
India’s Digital Personal Data Protection Act, 2023 (DPDP Act), along with the DPDP Rules notified in November 2025, establishes a comprehensive framework governing the collection, processing, storage, and use of digital personal data. The law applies to professionals such as Chartered Accountants, Company Secretaries, Cost Accountants, Advocates, and medical practitioners who determine how client data is handled, making them “Data Fiduciaries” responsible for compliance even when third-party software providers act as Data Processors. Key obligations include issuing privacy notices, obtaining valid consent where required, encrypting client information, implementing access controls, maintaining access logs for at least one year, publishing contact details for privacy-related queries, and erasing data when no longer necessary unless statutory retention obligations apply. In the event of a data breach, affected clients must be informed without delay and the Data Protection Board notified promptly, followed by a detailed report within 72 hours. Non-compliance may attract penalties of up to Rs. 250 crore.

WHAT IS THE DPDP ACT?

The Digital Personal Data Protection Act, 2023 is India’s legal framework governing the collection, processing, storage, and use of digital personal data. It applies to any personal data that is either collected digitally or collected on paper and subsequently digitised. The Act is administered by the Ministry of Electronics and Information Technology (MeitY) and enforced by a newly constituted Data Protection Board of India. In simple terms, if you handle client information on your computer, in the cloud, or in any digitised format, this law applies to you.

WHO IS COVERED?

Any person or entity that determines the purpose and means of processing personal data is classified as a “Data Fiduciary” under the Act. This directly covers Chartered Accountants, Company Secretaries, Cost and Management Accountants, Advocates, and medical practitioners since each of these professionals decides how client data is collected, structured, and used in the course of delivering their services. The fact that you use third-party software (Tally, practice management tools, email, or cloud storage) does not transfer the compliance obligation to that software vendor. That vendor becomes your “Data Processor” but you remain the Data Fiduciary solely responsible for compliance.

WHAT IS REQUIRED TO BE DONE?

The Act requires every Data Fiduciary to implement what it calls “reasonable security safeguards.” In practice, this means:

1. Encrypting client files and sensitive documents (tools like BitLocker, VeraCrypt, or AES-256 encrypted cloud platforms are adequate for most small practices).

2. Implementing access controls so that client data is accessible only to authorised persons.

3. Maintaining a log of data access for a minimum period of one year. For a solo or small practice, this access log need not be a sophisticated IT system; a maintained register or Excel sheet recording which client file was accessed, when, by whom, and for what purpose would satisfy the requirement.

4. Professionals must also provide clients a clear notice before or at the time of collecting their data, describing what data is being collected and for what specific purpose. Consent, where required, must be free, specific, informed, and capable of being withdrawn.

5. Every Data Fiduciary must publish a contact (their own name and details, in the case of a solo practitioner) on their website or digital presence to handle data-related queries from clients.

A formal Data Protection Officer (DPO) appointment is required only for entities designated as Significant Data Fiduciaries (organisations processing large volumes of sensitive data). A solo professional practitioner is not in that category. You may designate yourself as the privacy contact for your practice without any formal appointment requirement.

WHAT TO DO IN CASE OF A BREACH AND WHEN?

A personal data breach includes any unauthorised access to client files, a stolen or lost device containing client data, a hacked email account, ransomware, or even an accidental disclosure such as sending a client’s information to the wrong recipient. The moment you become aware of a breach, a two-track obligation is triggered simultaneously.

1. First, you must notify every affected client without delay, in plain and clear language, describing what happened, what data was involved, the likely consequences for them, what steps you are taking to contain the damage, and what they can do to protect themselves.

2. Second, you must intimate the Data Protection Board of India, initially without delay with a description of the breach, and then with a detailed report within 72 hours of becoming aware, covering the full facts, circumstances, measures taken, findings about who caused the breach, and remedial actions. (The Board operates as a digital office, and once its portal is fully operational, intimations are to be filed online. Until the portal is fully live, professionals should document all breach-related actions meticulously so they can demonstrate timely action.)

PENALTY FOR NON-COMPLIANCE

The penalties for non-compliance are significant: ₹250 crore for failure to implement security safeguards, and ₹200 crore for failure to notify the Board or affected clients of a breach. The ₹250 crore figure is the ceiling, not the starting point. The Board considers the gravity of the breach, sensitivity of data affected, mitigation efforts taken, and whether the lapse was a one-time occurrence before arriving at any penalty.

Data Protection Obligations for Professionals

1. Provide a Privacy Notice to Clients: Before collecting any personal data, inform clients about what information you collect, why it is being collected, and how it will be used.

2. Encrypt Client Data and Files: Ensure that all stored client data and sensitive documents are protected through encryption on an ongoing basis.

3. Implement Access Controls: Use appropriate security measures such as password protection and role-based access to limit access to client information only to authorized individuals.

4. Maintain Access Logs: Keep records of who accessed client data and when. These logs should be retained for a minimum period of one year.

5. Publish Contact Information: Make your contact details available on your website or other relevant platforms so that clients can reach you with data protection or privacy-related queries.

6. DPO Appointment: For solo practitioners and small practices, appointing a Data Protection Officer (DPO) is generally not required, but a solo practitioner or promoter can list their name and contact number as the data protection contact person on their website or online profile.

7. Notify Clients of Data Breaches: If a data breach occurs, inform all affected clients without delay using clear and easy-to-understand language.

8. Submit an Initial Breach Notification to the Board: Report the breach to the Data Protection Board as soon as possible, providing an initial description of the incident.

9. Submit a Detailed Breach Report: Within 72 hours of becoming aware of the breach, provide a detailed report to the Data Protection Board outlining the facts, impact, and remedial measures taken.

10. *Erase Data When No Longer Needed: Delete client data once the purpose for which it was collected has been fulfilled, unless retention is required by law.

*Note: Statutory retention requirements under tax, audit, and professional laws override the erasure obligation — data that must be retained by law need not be erased merely because the engagement has concluded.

The law is still evolving. The Data Protection Board was constituted only in November 2025, its portal is yet to be fully operationalised, and further procedural clarity is expected as the Board becomes functional and MeitY issues subsequent notifications.

Join Taxguru’s Network for Latest updates on Income Tax, GST, Company Law, Corporate Laws and other related subjects.