DPDP Act Compliance Programme for Large Law Firms: A Practical Framework
Most Indian law firms have advised clients on the Digital Personal Data Protection Act, 2023. Far fewer have systematically applied it to their own operations. The DPDP Act is fully in force as of 2026, and the gap between advisory excellence and internal application has become the single largest compliance exposure for large Indian law firms.
This whitepaper translates the DPDP Act into a practical compliance programme for a 100+ lawyer firm. It addresses the features that make law firms unusual — the dual Fiduciary/Processor role, legal professional privilege, mandatory record retention, and the tension between compliance obligations and client service — and sets out an implementation framework the firm can use as a foundation.
Key Takeaway
- Law firms almost always act in both Data Fiduciary and Data Processor roles simultaneously, and the compliance obligations differ sharply between the two.
- Legal professional privilege is not an exemption from the DPDP Act, but it is a relevant factor in how certain obligations are fulfilled.
- Vendor onboarding — particularly AI-tool vendors — is now the single largest source of DPDP Act exposure at large firms.
- Incident response must align with the 72-hour-and-immediate window created by DPDP Act Section 8(6) in conjunction with CERT-In directions.
- Partner training is the operational lever most firms have under-invested in, and it is also the one with the most leverage.
1. The Dual-Role Problem
The DPDP Act, 2023 classifies entities processing personal data as either Data Fiduciaries (those who determine the purpose and means of processing) or Data Processors (those who process on behalf of a Fiduciary). Law firms routinely sit on both sides of this line within the same organisation, and sometimes within the same matter.
When the firm is a Data Fiduciary
- Employee data (recruitment, payroll, HR).
- Client relationship data (intake forms, KYC, billing).
- Matter data where the firm determines processing purposes (e.g., marketing insights, internal knowledge management).
When the firm is a Data Processor
- Personal data received from a corporate client for the purpose of providing legal services in a specific matter.
- Personal data accessed through due diligence on behalf of a Fiduciary client.
- Personal data handled in litigation support where the client controls the purpose.
Why the distinction matters
Data Fiduciaries carry the primary obligations — consent, purpose limitation, storage limitation, data-principal rights, breach notification, security safeguards. Data Processors carry the narrower obligation of processing only on lawful instructions from the Fiduciary and assisting with the Fiduciary's obligations. Firms that treat themselves as Fiduciaries across all matters over-comply in ways that create client-confidentiality exposure; firms that treat themselves as Processors across all matters under-comply in areas where they do in fact control processing.
The Common Misclassification
The most frequent misclassification we see at large Indian firms is treating the firm as a pure Processor for all client-matter data. In reality, the firm typically makes independent processing decisions — about retention, about sharing with experts, about internal archival — that make it a Fiduciary for those specific processing activities. Mapping processing activities matter-type by matter-type is essential.
2. Legal Professional Privilege and DPDP
Legal professional privilege — rooted in Section 126 of the Indian Evidence Act, 1872 (and now mirrored in the Bharatiya Sakshya Adhiniyam, 2023) — prevents disclosure of attorney-client communications. The DPDP Act does not grant a blanket exemption for privileged information, but it must be read harmoniously with privilege.
Areas where privilege and DPDP interact
- Data Principal Rights (Sections 11–14). A Data Principal's right to access may conflict with the privilege owed to the firm's client if the Principal is a third party whose data is referenced in privileged communications. The firm generally cannot disclose privileged content even in response to a valid access request from a third-party Data Principal.
- Erasure requests. A Data Principal's right to erasure (Section 12) can conflict with the firm's obligation to retain matter files under the Bar Council and Advocates Act rules. The DPDP Act recognises statutory retention obligations as a basis for continued processing.
- Breach notification. Notification of a breach involving client matter data may require careful coordination with the client as the Fiduciary, rather than unilateral notification by the firm.
Practical handling
Firms should document a privilege-aware response playbook for each DPDP obligation, with clear decision trees on when and how to respond while preserving privilege. This is typically owned by the firm's data-privacy partner in consultation with the managing partner.
3. The Compliance Programme: Seven Workstreams
A practical DPDP Act programme at a large law firm consists of seven parallel workstreams. Each needs an owner, a delivery milestone and a quarterly review cadence.
Workstream 1: Role mapping
- Map every category of personal data the firm processes.
- Classify each as Fiduciary-controlled or Processor-controlled.
- Document the Fiduciary for each Processor role (i.e., which client owns the purpose).
- Revisit quarterly.
Workstream 2: Consent and notice architecture
- Update engagement letters and new-client onboarding to include required DPDP notices.
- Create a consent register for Fiduciary-role processing activities.
- Document lawful bases for processing where consent is not used (Section 7 legitimate uses).
Workstream 3: Data-principal rights
- Stand up a central intake for access, correction, erasure and nomination requests.
- Build privilege-aware response playbooks.
- Set internal SLAs (the statute permits a 30-day window; firms typically commit to a shorter internal SLA to accommodate escalation).
Workstream 4: Security and safeguards
- Review encryption, access controls, logging and backup policies against Section 8(4).
- Ensure vendors and service providers meet equivalent standards.
- Document incident-response procedures.
