Digital Personal Data Protection Act 2023: Practical Guide for Tax Advocates and Finance Professionals
1. Background: Why a Separate Law for Digital Personal Data?
Life and business activities in India are now largely digital. From filing Income Tax returns and obtaining GST registration to using UPI, net banking, online marketplaces, and social media platforms, assessees and businesses are constantly leaving digital footprints.
During these activities, a wide variety of information is routinely collected and stored, such as:
- Mobile numbers
- Aadhaar details
- PAN information
- Bank account particulars
- Financial statements and transaction data
- Location and device details
- Browsing and online usage patterns
These data points are held by banks, fintech platforms, e-commerce operators, government portals, intermediaries, apps, and other entities. As the volume and value of such data grow, so do risks like:
- Identity theft and data breaches
- Cyber frauds and phishing attacks
- Unauthorised profiling or tracking
- Misuse of financial or personal details
To provide a structured legal regime for handling such digital information, the Government of India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act).
The law attempts to strike a careful balance between:
- Safeguarding the privacy and autonomy of individuals, and
- Enabling legitimate and efficient use of data for governance, business operations, innovation, and economic progress.
2. Meaning of “Personal Data”
Under this framework, personal data broadly covers any information that can identify a natural person, whether directly or indirectly. Illustrative examples include:
- Name of the individual
- Mobile or landline numbers
- Aadhaar number
- PAN card details
- Email address
- Residential or office address
- Bank account and payment details
- GST registration particulars
- IP address
- Biometric identifiers
Key point: If an item of information can be linked to a specific human being, alone or in combination with other data, it falls within the ambit of personal data.
3. Core Definitions Under the DPDP Act
3.1 Data Principal
The individual to whom the personal data relates is termed the Data Principal.
If an income tax e-filing portal, bank, hospital, or e-commerce website holds your personal details, you are the Data Principal in relation to that information.
3.2 Data Fiduciary
The entity that determines the purpose and means of processing personal data is called a Data Fiduciary. Data Fiduciaries include:
- Banks and NBFCs
- Online marketplaces and payment gateways
- Hospitals and diagnostic centres
- GST or Income Tax portals
- Educational institutions
- Social media platforms
- Professional firms that collect and decide how client data is processed
In effect, a Data Fiduciary is responsible for deciding why and how data is collected, used, stored, or shared.
3.3 Data Processor
A Data Processor processes personal data on behalf of a Data Fiduciary, without independently deciding the purpose. Typical examples:
- Cloud hosting and data storage providers
- Third-party payroll or HR processing agencies
- IT maintenance and support vendors
- Outsourced document scanning and digitisation agencies
Note: Many tax and legal practices engage Data Processors (e.g., cloud accounting software, outsourced IT support). Such relationships must be managed through appropriate contracts and controls.
4. Scope and Territorial Reach of the DPDP Act
4.1 Digital Data and Digitised Records in India
The Act applies primarily to digital personal data, whether:
- Collected directly in digital form (e.g., online KYC, e-forms); or
- Initially collected in physical format but subsequently digitised.
Typical instances within scope include:
- Scanned KYC documents stored by a CA firm
- Digitised client files maintained by a tax advocate’s office
- Electronic working papers for assessments
- Income Tax e-filing data and GSTN records
4.2 Foreign Entities Targeting Individuals in India
The law also extends to entities outside India that:
- Offer goods or services to individuals in India, and
- Process their personal data in that context.
Thus, many global apps, digital platforms, and SaaS tools that cater to Indian users may fall under this legislation when dealing with their Indian user base.
5. Rights of Individuals Under the DPDP Act
The DPDP Act codifies a set of enforceable rights for Data Principals. Every assessee, client, or individual whose data is processed gains the following powers: