A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Compliance for Accounting Firms

Accountants handle the most sensitive financial data. Learn how to align your tax and audit practice with India's DPDP Act 2023 to avoid heavy penalties.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Compliance for Accounting Firms, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Does DPDP apply to the financial data of a Private Limited Company?

The Act only protects the data of individuals. However, accounting firms handle the personal PAN, Aadhaar, and bank details of directors and shareholders, which are covered under the Act.

Can I share client data with third-party tax software providers?

Yes, but you must have a written agreement with the software vendor. This contract must state that they will only use the data for the specific filing task and will protect it according to Indian law.

Do I need a new consent form for every tax year?

You need a clear notice that covers the ongoing relationship. If the scope of data you collect changes—such as adding foreign asset reporting—you must provide an updated notice to the client.

Real-World Examples Companies struggling with this issue

Fintech

Fi Money

48

Fi Money offers a slick user experience, but its privacy framework remains stuck in the pre-DPDP era. While bank-grade security is a plus, the lack of specific consent controls and the current inaccessibility of policy pages create significant legal risks under the new Act.

⚠️ Broken or inaccessible policy links create immediate 'Notice' failures
⚠️ Consent is bundled with account creation — not granular per Section 6
+4 more gaps detected
Mar 2026 View Report
Mobility

Rapido

39

Rapido's bike taxi model creates unique privacy + physical safety risks — riders share personal space with captains who know their home address, phone number, and daily patterns. At 39/100, the combination of intimate location data, personal proximity, and minimal data governance creates one of the highest risk DPDP profiles.

⚠️ No DPDP Act 2023 reference
⚠️ Bike taxi GPS data reveals continuous movement patterns
+5 more gaps detected
Feb 2026 View Report
Messaging

WhatsApp India

51

WhatsApp processes communications for 500M+ Indians. At 51/100, while end-to-end encryption protects message content, metadata (who you talk to, when, how often) flows to Meta's global infrastructure. The 2021 privacy policy controversy showed Indian users care about data sharing — DPDP now gives them legal backing.

⚠️ No DPDP Act 2023 reference — Meta global policy
⚠️ Meta business data sharing post-2021 policy update controversy
+5 more gaps detected
Feb 2026 View Report
Book clarity call