Most of us in our CA practices have invested in good cybersecurity: password policies, encrypted drives, maybe even a firewall in some cases. But here is the uncomfortable truth: none of that alone makes us compliant under the Digital Personal Data Protection Act, 2023. The DPDP Act is not just another regulation. It is a fundamental shift in how we must treat client data: not just secure it, but justify why we collected it, what we are doing with it, and whether the client actually consented to that use.
Three Key Terms Every CA Must Understand
The Act defines three roles in the data ecosystem:
1. Data Principal: The individual to whom the personal data belongs. In our context: our clients, their employees, or our own staff.
2. Data Fiduciary: The entity that determines the purpose and means of processing personal data. In most client engagements, this is our CA firm. When we collect a client’s PAN, Aadhaar, bank statements, or employee salary data for filing or audit purposes, we are the Data Fiduciary. This role carries the highest accountability.
3. Data Processor: The entity processing data on behalf of the Fiduciary. The cloud software we use, the PDF converter tool our sub staff uses, the accounting SaaS platform; these are all Data Processors acting under our instructions. If they suffer a breach, we are still responsible.
The critical point: our responsibility as a Data Fiduciary cannot be delegated or transferred.
Security ≠ Privacy — Understanding the Differences
Many practitioners confuse cybersecurity with data privacy. They are not the same.
- Security is about protecting data from unauthorised access (the classic CIA triad — Confidentiality, Integrity, Availability).
- Privacy is about how that data is collected, used, and stored — and whether the data subject gave proper consent for that specific use.
Example: You have a client’s bank statements securely stored on your encrypted server. But your sub staff uploads them to a free online PDF-to-Excel converter website to speed up data entry. The storage is secure, but the act of sharing with an unvetted third-party tool is a reportable data breach under DPDP.
The DPDP Act covers both, which it terms “Protection.” Good security is necessary but not sufficient.
Consent — The Old Way Is Dead
The “By visiting this site, you agree to our terms” approach (the clause hidden somewhere in a plethora of Terms & Conditions) is no longer legally valid. The Act requires consent that is:
1. Free and Specific: One clear, stated purpose. No bundling of multiple purposes in a single consent clause.
2. Informed and Unambiguous: The client must genuinely understand what they are agreeing to.
3. Clear Affirmative Action: The client must actively consent. Pre-ticked boxes are invalid.
4. Easily Withdrawable: Withdrawing consent must be as easy as giving it.
For CA firms, this means our engagement letter is now our primary consent document. It must clearly state:
- What personal data we are collecting (PAN, Aadhaar, bank statements, salary details, etc.)
- The specific purpose (e.g., “for preparation and filing of Income Tax Return for AY 202X-2Y”)
- How the client can withdraw consent or request data erasure
If your current engagement letters are generic boilerplate from 2018, they need revision before you onboard your next client.
Rights Your Clients Now Have (and our Obligations)
As a Data Fiduciary, we are obligated to facilitate the following rights of our clients (Data Principals):
- Right to Access Information: The client can request a summary of what personal data you hold and who you have shared it with.
- Right to Correction and Erasure: The client can ask you to correct inaccurate data or erase it, subject to statutory retention requirements (e.g., Income Tax Act retention periods).
- Right to Grievance Redressal: You must have a mechanism to address client complaints about data handling.
- Right to Withdraw Consent: At any time. You must honour this promptly.
- Right to Nominate: A uniquely Indian provision. The client can nominate another person to exercise these rights in case of death or incapacity.
We need a documented internal process to respond to each of these. Ignoring such a request is itself a breach of the Act.
Conclusion
We have always been trusted advisors. Clients hand us their most sensitive financial information, their income, their assets, their business details — without a second thought. That trust is the foundation of our profession.
The DPDP Act does not change that relationship. It formalises it. It says: if you are handling someone’s personal data, you must be accountable for it — not just to your client, but to the law.