DPDPA Compliance for CA Firms in Dehradun

CA firms process highly sensitive client data — PAN, Aadhaar, payroll, bank statements — for many client entities, often via email and shared drives with minimal controls.

Dehradun context: An education and hospitality hub where institutes and hotels carry children's and guest-data duties. The obligations below apply to CA firms and accounting practices operating in Dehradun, Uttarakhand — there is no local exemption and no turnover threshold under the DPDP Act.

DPDPA applies. The firm is a Data Fiduciary for its own data and typically a Processor for client data handled on instruction.

• Client PAN/Aadhaar
• Payroll & salary data
• Bank statements & financials
• Employee data of client companies
• Tax filing records

• Sensitive files over personal email/WhatsApp
• No engagement-letter data clauses
• Indefinite retention of client records
• Staff access not restricted

• Data clauses in client engagement letters (processor contract)
• Security safeguards for financial data
• Retention aligned to statutory record-keeping
• Access control across staff
• Breach notification workflow

• Client data on unsecured shared drives
• No contract governing data handling
• Old client data never purged

• Add a data-protection clause to engagement letters
• Move client files off personal email
• Restrict file access by client/staff
• Define a record-retention schedule

Are we a Processor for client data?

Generally yes — you process client and client-employee data on the client's instructions, which requires a contract.

How long can we keep client records?

Tie retention to statutory tax/company-law record-keeping periods, then erase.