Industry Guide

DPDPA for CA Firms and Accounting Practices

CA firms handle some of the most sensitive personal data in routine business operations: PAN, Aadhaar, payroll records, bank details, tax files, and employee documents. DPDPA adds practical obligations around access control, vendor governance, retention, rights handling, and internal accountability. This guide helps CA firms move from professional confidentiality to operational privacy discipline.

If everyone in the office can open every client folder, that is not collaboration. It is exposure with good lighting.

Key Risk Areas

PAN and Aadhaar Documents

High Risk

Physical and digital copies of PAN, Aadhaar, and passport documents collected for tax filings and KYC create significant exposure if not handled with strict controls.

Action: Collect only what is necessary. Define retention limits. Store with access restrictions. Consider whether physical copies need to be retained or can be destroyed post-filing.

Client Payroll Data

High Risk

Processing payroll means handling salary details, bank account numbers, PF/ESI data, and personal employment information of multiple individuals per client.

Action: Implement role-based access so only payroll team members can access employee records. Define retention periods. Sign DPAs with payroll software vendors.

Cloud Storage and Shared Drives

High Risk

Google Drive, Dropbox, or Tally on cloud with broad team access creates unmanaged exposure of sensitive client personal data.

Action: Audit who has access to what. Implement folder-level access controls. Ensure cloud vendors have signed DPAs and hold appropriate certifications.

Third-Party Contractors

Medium Risk

Outsourced accounting staff, IT vendors, or back-office processors who access client data without formal agreements create liability.

Action: Sign Data Processing Agreements with all contractors accessing client personal data. Restrict access to minimum necessary data.

Retention of Client Files

Medium Risk

Keeping digital copies of client documents indefinitely without a defined deletion process creates both legal risk and security exposure.

Action: Define retention periods for each document category (ITR copies: 7 years; employee documents: 5 years from exit). Implement annual deletion reviews.
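The annual deletion review above needs a repeatable way to decide which files have passed their retention period. The script below is an added example (not part of this guide or any firm's tooling) that applies the two periods stated here, 7 years for ITR copies from the filing date and 5 years for employee documents from the exit date, to a constructed document inventory. The category names, the file paths, and the rule that a missing exit date means the employee is still active (so the clock has not started) are assumptions; unknown categories are surfaced for manual classification rather than silently kept or deleted.

```python
"""Annual retention review for a CA firm's document inventory.

Added example, not from the guide. Category keys, sample paths and the
handling of active employees are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention period in years per category; the two numbers come from the
# guide, the category keys are assumptions.
RETENTION_YEARS = {
    "itr_copy": 7,           # clock starts at the filing date
    "employee_document": 5,  # clock starts at the employee's exit date
}


@dataclass
class Document:
    path: str
    category: str
    client: str
    anchor_date: Optional[date]  # filing date or exit date; None = no clock yet


def retention_expiry(doc: Document) -> Optional[date]:
    """Earliest date the document may be deleted, or None if it must be kept."""
    years = RETENTION_YEARS.get(doc.category)
    if years is None or doc.anchor_date is None:
        # Unknown category, or an employee who has not exited: keep.
        return None
    target_year = doc.anchor_date.year + years
    try:
        return doc.anchor_date.replace(year=target_year)
    except ValueError:
        # Anchor is 29 Feb and the target year is not a leap year: use 28 Feb.
        return doc.anchor_date.replace(year=target_year, day=28)


def review(inventory: List[Document], today: date) -> Tuple[List[Document], List[Document], List[Document]]:
    """Split the inventory into (due_for_deletion, retain, needs_classification)."""
    due, retain, unclassified = [], [], []
    for doc in inventory:
        if doc.category not in RETENTION_YEARS:
            unclassified.append(doc)  # nobody has decided a period for this yet
            continue
        expiry = retention_expiry(doc)
        if expiry is not None and expiry <= today:
            due.append(doc)
        else:
            retain.append(doc)
    return due, retain, unclassified


# Constructed sample inventory (paths and dates are illustrative).
SAMPLE_INVENTORY = [
    Document("clients/acme/itr/AY2017-18.pdf", "itr_copy", "acme", date(2017, 7, 31)),
    Document("clients/acme/itr/AY2023-24.pdf", "itr_copy", "acme", date(2023, 7, 31)),
    Document("clients/acme/hr/emp042.pdf", "employee_document", "acme", date(2019, 3, 15)),
    Document("clients/acme/hr/emp107.pdf", "employee_document", "acme", None),
    Document("clients/acme/misc/scan001.pdf", "unknown", "acme", date(2015, 1, 1)),
]


if __name__ == "__main__":
    due, retain, unclassified = review(SAMPLE_INVENTORY, date(2026, 3, 1))
    for label, docs in (("DUE FOR DELETION", due), ("RETAIN", retain), ("CLASSIFY", unclassified)):
        print(label)
        for d in docs:
            print(f"  {d.path}  ({d.category}, expiry={retention_expiry(d)})")
```

The review only produces a list; the actual deletion should remain a separate, logged step approved by the designated data protection contact, so that a misclassified file is caught before it is removed.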

Compliance Checklist

List all categories of personal data your firm processes
Identify engagements where you are a Data Fiduciary vs Data Processor
Audit access controls on cloud storage and shared drives
Define retention periods for all document categories
Add data handling terms to client engagement letters
Sign DPAs with cloud tools, payroll software, and contractors
Implement role-based access for employee and client records
Create a staff training plan on data handling basics
Designate a data protection contact within the firm
Build a basic rights request process for clients and employees

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.