Workstream 5: Vendor and sub-processor governance
- Audit every vendor processing personal data on the firm's behalf.
- Put in place DPDP-compliant contracts with each (see Section 4 below).
- Maintain a register with processing locations, data categories, retention periods.
Workstream 6: Cross-border transfers
- Identify vendors, cloud services and AI tools processing data outside India.
- Monitor Section 16 notifications by the Central Government.
- Document client consents where cross-border transfer is not otherwise covered.
Workstream 7: Training and culture
- Partner-level training on DPDP obligations and daily decision-making.
- Associate training on handling client data, matter documents, and AI tools.
- Annual refresher and incident-based ad hoc updates.
4. Vendor Onboarding: The Highest-Exposure Area
In most large Indian firms, the largest single DPDP compliance exposure is not the firm's own practices — it is vendors. Every AI tool, cloud service, e-discovery provider, document management system and managed-services engagement involves personal-data processing by an external party.
Vendor categorisation
- Tier A vendors: Process sensitive personal data (KYC records, salary data, medical data).
- Tier B vendors: Process general personal data (contact details, matter context).
- Tier C vendors: No personal data processing (ancillary tools).
Contract terms to insist on
For Tier A and B vendors, the firm's engagement contract should include:
- Clear designation of the vendor as a Data Processor (or sub-Processor where applicable).
- Obligation to process personal data only on the firm's documented instructions.
- Obligation to implement appropriate security safeguards.
- Breach-notification SLAs consistent with DPDP Act Section 8(6) — meaning prompt notice that allows the firm to notify the Data Protection Board and affected Principals within the relevant windows.
- Sub-processor authorisation requirements.
- Data-return and data-deletion obligations at termination.
- Audit and inspection rights.
- Indemnity for breach of the vendor's DPDP obligations.
AI vendor specifics
AI vendors introduce additional considerations: whether prompts and outputs are used for vendor model training, whether the vendor's model runs in India or abroad, whether personal data appears in training corpora, and whether the vendor can segregate the firm's data from other tenants. These should be documented explicitly.
The ‘Free Tier’ Trap
Associates using free-tier consumer AI services for legal work create uncontrolled vendor relationships. Most free-tier terms permit the vendor to use inputs for model training. Firm policy should prohibit use of consumer AI services for any client-matter data, with enterprise equivalents provided instead.
5. Incident Response
An effective DPDP incident response programme has four stages.
Stage 1: Detection and escalation
- Define what constitutes a personal data breach.
- Ensure every employee knows how to escalate a suspected incident through a single dedicated channel.
- Triage incidents within hours, not days.
Stage 2: Assessment
- Determine whether personal data was compromised.
- Identify the Data Principals affected.
- Identify the Data Fiduciary (the firm, or a client for whom the firm is a Processor).
- Document in the incident register.
Stage 3: Notification
- If the firm is the Fiduciary, notify the Data Protection Board and affected Principals within the DPDP Act's framework (Section 8(6) — "as may be prescribed").
- If the firm is a Processor, notify the Fiduciary client promptly under the engagement contract SLA.
- Coordinate with CERT-In obligations under the IT Act, 2000 where incidents cross the 6-hour notification threshold for prescribed categories.
Stage 4: Remediation and review
- Close the technical vulnerability.
- Conduct a post-incident review.
- Update controls where systemic weaknesses are found.
Tabletop exercises — simulated breach scenarios run with the DPO, key partners, and IT leadership — are the single most effective way to stress-test this workflow. Leading Tier-1 firms run at least one per year.
6. Partner Training
Partner-level training is typically the lightest-weight workstream and also the most under-delivered. Managing Partners, practice leaders and individual Partners make daily decisions that have DPDP implications:
- Whether to accept a new matter where the client's instructions imply processing the firm cannot lawfully perform.
- Whether to share matter documents with a co-counsel abroad.
- Whether to accept a client's own AI-tool usage within the matter.
- Whether to retain documents beyond the minimum retention period.
Training programme design
- Module 1: DPDP Act fundamentals — what the statute says and why it applies to law firms.
- Module 2: Dual Fiduciary/Processor role — how to classify per matter.
- Module 3: Client-side obligations — handling data principal rights, breach notifications and cross-border transfers.
- Module 4: Vendor and AI-tool usage — what is permitted, what requires consent.
- Module 5: Incident response — partner-level duties when a breach is discovered.
- Module 6: Annual refresh and caselaw updates.
Training should be delivered in small groups (15–25 partners) with scenario-based discussion rather than large-format lectures, and should be mandatory for partners in line with the firm's existing CLE and KYC requirements.
7. DPDP Governance Structure
A programme of this scope requires named ownership. Typical structure at a 100+ lawyer firm:
- Executive sponsor: Managing Partner or Executive Committee.
- Programme owner: Data Privacy Partner (typically a senior partner in the regulatory or technology practice).
- Data Protection Officer: As required if the firm is a Significant Data Fiduciary; best practice even where not strictly required.
- Programme manager: Director-level, runs the day-to-day workstreams.
- Workstream leads: One per workstream described above.
- DPDP Committee: Meets monthly; reviews incidents, data-principal requests, vendor changes.
