The DPDP Act for Chartered Accountants and Tax Practitioners
A mid-sized CA practice at filing season holds more concentrated financial PII than most banks' branch offices: PAN and Aadhaar for every client, Form 16s with salary breakdowns, 26AS statements, bank statements, capital-gains records, and login credentials for government portals. Under the DPDP Act the practice is a Data Fiduciary for all of it.
The filing-season data flow, mapped
| Workflow step | Personal data involved | DPDP consideration |
|---|---|---|
| Client sends documents on WhatsApp/email | PAN, Aadhaar, bank statements | Insecure intake; move to a defined channel, delete from chat apps after transfer |
| Documents stored on office PCs/drives | Everything | Access control, encryption, no client folders on personal laptops |
| Merging/compressing PDFs for portal upload | Full financial dossier | Cloud tools = unvetted processors; use client-side tools |
| Uploading to Income Tax / GST / MCA portals | As required by filing | Legitimate use (compliance with law) — over-retention afterwards is the risk |
| Sharing computations with clients | Tax computation, income details | Password-protect attachments; verify recipient address |
| Post-season storage | Prior-year records | Retain per statutory periods, purge beyond them on schedule |
Government portals are fine — the tools around them are the risk
Uploading a client's documents to the Income Tax e-filing portal is processing required by law — a Section 7 legitimate use. The exposure sits in the preparation step: the free cloud tool used to compress a bundle under the portal's 5MB limit, the online unlocker used on a password-protected 26AS, the converter used to turn a bank statement into Excel. Each of those transfers a client's complete financial identity to an unknown processor.
Practical safeguards for a CA office
- One intake channel: a monitored mailbox or portal, not personal WhatsApp; purge chat-app copies after saving to the matter folder.
- Client-side document tools for compressing, merging, unlocking (government password formats) and converting — no uploads.
- Role-based access: articled assistants see only the clients they work on; log who accessed what.
- AES password-protection on every outgoing attachment containing financial data.
- A retention calendar keyed to statutory periods, with a documented annual purge.
- Staff briefing each filing season: what personal data is, what tools are approved, and how to report a suspected leak the same day.
Why this matters more after May 2027
Every personal data breach must be reported to the Board and to affected clients — imagine notifying your entire client list. The safeguard failures behind most leaks (unvetted tools, shared logins, unencrypted email) are exactly what the ₹250 crore penalty slab addresses. Fixing them is cheaper than explaining them.
The CA workflow, zero-upload
EverydayPDF's CA suite validates GSTIN/PAN with real checksum algorithms, unlocks government PDFs using documented password formats, and compresses bundles to portal limits — entirely on your machine.
Open the CA suiteFrequently asked questions
Is a CA firm a Data Fiduciary or Data Processor?+
For client engagements the firm is generally a Data Fiduciary — it decides how documents are collected, stored and processed to deliver the service. If you process payroll on precise instructions of a corporate client, you may act as a processor for that flow; your obligations then arise via the contract the client-fiduciary must have with you.
Can clients demand deletion of their documents after filing?+
Yes, subject to statutory retention. You can and should retain what tax law and professional standards require, and tell the client the legal basis. Beyond those periods, erasure on request is their right — which is why a retention calendar matters.
Is emailing an unprotected Form 16 a DPDP problem?+
It sits poorly with the reasonable-safeguards obligation. Password-protecting attachments (AES encryption, password shared on a separate channel) is a low-effort measure that materially strengthens your safeguard record.
Do the ICAI's confidentiality rules already cover this?+
Professional confidentiality and DPDP overlap but are not the same: ICAI rules bind the member's conduct; DPDP imposes statutory duties on the practice as fiduciary — notices, breach notification, retention limits — with monetary penalties enforced by the Data Protection Board.
Continue reading
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
For lawyers & law firms
Client PII in filings, redaction duties, cloud-tool risk and privilege — what changes for legal practice.
Is your PDF tool compliant?
The five questions to ask any document tool before sending client files to it — and the architecture that makes them moot.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
