DPDP for Chartered Accountants, Explained
At a glance
A chartered accountancy practice — solo or a firm — is a Data Fiduciary under India’s DPDP Act the moment it holds a client’s PAN, Aadhaar, bank statements or financials, which is every practice. The Act layers statutory duties (notice, consent, breach reporting, individual rights) on top of the confidentiality you already owe clients under the ICAI Code of Ethics. The sharpest practical tension is retention: tax and audit law require you to hold records for years, while DPDP expects you to delete data once its purpose is served — the fix is a written retention schedule that reconciles both, not silence on either.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to chartered accountancy practices; it is not formal legal advice.
On this page
- Does DPDP apply to a CA practice?
- The client data a CA practice handles
- The obligation that actually bites: retention vs your deletion duty
- Where DPDP sits alongside the ICAI Code of Ethics
- Common mistakes CA practices make
- Collecting client documents compliantly
- FAQ
The situation
Client onboarding at a CA practice is a personal-data exercise before it’s anything else — PAN, Aadhaar, bank statements, salary slips, Form 16, ITRs, sometimes a client’s own payroll or customer data if you’re doing their books or an audit. That makes a CA practice one of the more concentrated pockets of sensitive personal data in the Indian economy, handled by firms that have historically treated it as a confidentiality question, not a statutory-compliance one. DPDP changes that.
Does DPDP apply to a CA practice?
Yes — a CA practice is a Data Fiduciary the moment it decides why and how a client’s personal data is processed, and size doesn’t exempt you. The DPDP Act doesn’t carve out an exception for solo practitioners or small firms; if you collect and use personal data — even just a client’s name, PAN and phone number to file a return — you’re a Data Fiduciary with the duties that come with it: notice at collection, valid per-purpose consent (or a legitimate-use ground that fits), reasonable security, breach reporting, and the ability to answer a rights request. A one-partner practice with a handful of clients carries the same baseline duties as a large firm; what scales with size is exposure, not the existence of the obligation.
The client data a CA practice handles
Almost every engagement runs through the same core set of identity and financial documents, plus whatever the specific mandate adds. In a typical practice, that includes:
- Identity and KYC — PAN, Aadhaar, passport or other ID for client verification.
- Financial records — bank statements, salary slips, Form 16, investment proofs, loan documents.
- Filings and working papers — ITRs, GST returns, audit working papers, financial statements.
- Payroll and HR data — if you run a client’s payroll or handle statutory audit fieldwork, their employees’ personal data too.
- Digital signatures and login credentials — for e-filing and portal access, often shared over chat or email.
Each of these is personal data in its own right, and several — PAN, Aadhaar, financial detail — are the kind of document DPDP expects you to collect and store deliberately, not casually. For the document-by-document detail on what to redact and how to store each safely, see the document-handling guides below.
The obligation that actually bites: retention vs your deletion duty
This is the nuance generic DPDP guidance misses, and it’s specific to your profession: tax and company law require you to keep records for years, while DPDP expects deletion once the purpose is served — you need both, reconciled in writing. Under the Income Tax Act, books of account generally have to be retained for six years from the end of the relevant assessment year; under the Companies Act, 2013, the figure is eight years from the end of the relevant financial year. Those aren’t optional — they’re a legal obligation, which is itself a recognised ground under DPDP (Section 7) for processing without needing separate consent for that specific retention.
The conflict is only apparent, not real, once you write it down: DPDP doesn’t ask you to delete data your other legal duties require you to keep — it asks you to have a reason for how long you keep everything, and to actually delete what’s left over once neither the engagement nor a specific legal duty needs it anymore. A working paper you’re statutorily required to hold for eight years stays for eight years. A client’s Aadhaar copy taken for a one-off KYC check that’s no longer needed once the engagement closes should not still be sitting in your inbox three years later. The fix is a written retention schedule, per document type, that names the legal basis for each hold period — not an unwritten habit of keeping everything indefinitely “just in case.”
