Litigation Practice.

Author Bio

Ashish Kamthania (Saxena), Managing Director: TAX & LEGAL PROFESSIONAL PRIVATE LIMITED, RAMPUR UP INDIA

Currently (at present):

  • Secretary: TAX BAR ASSOCIATION, RAMPUR UP 244901 INDIA
  • Treasurer: RAMPUR TAX BAR ASSOCIATION, RAMPUR UP 244901 INDIA
  • STATE EXECUTIVE MEMBER: THE UP TAX BAR
