Your law firm does not just protect client confidentiality. It stores, shares and retains client data every day.
From client KYC, affidavits and contracts to evidence files, WhatsApp instructions, email attachments, court filings, junior access, external counsel, filing agents and closed-matter records, legal practices handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise in your client and matter-data workflows. It collects no client documents, only your answers about your processes.
Most law firms don't have a confidentiality problem — they have a matter-data control problem.
Your client & matter-data risk map
The free scan scores your firm across these five areas. Here is what each one looks at.
Client & matter-data risk
Client KYC and ID proofs, company documents, contracts and notices, affidavits, financial, employee and property records, court pleadings and correspondence.
First move: Map client and matter data and update engagement letters to explain data use, sharing, storage and retention.
Case-file & evidence sensitivity risk
Family, criminal, employment, medical, whistleblower, harassment and disciplinary matters, plus evidence files, screenshots, call records and videos.
First move: Mark sensitive matters and restrict access to the matter team — don't store them with regular files.
Document sharing & court-workflow risk
Client intake over WhatsApp, email and shared folders; sharing with external counsel, court clerks, notaries, translators, experts and legal-tech tools.
First move: Standardise intake and sharing channels, and share externally only with documented purpose and controlled access.
Staff, junior & vendor access risk
Juniors, interns, paralegals, clerks and support staff; files duplicated across email, laptops, cloud folders, WhatsApp and external drives; lingering ex-staff access.
First move: Move to matter-based, need-based access, consolidate storage, and remove ex-staff access promptly.
Retention & incident readiness risk
Closed matter files, evidence, ID proofs and drafts kept for years; no clear plan for a wrong-recipient email, an exposed cloud folder or a compromised account.
First move: Set a retention + deletion schedule and a simple incident-response process for wrong-recipient and breach events.
How the 3-minute scan works
Answer 10 quick questions
About your practice, the documents you hold, intake, storage, access, client notice, external sharing, sensitive matters and retention. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five law-firm-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the Law Firm DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real client and matter-data workflows. The scan collects no client documents.
Law firm DPDPA questions
Does the DPDPA apply to law firms and advocates?
Yes. Law firms, advocates and legal consultants process large volumes of client personal data (KYC and ID proofs, financial records, employee records, affidavits, evidence files and sensitive case details) and decide the purpose and means of that processing, which makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Professional confidentiality and privilege are important, but they are not the same as DPDPA compliance, which adds obligations around notice, access, retention and breach response.
Is client confidentiality the same as DPDPA readiness?
No. Confidentiality and legal privilege protect the substance of a client's matter. The DPDPA adds operational duties: telling clients how their personal data is used, stored, shared and retained; limiting who can access it; deleting it when no longer needed; and responding to incidents. A firm can be excellent at confidentiality and still have DPDPA gaps in intake, storage, junior access and retention.
Can we share client documents over WhatsApp and email with counsel or filing agents?
Legal work naturally requires sharing with external counsel, clerks, notaries, translators and court systems. The risk is not sharing itself; it is uncontrolled sharing without a defined purpose, access limitation, client awareness or document tracking. Prefer secure channels for sensitive records, document what is shared and with whom, and avoid sending evidence or sensitive files through informal WhatsApp where possible: copies sent to personal accounts land on personal devices and in personal backups that the firm cannot see, recall or delete.
How should sensitive matters (family, criminal, employment) be handled?
These matters contain highly sensitive personal data — allegations, medical facts, family details, employment records. They should be clearly marked and access-restricted to the matter team, not stored alongside regular files where any associate or intern can open them. Separate classification and restricted access is one of the highest-impact controls a firm can put in place.
How long can we keep closed matter files and evidence?
Law firms have legitimate reasons to retain files for limitation periods and professional obligations. The DPDPA risk is indefinite retention with no documented schedule, access review or archival rules. Define a retention period by matter and record type, archive securely, and have a process for client return, correction or deletion requests where retention is no longer required.
Take the free scan
10 questions · 3 minutes · free · no login. Get your firm's DPDPA readiness score.
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.