Where DPDP sits alongside the ICAI Code of Ethics
The ICAI Code of Ethics already binds you to client confidentiality — DPDP doesn’t replace that duty, it adds statutory consequences on top of it. Confidentiality under the Chartered Accountants Act and the ICAI Code has always been a professional and ethical obligation. What DPDP adds is a regulator (the Data Protection Board of India), enforceable rights for the client (access, correction, erasure, grievance redressal), a breach-notification duty that runs even where professional discretion once governed disclosure, and penalties that can reach the highest tier of the Act for a security failure.
In practice, the most useful place to fold DPDP into your existing process is the engagement letter. Rather than relying on a general confidentiality clause, spell out what personal data the engagement involves, why you’re collecting it, who it might be shared with (a co-sourced auditor, a software vendor, the tax department), and how long you’ll hold it. That turns an ethical duty you already honour into a documented, DPDP-compliant one.
Common mistakes CA practices make
Most of the exposure comes from habits that predate DPDP, not from anything deliberately careless.
- “Just email me your PAN and Aadhaar” — the default onboarding ask, with no notice, no consent capture, and copies scattered across inboxes and devices indefinitely.
- No written retention policy — everything kept forever “to be safe,” well past what tax or company law actually requires.
- Treating ICAI confidentiality as the whole answer — it covers disclosure, not notice, consent, breach reporting or rights fulfilment.
- No breach plan — assuming a leaked client folder is a reputational problem only, when it’s also a reportable one.
- Sharing login credentials and digital signatures over WhatsApp — convenient, but neither secure nor a controlled channel.
Collecting client documents compliantly
The fix for most of the above is a single, controlled intake step at onboarding, not a full rebuild of how you practice. A notice-and-consent step at the point of collection, one consistent channel for clients to send documents instead of ad-hoc email, and masking sensitive IDs where the engagement doesn’t need the full number, get you most of the way. This is common ground across professional practices, not unique to accountancy, so the detail lives in a dedicated guide: see secure client document collection for professionals for the full walkthrough, and collecting Aadhaar, PAN and KYC from customers for what you can ask for and how.
FAQ
Is a chartered accountant a Data Fiduciary under DPDP? Yes. Any CA or CA firm that collects and processes client personal data — which is effectively all of them — is a Data Fiduciary, regardless of firm size.
Does the ICAI Code of Ethics already cover DPDP compliance? No. It covers professional confidentiality, which is one piece. DPDP separately requires notice at collection, valid consent or a legitimate-use ground, breach reporting, and the ability to fulfil rights requests.
How long must a CA firm retain client financial records, and does that conflict with DPDP? Income Tax Act records generally need six years’ retention from the end of the assessment year; Companies Act records need eight years from the end of the financial year. DPDP doesn’t override this — legal obligation is a recognised basis for holding data that long. The gap most firms have is deleting what’s left over once neither DPDP nor the underlying law needs it anymore.
Can I email a client’s Aadhaar or PAN to complete a filing? Nothing bans email outright, but it skips notice, consent and channel security, and leaves copies scattered across inboxes. A controlled intake channel with masking where possible is a much closer fit for sensitive IDs.
Does a small or solo CA practice need a formal Data Protection Officer? Almost certainly not — a statutory DPO is required only for Significant Data Fiduciaries, a government-notified tier most practices won’t fall into. What every practice needs is a named, reachable contact for data questions and a grievance route.
Related reading
- Are you a Data Fiduciary? What the DPDP Act expects — the baseline duties every practice carries.
- Do small businesses count as Data Fiduciaries? — confirms size doesn’t exempt a solo or small practice.
- Secure client document collection for professionals — the intake fix, written for practices like yours.
- Collecting Aadhaar, PAN and KYC from customers — what you can ask for, and how.
- Data retention and erasure under DPDP — the deletion duty, and how it sits alongside other legal retention rules.
Reviewed by Confidential Dispatch Editorial Team
Last updated 10 July 2026
Not legal advice.