In response to the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) in India, the country’s prominent Big Four accounting firms, namely EY, PwC, Deloitte, and KPMG, have taken proactive measures by establishing internal committees. These committees have been tasked with conducting a comprehensive assessment of how the DPDP Act affects their existing processes and operations.
The Indian government recently approved a new digital data protection law aimed at improving data security practices in both enterprises and relevant authorities. Following the enactment of the Digital Personal Data Protection (DPDP) Act, the Big Four accounting firms—EY, PwC, Deloitte, and KPMG—established internal teams to assess its impact and take corrective measures. These teams have worked diligently to identify vulnerabilities and compliance gaps within their taxation and audit service lines, recommending various changes for storing and accessing customers’ personal data. Since these companies serve a global client base from India, swift action is crucial.
The significance of getting it right lies in the substantial amount of data that these firms, along with others like McKinsey and Accenture, handle on behalf of their clients. This data automatically falls under the purview of the DPDP Act. Imagine situations where auditors collect personal bank records during sampling processes without proper data masking. This also applies to the audit and compliance divisions of these industry giants, which have access to extensive volumes of sensitive personal information, including employee incomes, shareholdings, and director cross-holdings. Given that digital consulting and transformation services have become major revenue sources, DPDP compliance is of paramount importance.
In fact, there is a competitive race among the Big Four companies to meet DPDP compliance requirements promptly. According to sources, the transition wasn’t overly challenging because they were already aligned with the General Data Protection Regulation (GDPR), which is a prerequisite for serving global clients. GDPR compliance provided a foundation for adjusting processes and systems to align with the DPDP, as the two share similarities in nature and language. However, one area where these accounting firms need to prepare for challenges involves data breach incidents and reporting, as these aspects are not covered by global compliance regulations.
Ironically, these companies have limited control over the data breach and reporting aspects because the government needs to address various clarifications raised by the firms since the DPDP Act became operational. According to the rules, clients must disclose the recipients of their data, but there is currently no clarity on how this requirement should be implemented.

