CA firms have traditionally relied on client relationships and professional confidentiality as their primary data governance framework. DPDPA creates a parallel statutory layer with enforceable obligations. Firms that process payroll for clients are acting as Data Processors. Firms that manage their own employee data are Data Fiduciaries. Both roles create compliance obligations that must be addressed proactively.
Firms must audit their client data flows and identify where personal data of individuals (not just companies) is processed. Shared drives, email attachments, and cloud accounting tools are all vectors for personal data that need governance. Staff must be trained on data handling. Retention and deletion schedules must be documented.
Under DPDPA, processing personal data for tax filings, audits, payroll, or advisory services requires a lawful basis. Where the client is a company, the firm processes personal data of third-party individuals (employees, directors, shareholders). This creates obligations around notice, purpose limitation, and retention. Aadhaar data is particularly sensitive — its use is already governed by the Aadhaar Act, and DPDPA adds further requirements. Bank account numbers, salary slips, and investment records are personal data that must be handled with access controls, encryption, and documented retention schedules.
- List all categories of personal data your firm processes (PAN, Aadhaar, bank, salary)
- Identify which engagements make you a Data Fiduciary vs Data Processor
- Audit access controls on your shared drives and email
- Define retention periods for client files (including digital scans)
- Add data handling terms to your client engagement letters
- Train staff on data minimisation and secure handling
- Create a documented process for responding to data access or deletion requests