Digital Personal Data Protection Act, 2023 for CA Professionals

By CA.(Dr).Lalit Raithatha · 14 May 2026

The Digital Personal Data Protection Act, 2023 is applicable to Chartered Accountants and CA firms if they collect, store, use, or process personal data of clients, employees, vendors, or website users in digital form.

For a CA firm, the Act becomes relevant because firms regularly handle sensitive and confidential personal information such as:

  • PAN, Aadhaar, passport details
  • Income-tax returns and financial statements
  • Bank account details
  • Employee records and salary data
  • GST and compliance records
  • Client KYC documents
  • Data collected through website forms, emails, or cloud software

Under the DPDP Act, a CA firm may act as a “Data Fiduciary” because it determines the purpose and means of processing personal data.

Key compliance areas for CA firms include:

  1. Obtaining Consent
    Personal data should generally be collected with lawful consent or under permitted legitimate uses.
  2. Privacy Notice
    Firms should provide a clear privacy policy explaining:
    • what data is collected,
    • why it is collected,
    • how it is used,
    • grievance contact details.
  3. Data Security Measures
    Reasonable safeguards should be implemented to prevent data breaches, unauthorized access, or leakage of client information.
  4. Retention & Deletion
    Personal data should not be retained indefinitely once the purpose is completed unless required by law.
  5. Vendor / Software Compliance
    If cloud accounting, payroll, CRM, or document management software is used, firms should ensure vendors also maintain adequate data protection standards.
  6. Data Breach Reporting
    Certain personal data breaches may need to be reported to the authorities and affected individuals.

Practical examples where DPDP compliance becomes important for CA firms:

  • Client onboarding and KYC collection
  • Payroll processing
  • Income-tax filing portals
  • WhatsApp/email sharing of documents
  • Employee attendance software
  • Website contact forms and newsletters
  • Cloud storage of client records

Non-compliance may result in significant monetary penalties under the Act depending on the nature of the breach.
