Sector Guide 9 min read · 1 July 2026

DPDP for Chartered Accountants: A Compliance Guide for CA Firms

Chartered Accountants hold some of the most sensitive client data in India — PAN, financials, payroll. Here is how the DPDP Act 2023 applies to a CA firm, what your obligations are, and how to advise clients.


Sedhu

Founder, EasyDP · Published 1 July 2026


Chartered Accountants sit on a mountain of sensitive personal data — client PANs, bank statements, financials, payroll, employee records. Under India's DPDP Act 2023, a CA firm is a Data Fiduciary, with the full weight of the law's obligations. This guide covers how the Act applies to your practice, what you must do, and how to advise your clients.

In plain English

  • Your CA firm = a "Data Fiduciary" for the client data you hold
  • Your client / their employees = "Data Principals"
  • Your cloud accounting / DMS vendors = "Data Processors" acting for you
  • Your core obligations = Sections 4–10 of the DPDP Act

Quick Answer: How Does DPDP Apply to a CA Firm?

A CA firm collecting client PAN, financials and payroll decides the purpose and means of processing, so it is a Data Fiduciary under Section 2(i) and must meet the Act's obligations — lawful basis, notice, security, breach reporting and deletion. Its software vendors are Data Processors, but responsibility stays with the firm. Larger practices may be designated Significant Data Fiduciaries (Section 10).

Why Your Firm Is a Data Fiduciary

You decide what client data to collect, why, how long to keep it, and who to share it with. That makes your firm a Data Fiduciary under Section 2(i), and the primary obligations of the Act fall on you. It doesn't matter whether you're a sole practitioner or a multi-partner firm.

Fiduciary vs Processor: Where Your Vendors Sit

When you use cloud accounting software, a document-management system, or a payroll tool, those vendors typically act as Data Processors on your behalf. You remain the Data Fiduciary and stay legally responsible — so you need data-processing terms with each vendor and should confirm they apply reasonable safeguards. Large firms holding substantial financial data could be notified as Significant Data Fiduciaries (Section 10), triggering extra duties: an India-based Data Protection Officer, an independent data auditor, and periodic impact assessments.

Your Core Obligations as a CA Firm

  • Notice & consent (Sections 5, 6): give clients a clear, itemised notice and obtain valid consent for processing that isn't covered by a legitimate use. See our consent notice template.
  • Security (Section 8(5), Rule 6): encrypt or mask stored client data, control access firm-wide, keep access logs, and contract your processors to do the same.
  • Breach reporting (Section 8(6)): have a plan to intimate the Board and affected clients — see the 72-hour breach rule.
  • Erasure (Section 8(7)): delete personal data once its purpose ends — but only after statutory retention periods (below) have passed.
  • Client rights (Sections 11–14): be ready to handle access, correction and erasure requests — including from your clients' employees whose payroll you process.

Retention: DPDP vs Your Statutory Duties

DPDP says delete data when the purpose ends — but other laws require you to keep records:

| Record | Minimum retention | Source |
| --- | --- | --- |
| Books of account | At least 8 financial years | Section 128(5), Companies Act 2013 |
| Income-tax records | Around 6 years (verify per case) | Income-tax record-keeping rules |
| Personal data with no legal-retention need | Delete when purpose ends | Section 8(7), DPDP Act |

The practical rule: keep what a statute requires you to keep, and delete the rest once the engagement is over.
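The rule above can be turned into a retention schedule that a firm's document-management tooling applies mechanically: a record becomes eligible for erasure only once both the engagement has ended and any statutory hold has expired. The following is an added example, not code from this guide or from EasyDP; the retention years are taken from the table above and the financial-year convention (1 April to 31 March) and the record categories are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Statutory minimums as stated in the guide's table (constructed mapping for this
# example). Years are counted from the end of the financial year in which the
# record was created. A value of 0 means there is no statutory hold at all.
RETENTION_YEARS: Dict[str, int] = {
    "books_of_account": 8,    # Section 128(5), Companies Act 2013
    "income_tax_record": 6,   # "around 6 years (verify per case)"
    "personal_data_only": 0,  # no legal-retention need: delete when purpose ends
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    engagement_end: Optional[date]  # None while the engagement is still live


def financial_year_end(d: date) -> date:
    """Assumed Indian financial year: 1 April to 31 March."""
    return date(d.year, 3, 31) if d.month <= 3 else date(d.year + 1, 3, 31)


def statutory_hold_until(rec: Record) -> Optional[date]:
    """Last day the statute obliges the firm to keep this record, or None."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        # Fail closed: an unclassified record must be classified before it
        # can be scheduled for deletion.
        raise ValueError(f"unknown record category {rec.category!r}")
    if years == 0:
        return None
    fy_end = financial_year_end(rec.created)
    return fy_end.replace(year=fy_end.year + years)


def earliest_deletion_date(rec: Record) -> Optional[date]:
    """The purpose ends with the engagement; a statutory hold can only extend that."""
    if rec.engagement_end is None:
        return None  # purpose still active, Section 8(7) not yet triggered
    hold = statutory_hold_until(rec)
    return max(rec.engagement_end, hold) if hold else rec.engagement_end


def deletion_queue(records: List[Record], today: date) -> List[str]:
    """Ids of records the firm may erase today, sorted for a stable audit trail."""
    due = []
    for rec in records:
        when = earliest_deletion_date(rec)
        if when is not None and when <= today:
            due.append(rec.record_id)
    return sorted(due)


# Constructed sample inventory; dates are illustrative.
SAMPLE_RECORDS = [
    Record("R1", "books_of_account", date(2016, 7, 15), date(2017, 9, 30)),
    Record("R2", "income_tax_record", date(2020, 6, 1), date(2021, 8, 31)),
    Record("R3", "personal_data_only", date(2024, 1, 10), date(2024, 11, 30)),
    Record("R4", "personal_data_only", date(2025, 2, 1), None),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.category, earliest_deletion_date(rec))
    print("erasable on 2026-07-01:", deletion_queue(SAMPLE_RECORDS, date(2026, 7, 1)))
```

Running the block shows R1 (books of account created in FY 2016-17) held until 31 March 2025 even though its engagement ended in 2017, R2 held until 31 March 2027, R3 erasable the day its engagement ended, and R4 not scheduled at all while the engagement is live. Keeping the categories explicit and raising on an unknown one matters: a record that nobody has classified should never be silently deleted or silently kept forever.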

A Note on Sensitive Data

Unlike the GDPR or the old IT Act SPDI rules, the DPDP Act has no separate "sensitive personal data" category — financial data is treated under the same baseline obligations as any other personal data. If your firm ever processes data of individuals under 18 (uncommon in practice), the stricter children's-data rules in Section 9 also apply.

Advising Your Clients

DPDP is also an advisory opportunity. Your SMB clients look to you to interpret compliance obligations, and many will need help with notices, consent and record-keeping. ICAI has recognised this by launching a Data Protection Compliance & Audit Certification programme and DPDP tooling for members — so upskilling here is well supported. Point clients to our SMB checklist and applicability guide, and use the free DPDP checker in client conversations.

References & Sources

  1. Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Sections 2(i), 4–10; Section 8(7) erasure).
  2. The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — Rule 6 (security safeguards).
  3. Ministry of Corporate Affairs — Companies Act, 2013, Section 128 (books of account: minimum eight-year retention).
  4. India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.

This article is general information about the DPDP Act 2023 and related laws, not legal or professional advice. Retention periods and obligations arise under several statutes; verify each against the current text for your specific engagements.
