
FirmsNest blog

What the DPDP Act, 2023 means for your CA practice

The FirmsNest team · 8 min read

This article is general information, not legal advice. The Digital Personal Data Protection Act, 2023 and its rules continue to evolve, and how they apply to your firm depends on your specific facts. For advice on your obligations, consult a qualified lawyer.

A CA practice holds some of the most sensitive personal data anyone collects: PAN, Aadhaar, bank-account details, salary slips, capital-gains statements, entire sets of books. The Digital Personal Data Protection Act, 2023 (the "DPDP Act") is India’s law governing how that kind of digital personal data is handled. You do not need to become a privacy lawyer to run a compliant practice — but you should understand a few core ideas and let them shape the tools you choose.

Controller and processor — who is who

The DPDP Act talks about a Data Fiduciary — the party that decides why and how personal data is processed — and a Data Processor, which processes data on the fiduciary’s behalf. For most engagements, your firm is the fiduciary: your client entrusts you with their data, and you decide how it is used to deliver the service.

Software you use to handle that data — a client portal, for instance — generally acts as a processor, working under your instructions. FirmsNest is built on that footing: it is the software processor, and your firm remains the controller (the Data Fiduciary, in the Act’s terms) of your clients’ data and the professional adviser. That distinction matters, because the fiduciary carries the primary obligations to the individual, and should choose processors that help meet them rather than complicate them.

Consent and purpose

A recurring theme of the Act is that personal data should be collected for a clear, lawful purpose, with the individual’s consent or another permitted basis, and not quietly repurposed later. In practice, that points towards a few habits:

  • Collect what the engagement actually needs, and be able to say why each item was collected.
  • Tell clients, in plain language, what you are collecting and what it is for.
  • Avoid letting sensitive data sprawl across personal chat apps and inboxes where its purpose and access are impossible to govern.

Where the data lives

Data residency — where your clients’ data is physically stored and processed — is a question worth asking of every tool you use. Many global SaaS products host data outside India by default. For a CA practice, keeping personal data within India is a sensible posture, and it is the approach FirmsNest takes: data is hosted in an India region, and personal data is not transferred outside India.

Security expectations

The Act expects reasonable security safeguards to protect personal data. There is no single certificate that makes a tool "compliant", and you should be wary of any vendor that claims otherwise. What you can sensibly look for are concrete, describable measures:

  • Encrypted storage for documents and sensitive fields at rest.
  • Data minimisation — for example, storing Aadhaar as the last four digits only, and encrypting bank-account numbers.
  • Role-based access, so team members see only what their role requires.
  • An audit trail of actions and approvals, carrying identifiers and amounts rather than personal-data strings.
  • Tenant isolation, so one firm’s data is sealed from every other firm’s at the database level.
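Two of the measures above, Aadhaar minimisation and an audit trail that carries identifiers and amounts rather than personal-data strings, can be enforced in code rather than left to convention. The following is an added illustration written for this post, not FirmsNest's own code; the field names (`actor_id`, `engagement_id`, `amount_inr`) and the identifier patterns are assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from typing import Any

# Identifier shapes used for the leak check (constructed for this example):
# PAN is five letters, four digits, one letter; Aadhaar is 12 digits, often
# written in groups of four; Indian bank account numbers are 9 to 18 digits.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
AADHAAR_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")
ACCOUNT_RE = re.compile(r"\b\d{9,18}\b")

# Fields an audit record may carry: who acted, on which client and engagement,
# what they did, and the amount. Hypothetical names; no PAN, Aadhaar or
# bank-account field exists here, so such values cannot be logged by design.
AUDIT_FIELDS = {"actor_id", "client_id", "engagement_id", "action", "amount_inr"}


class PersonalDataInAuditLog(ValueError):
    """Raised when a caller tries to put a personal-data string into the audit trail."""


def minimise_aadhaar(aadhaar: str) -> str:
    """Reduce an Aadhaar number to its last four digits before it is stored."""
    digits = re.sub(r"\D", "", aadhaar)
    if len(digits) != 12:
        raise ValueError("Aadhaar must contain exactly 12 digits")
    return digits[-4:]


def looks_like_personal_data(value: Any) -> bool:
    """True if a string value matches the PAN, Aadhaar or account-number shape."""
    if not isinstance(value, str):
        return False
    return any(p.search(value) for p in (PAN_RE, AADHAAR_RE, ACCOUNT_RE))


def audit_event(**fields: Any) -> dict:
    """Build an audit record, refusing unknown fields and personal-data strings."""
    unknown = set(fields) - AUDIT_FIELDS
    if unknown:
        raise PersonalDataInAuditLog(f"fields not allowed in audit trail: {sorted(unknown)}")
    for name, value in fields.items():
        if looks_like_personal_data(value):
            raise PersonalDataInAuditLog(f"field {name!r} contains a personal-data string")
    return {"ts": datetime.now(timezone.utc).isoformat(), **fields}


if __name__ == "__main__":
    print(minimise_aadhaar("1234 5678 9012"))
    print(audit_event(actor_id="u_17", client_id="c_42", engagement_id="eng_7",
                      action="approve_invoice", amount_inr=25000))
```

The pattern check is a safety net for free-text fields such as `action`; the allow-list of field names is the primary control, because it leaves no place for a PAN or account number to be written at all.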

Retention

Personal data generally should not be kept forever — it should be retained for as long as the purpose, or a legal obligation, requires, and then dealt with appropriately. CA practices often have their own record-keeping obligations that call for multi-year retention; FirmsNest keeps engagement documents and audit records for seven years to support that. The discipline the Act encourages is to retain on purpose, with a defensible reason, rather than by accident.

What to look for in any tool you use

When you are evaluating software that will touch your clients’ personal data, a short, practical checklist goes a long way:

  1. Where is the data hosted, and is it kept in India?
  2. How is sensitive data stored — is it encrypted, and is it minimised?
  3. Who can access the data, and is access role-based and logged?
  4. Is there a clear audit trail of actions and approvals?
  5. If the product is multi-tenant, how is your firm’s data isolated from others?
  6. Will the vendor sign terms that reflect its role as a processor acting on your instructions?
  7. What are the retention and deletion arrangements?

The bottom line

The DPDP Act is less a checklist to clear than a standard of care to build into how your practice runs. Holding clients’ financial data has always carried responsibility; the Act puts that responsibility into statute. Choosing tools that keep data in India, store it carefully, limit access, and keep a record will not, by itself, make your firm compliant — that depends on how you operate as a whole — but it removes a great deal of avoidable risk.

And to repeat the one line that matters most: this is general information, not legal advice. For your firm’s specific obligations, speak to a qualified lawyer.

Give your clients a portal worthy of your firm.

Scoping, payments, secure documents, approvals and filing status — one branded place, with data kept in India. You keep computing and filing wherever you do today.

Questions? Write to support@firmsnest.in.