India's data protection landscape is crystallising rapidly. The draft rules under the Digital Personal Data Protection Act, 2023 (DPDPA) have been published for public comment, and the implications for the legal services sector are profound.
Who Is a Data Fiduciary?
Any entity that determines the purpose and means of processing personal data is a Data Fiduciary. Law firms handling client data, litigation documents, and personal information are squarely within this definition.
Key Obligations for Law Firms
- Consent Management: Written, specific, informed consent is required for processing client personal data beyond the immediate engagement.
- Data Minimisation: Collect only the data essential for the legal service being provided.
- Retention Limits: Personal data must be purged once the purpose is served, subject to statutory retention requirements under other laws.
- Data Breach Notification: Breaches must be reported to the Data Protection Board within prescribed timelines.
Compliance Roadmap
Legal practices should immediately appoint a data protection point of contact, conduct a data audit, update client engagement letters, and revise their digital infrastructure policies.