The Executive Committee should receive a quarterly DPDP report covering metrics: number of requests, response SLA compliance, incidents detected and resolved, new vendor onboardings, training completion rates.
8. Metrics and Reporting
Metrics demonstrate that the compliance programme is live rather than theoretical.
Core metrics
| Metric | Cadence | Target |
|---|---|---|
| Data-principal requests received / resolved | Monthly | 100% resolved within SLA |
| Incidents detected / notified | Monthly | All incidents logged; notification SLA met |
| Vendor contracts DPDP-compliant | Quarterly | 100% of Tier A vendors; 95%+ of Tier B |
| Partners trained | Annually | 100% trained in prior 12 months |
| Associates trained | Annually | 100% trained in prior 12 months |
| Cross-border transfer inventory current | Quarterly | Fully current, no unmapped transfers |
Board reporting
The Executive Committee should see a one-page dashboard each quarter showing these metrics, trend lines and open risk items. This is the operational evidence that the programme is functioning.
9. Common Pitfalls and How to Avoid Them
- Treating DPDP as a legal-department exercise. DPDP impacts IT, HR, finance and practice operations. A legal-only programme will miss half the exposure.
- Relying on vendor self-certification. Vendor representations without contractual commitment and audit rights are worth little. Insist on both.
- Leaving the Fiduciary/Processor classification ambiguous. Ambiguity creates exposure on both sides. Document the classification explicitly for each matter type.
- Under-investing in the associate layer. Associates handle the majority of personal data day to day. Training that focuses only on partners misses the operational layer.
- Treating incident response as theoretical. Incidents happen. A programme that has never run a tabletop is not ready for a real incident.
10. Outlook: 2026–2028
The DPDP Act's full enforcement window opens substantively over 2026–2027. The Data Protection Board is still ramping up enforcement posture. Early enforcement cases are likely to come from: (a) high-profile breach incidents; (b) complaints by Data Principals dissatisfied with access or erasure responses; and (c) sectoral triggers (banking, telecom, e-commerce) where DPDP overlaps with existing regulators.
For law firms, the specific risks to watch:
- Malpractice claims that reference DPDP failings as part of the negligence theory.
- Client insistence on DPDP-compliant processing as a pre-condition to engagement.
- Bar Council guidance or rules on DPDP compliance as part of professional conduct.
- Enforcement action against individual lawyers or firms where handling of personal data is materially deficient.
A robust programme — built along the seven workstreams described above — positions the firm for both enforcement risk and the client-driven competitive pressure that is already emerging.
Frequently Asked Questions
Is a law firm automatically a Significant Data Fiduciary under the DPDP Act?
Not automatically. The Central Government may notify firms or categories of firms as Significant Data Fiduciaries based on volume and sensitivity of processing, potential impact on Data Principals, and risk to electoral democracy or public order. A Tier-1 Indian law firm handling regulated-sector client data should plan for likely designation even if not formally notified.
Do we need to appoint a Data Protection Officer?
The DPDP Act requires a DPO for Significant Data Fiduciaries (Section 10(2)). Even if not formally required, leading Tier-1 firms appoint a DPO as best practice, often combined with an existing partner-level compliance role.
How should engagement letters reference the DPDP Act?
Engagement letters should (a) identify processing purposes and lawful bases, (b) set out the Fiduciary/Processor classification for the specific engagement, (c) address cross-border transfers if applicable, and (d) define breach-notification and audit protocols. A standard clause set should be reviewed annually.
Can we use AI tools that process data outside India?
Yes, subject to DPDP Act Section 16 (which allows the Central Government to notify territories to which transfers are restricted; no restrictive notification as of Q1 2026) and any sectoral rules (RBI, SEBI localisation for regulated-sector data). Client consent is best practice where the client is the Fiduciary. Document the position for each tool.
What counts as a reportable breach?
Any confirmed or reasonably suspected unauthorised access, disclosure, destruction or alteration of personal data. The DPDP Act Section 8(6) obliges the Fiduciary to inform the Board and affected Principals in the manner prescribed by rules. Law firms acting as Processors have obligations to notify their Fiduciary clients promptly under the engagement contract.
How does DPDP interact with the Bar Council's record retention rules?
Bar Council rules and the Advocates Act impose retention obligations that constitute lawful bases for continued processing under DPDP Act Section 7(e). Firms can resist erasure requests that would breach the retention rules, but should document the statutory basis in the response.
How often should the DPDP programme be reviewed?
Core workstreams should be refreshed quarterly. The full programme should be reviewed annually by the Executive Committee, or sooner if triggered by a material incident, a significant new regulation, or a new practice or office launch.
Does LexiReview support DPDP-compliant deployments?
Yes. LexiReview supports India-resident deployments, customer-managed keys, detailed access logging exportable to client SIEMs, sub-processor transparency, and engagement agreements aligned to the DPDP Act's Processor-role obligations. Tier-1 firm deployments typically include a DPDP architecture review as part of implementation.
LexiReview Editorial Team
Our editorial team comprises legal tech experts, compliance specialists, and AI researchers focused on transforming contract management for Indian businesses.