DPDP checklist for accounting firms
At a glance
A CA or accounting firm’s version of DPDP Act compliance runs through client onboarding, document intake, audit fieldwork, and retention — not a generic business checklist. This list works through each: a notice line at engagement, one controlled channel for client documents, access limited by engagement, retention schedules naming the legal basis for each hold period (tax, company law, the profession’s own audit-standard clock), and written contracts with vendors and outsourced staff who touch client data. Run it against how the firm actually operates.
Educational resource only. This is a practical checklist for accounting and CA practices under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice, and DPDP compliance is a firm-wide obligation broader than any single checklist.
How to use this checklist
Run it against the firm as it actually operates — a solo practice does a lighter version, a multi-partner firm a fuller one. The goal is a firm that can show clients it handles their PAN, Aadhaar and financial records responsibly, and can act on a request without scrambling.
The checklist
Work through it in order — retention and vendor contracts only make sense once intake and access are fixed.
Client onboarding
- Add a plain-language DPDP notice line to the engagement letter — what personal data the engagement involves, why, and who accesses it.
- Take consent (or confirm the engagement itself is a legitimate-use ground) before requesting KYC and financial documents.
- Collect only what the specific engagement needs — a return-filing mandate doesn’t need the same document set as a statutory audit.
Document intake
- Route client document requests through one controlled channel — a portal or access-controlled folder — instead of ad hoc email and WhatsApp.
- Accept masked documents (e.g. masked Aadhaar) wherever the engagement doesn’t need the full number.
- Never store client PAN, Aadhaar or bank statements in an unlocked personal-device photo gallery or downloads folder.
Engagement and audit-file access
- Limit access to each client’s working papers and documents to the assigned engagement team.
- For audit engagements, apply the engagement-team-only rule to fieldwork data too — see the audit workflow guide below.
- Keep digital signatures and e-filing credentials out of chat apps.
Retention
- Set a written retention schedule per document type, naming the legal basis: six years (Income Tax Act) for tax records, eight years (Companies Act) for company records, seven years from report date — per the Institute of Chartered Accountants of India’s (ICAI) Standard on Quality Control (SQC) 1 — for audit working papers.
- Build the purge into the firm’s calendar or document-management system — don’t rely on memory.
- Delete client documents collected for a one-off KYC check once the engagement that needed them closes.
Prove & respond
- Keep a record of the consent or engagement basis relied on for each client.
- Be able to locate and produce a client’s data on request, and correct or delete it where the DPDP Act requires.
- Publish a named contact for data questions, even if the firm has no statutory DPO requirement.
Vendors & security
- Put a written agreement in place with any outsourced processing (a back-office bookkeeping vendor, an e-filing utility, cloud accounting software) covering security and deletion.
- Apply basic access control and, where the tool supports it, encryption to client files held digitally.
- Have a plan for what happens if a client folder or a team member’s device is compromised.
Breach response
- Know, in advance, what counts as a personal-data breach for the firm — a stolen laptop with client PAN/Aadhaar data, an email sent to the wrong recipient, a compromised cloud-accounting login — rather than working it out for the first time when one happens.
- Name who at the firm actually makes the call on whether an incident is reportable and to whom — an undefined decision-owner is how a firm ends up realising weeks later that something should have been reported.
- Keep a simple incident log (what happened, when it was found, what was done) even for near-misses that didn’t end up being reportable — it’s the record that shows the firm actually has a working process, not just a policy document.
What to prioritise first
Start where a small firm’s real exposure actually sits.
- Fix intake — a single controlled channel for client documents closes the biggest day-to-day gap.
- Write the retention schedule — most firms are holding everything indefinitely with no purge date.
- Limit access by engagement — stop treating “the whole firm can see the shared drive” as the default.
- Contract the vendors — the bookkeeping tool and outsourced staff are often the least-checked part of the chain.
FAQ
Does a solo CA practice need to do all of this?
Proportionately, yes — a solo practice runs a lighter version (a shorter notice line, a simpler retention log), not none of it. The duties don’t have a size cut-off.
Do we need a Data Protection Officer?
Almost certainly not — a statutory DPO applies only to Significant Data Fiduciaries, a government-notified tier most practices won’t fall into. A named contact and a way for clients to raise a data question covers the gap.
Is our ICAI confidentiality obligation enough on its own?
No. It covers disclosure and professional conduct; the DPDP Act separately requires notice, a lawful basis, retention discipline and the ability to respond to a client’s rights request.
What’s the single highest-impact fix for a small firm?
Replacing ad hoc email and WhatsApp document requests with one controlled channel — it fixes notice, minimisation and security exposure in one move.
Does a small firm need a formal, written breach-response plan?
It needs a working one, not necessarily an elaborate document — knowing who decides whether an incident is reportable, and keeping even a simple log of what happened, closes most of the gap. The failure mode this guards against is realising too late that something should have been reported.
Related Articles
Collecting personal data from your own customers?
These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.
Run the compliance self-check →