India's DPDP Act 2023: A Complete Compliance Checklist for Law Firms
India's Digital Personal Data Protection Act 2023 imposes real obligations on law firms that process client data. This checklist walks you through exactly what you need to do to stay compliant.
Law firms occupy a peculiar position in India's data protection landscape: they are simultaneously subject to the DPDP Act as data fiduciaries and in a position to advise clients on compliance. Getting your own house in order is not just a regulatory obligation — it is a professional credibility requirement.
This checklist is designed for practising advocates, law firms, and in-house legal teams. It covers your obligations under the Digital Personal Data Protection Act 2023 in plain, actionable terms.
Understanding Your Role: Are You a Data Fiduciary?
Under the DPDP Act, a Data Fiduciary is any person who determines the purpose and means of processing personal data. Law firms almost certainly qualify because they:
- Collect identity documents, financial records, and case details from clients
- Process personal data of opposing parties, witnesses, and employees
- Decide how to store, use, and eventually delete that data
If you handle personal data of individuals (not just corporate entities), you are a Data Fiduciary and the Act applies to you.
The Core Obligations at a Glance
| Obligation | What It Means for Your Firm | Priority |
|---|---|---|
| Notice & Consent | Inform data principals what data you collect and why; obtain consent before processing | High |
| Purpose Limitation | Use data only for the purpose stated at collection; no secondary use without fresh consent | High |
| Data Minimisation | Collect only the data you actually need for the engagement | Medium |
| Storage Limitation | Delete personal data after the purpose is fulfilled; implement a data retention policy | Medium |
| Data Principal Rights | Respond to requests for access, correction, and erasure within prescribed timeframes | High |
| Breach Notification | Notify the Data Protection Board and affected individuals in the event of a data breach | High |
| Data Processor Due Diligence | Vet any third party (e.g. cloud storage, e-signature, practice software) that processes data on your behalf | Medium |
The DPDP Compliance Checklist for Law Firms
Section 1: Data Mapping
- ☐ Create a data inventory — what personal data does the firm collect, from whom, how, and where is it stored?
- ☐ Map all data flows: intake forms → client files → cloud storage → email → third-party tools
- ☐ Identify categories of data principals: clients, employees, witnesses, opposing parties, job applicants
- ☐ Classify data by sensitivity: general personal data vs. children's data vs. sensitive financial/health data
Section 2: Notice and Consent Mechanism
- ☐ Draft a clear, plain-language privacy notice for clients
- ☐ Update your client intake/engagement letter to include data processing disclosure
- ☐ Implement a consent record system — who consented, when, to what
- ☐ Create a consent withdrawal process and communicate it to clients
Section 3: Technology and Data Storage
- ☐ Audit where client data is stored: local servers, cloud (AWS/GCP/Azure), email systems
- ☐ Ensure encryption at rest and in transit for all client data
- ☐ Replace WhatsApp document sharing with a secure client portal
- ☐ Disable personal Gmail/Yahoo for client communications — use firm domain email
- ☐ Enable two-factor authentication on all firm email and file storage systems
- ☐ Review cloud storage vendors' data residency — is your data stored in India?
Section 4: Data Retention and Deletion
- ☐ Establish a data retention policy — e.g., client files kept 7 years after matter closure
- ☐ Implement a secure deletion process for data past its retention period
- ☐ Create a process for responding to erasure requests from data principals
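The consent record system from Section 2 and the retention and erasure processes from Section 4 depend on the same underlying records, so the following illustration covers both. It is an added example written for this checklist, not code from the original page or from any DPDP guidance. It assumes a simple in-memory model (one consent record per data principal and purpose, one record per stored asset); the 7-year retention period is the example figure quoted above, and the rule that an asset belonging to a still-open matter is held rather than erased on request is an assumed firm policy, not something the Act prescribes.

```python
"""Consent ledger and retention check for a law firm's client data.

Added illustration, not part of the original checklist. Assumptions:
a simple in-memory model with one consent record per (data principal,
purpose) and one record per stored data asset. RETENTION_YEARS is the
example figure from the checklist; the rule that an asset cannot be
erased while its matter is still open is an assumed firm policy.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # example figure from the checklist


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    granted_on: date
    withdrawn_on: Optional[date] = None  # set when consent is withdrawn


@dataclass
class DataAsset:
    asset_id: str
    principal_id: str
    purpose: str          # must match the purpose consent was given for
    location: str         # e.g. "firm-portal", "cloud-bucket" (constructed labels)
    matter_closed_on: Optional[date] = None  # None while the matter is open


@dataclass
class Ledger:
    consents: list = field(default_factory=list)
    assets: list = field(default_factory=list)

    def record_consent(self, principal_id: str, purpose: str, on: date) -> None:
        """Who consented, when, and to what: one auditable record per grant."""
        self.consents.append(ConsentRecord(principal_id, purpose, on))

    def withdraw_consent(self, principal_id: str, purpose: str, on: date) -> None:
        """Withdrawal is recorded, never deleted, so the history stays auditable."""
        for c in self.consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on

    def has_valid_consent(self, principal_id: str, purpose: str, on: date) -> bool:
        return any(c.principal_id == principal_id and c.purpose == purpose
                   and c.granted_on <= on
                   and (c.withdrawn_on is None or c.withdrawn_on > on)
                   for c in self.consents)

    def may_process(self, asset: DataAsset, on: date) -> bool:
        """Purpose limitation: processing needs live consent for this exact purpose."""
        return self.has_valid_consent(asset.principal_id, asset.purpose, on)

    def assets_past_retention(self, today: date) -> list:
        """Storage limitation: assets whose matter closed more than RETENTION_YEARS ago."""
        return [a.asset_id for a in self.assets
                if a.matter_closed_on is not None
                and add_years(a.matter_closed_on, RETENTION_YEARS) <= today]

    def erasure_request(self, principal_id: str, today: date) -> dict:
        """Split a principal's assets into erasable now vs held (assumption: open matter)."""
        erase, hold = [], []
        for a in self.assets:
            if a.principal_id != principal_id:
                continue
            (hold if a.matter_closed_on is None else erase).append(a.asset_id)
        return {"erase": erase, "hold": hold}


def build_sample_ledger() -> Ledger:
    """Constructed sample data for the demonstration (not real clients or matters)."""
    led = Ledger()
    led.record_consent("P-001", "litigation-matter-42", date(2016, 3, 1))
    led.record_consent("P-002", "conveyancing-matter-77", date(2024, 1, 15))
    led.assets += [
        DataAsset("A-1", "P-001", "litigation-matter-42", "firm-portal", date(2017, 6, 30)),
        DataAsset("A-2", "P-002", "conveyancing-matter-77", "cloud-bucket", None),
        # A-3 reuses P-002's data for a purpose no consent was ever recorded for
        DataAsset("A-3", "P-002", "marketing-newsletter", "crm", date(2024, 2, 1)),
    ]
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    today = date(2025, 1, 1)
    print("past retention:", ledger.assets_past_retention(today))
    print("A-3 may be processed:", ledger.may_process(ledger.assets[2], today))
    print("erasure request P-002:", ledger.erasure_request("P-002", today))
```

The point of keeping consent withdrawals as dated records rather than deleting the grant is that a later audit can answer "was this processing lawful on that date?" for any date, which is what a consent record system has to demonstrate. The retention check is deliberately keyed to matter closure, so a file belonging to an open matter is never flagged for deletion, and the same date drives the erasure-request decision.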
Section 5: Breach Response Plan
- ☐ Define what constitutes a data breach for your firm (server hack, lost device, misdirected email)
- ☐ Assign a data breach response lead (typically a partner)
- ☐ Create a breach notification template for the Data Protection Board
- ☐ Define the internal escalation path when a breach is discovered
- ☐ Document and test the breach response plan annually
Section 6: Third-Party Processors
- ☐ List all vendors that process client data on the firm's behalf
- ☐ Review each vendor's privacy policy and data processing agreement
- ☐ Enter into a Data Processing Agreement (DPA) with each processor
- ☐ Ensure processors are contractually bound to your data protection standards
The Attorney-Client Privilege Question
A common misconception: attorney-client privilege shields a law firm from DPDP obligations. It does not. Privilege protects the content of communications from disclosure in legal proceedings. The DPDP Act governs how personal data is processed — these are separate legal regimes and both apply simultaneously.
Penalties for Non-Compliance
The DPDP Act empowers the Data Protection Board of India to impose penalties up to ₹250 crore for serious breaches. For law firms specifically:
- Failure to implement reasonable security safeguards: up to ₹250 crore
- Failure to notify a data breach: up to ₹200 crore
- Violation of children's data processing rules: up to ₹200 crore
- Non-compliance with Board directions: up to ₹150 crore
The reputational damage to a law firm from a publicised data breach or enforcement action would be far more costly than the investment in compliance.
Getting Started This Week
If you are starting from zero, prioritise these three actions:
- Stop using WhatsApp for client documents — switch to encrypted email or a client portal
- Update your engagement letter — add a DPDP-compliant data processing disclosure
- Conduct a data mapping exercise — you cannot protect data you don't know you have
Compliance is not a one-time project. It requires ongoing attention as your firm's data flows evolve. Build it into your annual governance calendar — not just your to-do list.