DPDP Act 2023: What CAs and Lawyers Must Do Before November 2026
India's data protection rules are live. Phase 2 obligations kick in by November 2026, with penalties up to ₹250 crore. CAs and lawyers who handle PAN, Aadhaar, and financial records need to act now — here's your actionable checklist.
Ashay Shah
Founder, Glomiq
TL;DR
DPDP Rules notified 13 November 2025. Phase 2 obligations (Data Fiduciary duties, Consent Manager Framework) must be met by November 2026. CAs and lawyers collecting client PAN, Aadhaar, and financial data are Data Fiduciaries. Non-compliance penalties: up to ₹250 crore. Engagement letters, NDAs, and third-party tool agreements all need updating.
Why DPDP Directly Affects CAs and Lawyers
The Digital Personal Data Protection (DPDP) Act 2023 and its Rules (notified 13 November 2025) regulate how "Data Fiduciaries" — entities that collect and process personal data — operate in India.
If you are a CA or lawyer, you are almost certainly a Data Fiduciary. Consider what you collect from clients every day:
- PAN numbers, Aadhaar numbers, passport details
- Bank account statements, ITR data, financial records
- Business ownership details, shareholding patterns
- Employee salary data (for audits, payroll advisory)
- Personal dispute details, family financial information (for lawyers)
All of this is "personal data" and some of it is "sensitive personal data" under DPDP. Collecting it without a proper consent notice and processing it without safeguards exposes your practice to regulatory action.
The DPDP Enforcement Timeline
| Phase | Date | Key Obligations |
|---|---|---|
| Phase 1 | 13 November 2025 | Data Protection Board of India (DPBI) established. Complaint portal live. Grievance mechanism active. |
| Phase 2 | By 13 November 2026 | Consent Manager Framework active. Data Fiduciary obligations enforceable: consent notices, retention limits, data principal rights (access, correction, erasure). Significant Data Fiduciary (SDF) assessment begins. |
| Full Enforcement | By 13 May 2027 | Data Protection Officer (DPO) appointment mandatory for SDFs. SDF list finalised. Cross-border data transfer restrictions active. Maximum penalties applicable. |
For most CA and law firms, Phase 2 (by November 2026) is the critical deadline. This is when you must have consent notices in place and be able to respond to data principal rights requests.
6-Item Compliance Checklist for CAs and Lawyers
- Issue consent notices before collecting data. Before taking PAN, Aadhaar, or financial records from a new client, issue a notice specifying: what data you collect, why, how long you retain it, and who you share it with.
- Update engagement letters. Embed a data protection clause covering collection purpose, retention period, and client rights (access, correction, erasure). See the sample clause below.
- Update NDAs and service agreements. Add a clause on how personal data shared under the agreement is handled, stored, and deleted.
- Document your retention policy. You need a written policy: how long client data is retained post-engagement and how it is securely deleted or archived.
- Audit third-party tools. Any cloud storage, AI tool, or document software processing client data is a Data Processor. You need a Data Processing Agreement (DPA) with each vendor.
- Set up a breach notification process. DPDP requires reporting data breaches to the DPBI "as soon as possible." Have an internal protocol: who assesses the breach, who reports it, and what timeline applies.
Updating Engagement Letters: The Data Protection Clause
The simplest way to implement consent compliance is to embed a data protection clause in your standard engagement letter. Every client signs it at the start of the engagement. Here is a minimal compliant clause:
Sample DPDP Clause for Engagement Letters
"In the course of this engagement, [Firm Name] will collect and process personal data including [PAN, Aadhaar, financial records, other relevant data] for the purpose of [describe services]. Data will be retained for [X years] after the conclusion of this engagement and will not be shared with third parties except as required by law or as necessary to fulfil the engagement. You have the right to access, correct, or request erasure of your personal data by contacting [contact details]. [Firm Name] implements [256-bit encryption / relevant safeguard] to protect your data."
This is a sample for reference only. Consult a data protection specialist to finalise clause language for your practice.
Why the Tools You Use Also Matter
If you use a cloud document tool, AI assistant, or any SaaS platform to draft, store, or process client documents — that vendor is processing personal data on your behalf. Under DPDP, you are responsible for ensuring that Data Processor complies with adequate protections.
Questions to ask every vendor:
- Is data hosted in India?
- Is client data used to train AI models?
- Is data shared with third parties?
- Is there a signed Data Processing Agreement available?
- What encryption standards are in place?
Tools that use your client inputs to improve their AI models — common with free-tier AI tools — create direct DPDP exposure. You are sharing client PAN, financials, or legal matter details with a vendor that retains and uses that data.
Glomiq's DPDP Alignment
Glomiq was built specifically for Indian professionals handling sensitive client documents. It is designed to be compliant with DPDP obligations:
- India-hosted infrastructure — your data stays in India and does not cross borders by default.
- Data never used to train AI models — your client's PAN, financials, or legal details are not fed into any model. This is a contractual commitment, not just a preference setting.
- 256-bit encryption at rest and in transit — industry-standard protection.
- No third-party data sharing — your documents remain yours.
When evaluating any document tool for your CA or law practice, these are exactly the criteria DPDP compliance demands.
Frequently Asked Questions
When do DPDP Act obligations begin for CAs and lawyers?
Phase 1 started 13 November 2025 (DPBI established, complaint portal live). Phase 2 obligations — including Consent Manager Framework and Data Fiduciary duties — must be met by 13 November 2026. Full enforcement, including DPO requirements for Significant Data Fiduciaries, follows by 13 May 2027.
Do engagement letters need a data protection clause under DPDP?
Yes. Before collecting personal data — PAN, Aadhaar, financial records — a Data Fiduciary must issue a consent notice specifying what data is collected, the purpose, and the retention period. Embedding this in the engagement letter is the most practical approach for CA and law firms. It documents consent and satisfies the notice requirement in one step.
Are cloud tools and AI tools used by CAs covered under DPDP?
Yes. Any third-party tool that processes client personal data on your behalf is a "Data Processor" under DPDP. You need a Data Processing Agreement with that vendor, and the vendor must meet adequate data protection standards. Using a free AI tool that trains on your inputs — without a DPA — creates direct compliance exposure from November 2026.
Generate DPDP-Compliant Engagement Letters in 2 Minutes
Update your engagement letter template once with the data protection clause. Glomiq auto-fills every client variable — name, PAN, scope, dates — in under 2 minutes. India-hosted, never trains on data.
Ashay Shah, Founder, Glomiq. Building Glomiq, AI document automation trusted by 500+ CAs, lawyers, and HR teams across India.