DPDP Rules, 2025 are now in effect. See where your business stands, in 3–5 minutes.Find out — free →
Industry Guide · CA Firms

Most CA firms don't have a tax knowledge problem. They have a client-document control problem.

Your firm may handle PAN, Aadhaar, ITR files, Form 16, bank statements, payroll sheets and audit records across WhatsApp, email, Google Drive and staff laptops. This 3-minute scan shows where DPDPA exposure may arise.

If everyone in the office can open every client folder, that is not collaboration. It is exposure with good lighting.

Start CA Firm Risk Scan 3 minutes · 10 questions · free · no login
PANAadhaarITR FilesBank StatementsPayrollGoogle DriveWhatsAppArticle-Staff AccessOld Client Files

Your CA practice risk map

The free scan scores your firm across these five areas. Here is what each one looks at.

Client document risk

PAN, Aadhaar, ITR, Form 16, AIS/TIS, bank statements, payroll sheets, family financial data.

First move: Collect only what's necessary, define retention, and restrict who can open these documents.

Document intake risk

Clients sending the same documents through WhatsApp, email, shared folders and scans.

First move: Standardise intake to one controlled channel so access, deletion and breach response are possible.

Storage & access risk

Google Drive, OneDrive, laptops and inboxes — open to article assistants, interns and ex-staff.

First move: Move to role-based, need-based access with periodic reviews. Remove former-staff access promptly.

Retention & deletion risk

Old ITR files, PAN copies, bank statements, audit papers and payroll kept indefinitely.

First move: Adopt a documented retention schedule with an annual deletion/archive review.

Vendor & incident readiness

Tax software, GST tools, payroll platforms, cloud providers and outsourced teams in the data chain.

First move: Keep a vendor list with written terms, and a breach-response process for email, cloud and WhatsApp.

How the 3-minute scan works

1

Answer 10 quick questions

About your documents, intake channels, storage, staff access, retention and vendors. ~3 minutes.

2

See your readiness score + risk map

A 0–100 DPDPA readiness score, your risk band, and five CA-specific risk buckets.

3

Get your priority fixes + checklist

The four controls to start with, plus the CA Firm DPDPA Starter Checklist.

Start CA Firm Risk Scan

CA firm compliance checklist

A preview of the CA Firm DPDPA Starter Checklist you get after the scan.

List all categories of personal data your firm processes
Identify engagements where you are a Data Fiduciary vs Data Processor
Audit access controls on cloud storage and shared drives
Define retention periods for all document categories
Add data handling terms to client engagement letters
Sign DPAs with cloud tools, payroll software, and contractors
Implement role-based access for employee and client records
Create a staff training plan on data handling basics
Designate a data protection contact within the firm
Build a basic rights request process for clients and employees

CA firm DPDPA questions

Does the DPDPA apply to CA firms and accounting practices?

Yes. CA firms process substantial personal data including PAN, Aadhaar, bank details, salary records, and tax documents. This makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Obligations apply to all firms regardless of size, including sole practitioners.

Can we store client PAN and Aadhaar copies on Google Drive or shared folders?

You can, but with controls. Cloud storage platforms like Google Drive are Data Processors under DPDPA. You must have a Data Processing Agreement in place, restrict folder access to only those who need it, and disclose this storage in your client engagement terms or privacy notice.

How long should CA firms retain client documents under DPDPA?

DPDPA requires deletion once purpose is served. For CA firms, practical retention periods are: ITR copies and supporting documents — 7 years; employee records — 5 years after employment end; KYC documents — as required by applicable law (Income Tax Act, PMLA). Define these periods formally and implement annual deletion reviews.

If we outsource bookkeeping or data entry, do we need a Data Processing Agreement?

Yes. Any contractor or outsourced vendor who accesses client personal data on your behalf becomes a Data Processor under DPDPA. You must sign a Data Processing Agreement that restricts their use of the data, requires them to follow your instructions, and mandates adequate security measures.

Can a client ask us to delete their personal data?

Yes. Under Section 13 of the DPDPA, individuals have a right to erasure of personal data that is no longer needed for the original purpose. However, if you are legally required to retain records (e.g., under the Income Tax Act), you can decline deletion for that specific data. You must inform the client of the legal basis for continued retention.

Take the free scan

10 questions · 3 minutes · free · no login. Get your CA firm's DPDPA readiness score.

Start CA Firm Risk Scan →

Free Guide

DPDPA compliance guide for Indian businesses.

Download the Guide →

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.