Impact of the Digital Personal Data Protection (DPDP) Act, 2023 on Chartered Accountants and Professional Firms
Introduction
Chartered Accountants routinely handle some of the most sensitive personal and financial information belonging to clients, employees, directors, shareholders, vendors and other stakeholders. The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a statutory framework governing the processing of digital personal data and has significant implications for CA firms and professional practices.
While the Act does not specifically regulate the accounting profession, many routine activities performed by Chartered Accountants involve collection, storage, processing, transmission and retention of personal data. Consequently, professional firms should evaluate their existing systems, processes and client engagement practices from a data protection perspective.
Why the DPDP Act Matters for Chartered Accountants
Typical Data Handled by CA Firms
| Category | Examples |
|---|---|
| Identity Data | PAN, Aadhaar, Passport, Driving Licence |
| Financial Data | Bank Statements, Financial Statements, Loan Documents |
| Tax Data | ITRs, AIS, Form 26AS, GST Returns |
| Employee Data | Salary Records, PF, ESIC, Payroll Information |
| Corporate Data | Directors' KYC, Shareholding Details |
| Litigation Records | Assessment Orders, Appeals, Notices |
In most engagements, CA firms process substantial volumes of personal data on behalf of clients.
Position of a Chartered Accountant Under DPDP Act
| Activity | Possible Position |
|---|---|
| Collecting client documents for tax filing | Data Fiduciary |
| Maintaining client records in office systems | Data Fiduciary |
| Processing client data through software | Data Fiduciary |
| Using cloud-based accounting platforms | Data Fiduciary engaging Data Processor |
| Outsourcing bookkeeping activities | Data Fiduciary with third-party processor |
The exact classification depends on facts and contractual arrangements.
Important Note: The DPDP Act does not specifically classify Chartered Accountants as Data Fiduciaries merely by virtue of professional status. Classification depends upon actual processing activities.
Risk Areas for CA Firms
Client Document Collection
Common documents collected include:
- PAN Card
- Aadhaar Card
- Bank Statements
- Income Tax Returns
- GST Records
- Financial Statements
Compliance Concern
Unnecessary collection or retention of documents may increase exposure under data protection principles.
Email and WhatsApp Communication
Many firms routinely exchange:
- PAN copies
- Income Tax Computations
- Financial Statements
- Audit Reports

through email and messaging applications.
Potential Risk
| Risk | Example |
|---|---|
| Wrong Recipient | Email sent to incorrect client |
| Data Leakage | Forwarded confidential documents |
| Device Theft | Unsecured mobile phone access |
| Unauthorized Access | Shared email credentials |
Cloud Storage
Most firms use:
- Google Drive
- Microsoft OneDrive
- Dropbox
- Practice Management Software
- Tax Filing Platforms
Practical Requirement
Firms should evaluate:
✓ Access controls
✓ Password policies
✓ Data backup systems
✓ Vendor security measures
✓ User permissions
Impact on Common CA Services
| Service | DPDP Consideration |
|---|---|
| Income Tax Return Filing | Personal data processing |
| GST Compliance | Personal and business data |
| Tax Litigation | Sensitive records and notices |
| Audit Services | Employee and financial information |
| Payroll Services | Extensive personal data |
| RERA Consultancy | Promoter and allottee records |
| Virtual CFO Services | Continuous access to business data |
Data Retention Challenges
One of the most practical questions for Chartered Accountants is:
How Long Should Client Records Be Retained?
Various laws prescribe retention requirements:
| Law | Indicative Retention Requirement |
|---|---|
| Income Tax Act | Assessment and litigation period |
| GST Law | Statutory record retention requirements |
| Companies Act | Prescribed corporate record periods |
| Professional Standards | Engagement documentation requirements |
Accordingly, deletion obligations under DPDP Act must be evaluated alongside other legal retention requirements.
Professional Judgment Required: Records required under statutory law should generally not be deleted merely because an engagement has concluded.
Employee Data Compliance
CA firms process personal information of:
- Staff Members
- Articles
- Consultants
- Interns

Typical data includes:
- Aadhaar
- PAN
- Bank Details
- Medical Information
- Salary Records
Appropriate internal policies and access controls should be maintained.
Data Breach Scenario Analysis
Example 1
Employee emails wrong ITR to another client.
Consequences
- Client confidentiality breach
- Reputational damage
- Potential DPDP implications
Example 2
Laptop containing tax records is stolen.
Consequences
- Exposure of personal data
- Internal investigation requirements
- Potential regulatory implications
Example 3
Cloud storage credentials compromised.
Consequences
- Unauthorized access
- Large-scale disclosure of client information
- Significant professional risk
DPDP Compliance Checklist for CA Firms
Governance
□ Data Protection Policy
□ Privacy Notice
□ Client Data Handling SOP
□ Employee Confidentiality Policy
Technology Controls
□ Multi-Factor Authentication
□ Strong Password Policy
□ Encrypted Storage
□ Regular Backups
□ Access Control Matrix
Operational Controls
□ Restricted Client Access
□ Document Classification System
□ Secure Disposal Procedure
□ Incident Response Process
□ Vendor Evaluation Framework
Practical Roadmap for Small and Mid-Sized CA Firms
| Priority | Action |
|---|---|
| High | Inventory personal data collected |
| High | Review cloud storage access |
| High | Implement confidentiality controls |
| Medium | Prepare privacy notice |
| Medium | Establish grievance mechanism |
| Medium | Review vendor arrangements |
| Ongoing | Conduct periodic compliance review |
Key Takeaways
What Chartered Accountants Should Do
✓ Know what personal data is being collected.
✓ Collect only data reasonably necessary for professional work.
✓ Secure client records appropriately.
✓ Restrict access on a need-to-know basis.
✓ Review retention practices.
✓ Evaluate third-party software and cloud providers.
✓ Develop an internal data protection framework.
Conclusion
The DPDP Act, 2023 represents an important development in India's data governance framework. Chartered Accountants and professional firms routinely process significant volumes of personal and financial information and should proactively strengthen privacy, confidentiality and information security practices. While professional confidentiality obligations have always existed, the DPDP framework places increased emphasis on responsible handling of personal data throughout its lifecycle.
Disclaimer
This article is intended for educational and informational purposes only. The DPDP Act, 2023, associated Rules, Notifications and future Government guidance should be independently reviewed before implementing compliance measures. The applicability of specific provisions depends upon the facts and circumstances of each case and this article should not be construed as legal advice.
Have Questions? We're Here to Help
Get expert advice from Thakkar Prakash and company. Reach out to discuss your requirements.