1. INTRODUCTION
This Privacy Policy (“Policy”) is issued by
SDP & Associates, a firm of Chartered Accountants (the “Firm”), in compliance with the
Digital Personal Data Protection Act, 2023 (“DPDP Act”), applicable rules, and professional confidentiality obligations under ICAI regulations.
This Policy outlines:
- The Firm’s data governance framework
- Standards for processing personal data
- Data subject rights and procedures
- Security safeguards and risk management protocols
By accessing our website or using our services, you consent to the practices described in this Policy. Updates to this Policy will be communicated through our website or other appropriate channels.
2. DEFINITIONS
Unless otherwise stated, terms shall have the meanings assigned under the DPDP Act:
- “Personal Data”: Any data about an individual identifiable by or in relation to such data
- “Data Principal”: Individual to whom the personal data relates
- “Data Fiduciary”: The Firm determining the purpose and means of processing
- “Processing”: Collection, storage, use, disclosure, erasure,
“Sensitive Personal Data”: Information such as financial data, biometric data, bank details, KYC documents or any other data classified as sensitive under applicable laws.
3. APPLICABILITY
This Policy applies to:
- Website visitors
- Clients and their representatives
- Employees and consultants
Third-party service providers
4. PRIVACY GOVERNANCE FRAMEWORK
The Firm has implemented a structured governance framework to ensure compliance:
4.1 Governance Structure
- Designated Data Protection Officer (DPO): Responsible for compliance oversight
- Engagement Partners: Accountable for data handling within assignments
- IT & Security Team: Responsible for implementing safeguards
- Compliance Committee: Periodic review of privacy risks
4.2 Key Principles: The firm adheres to the following principles in relation to collection of data from individuals pursuant to contractual engagements or provision of services, data from device identifiers, IP addresses, geolocation, and user preferences that are collected via cookies and similar technologies and in relation to the processing of data for fulfilling contractual obligations, complying with legal and regulatory requirements, recruitment, employment, operational management and conducting analytics and research-
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Accountability
4.3 Policy Ecosystem
- Information Security Policy
- Confidentiality Policy
- Incident Response Policy
- Vendor Risk Management Policy
5. CONTRACTUAL CONFIDENTIALITY OBLIGATIONS
The Firm adheres to strict confidentiality obligations arising from:
- Engagement letters with clients (including banks)
- Regulatory mandates (ICAI, RBI, SEBI where applicable)
- Non-disclosure agreements (NDAs)
The Firm shall maintain strict confidentiality of all client information, including personal data, and shall not disclose such information except:
- where required by law or regulatory authority;
- with prior written consent of the client; or
- for performance of services under the engagement, subject to equivalent confidentiality obligations.
Sub-Processor Obligations
All third parties must:
- Execute binding confidentiality agreements
- Comply with DPDP Act requirements
- Implement equivalent security controls
6. DATA CLASSIFICATION & HANDLING GUIDELINES
We classify the data into categories based on objective process driven metrics to determine the safeguard and processing protocols applied to each category to ensure compliance with applicable regulatory requirements-
6.1 DATA Classification
| Classification Level |
Definition |
Examples (Bank Audit Context) |
| Confidential |
Highly sensitive personal, financial, or regulated data requiring maximum protection |
Customer KYC data, account details, loan files, audit evidence, passwords, financial statements (unpublished) |
| Restricted |
Sensitive business or client data with limited disclosure |
Audit working papers, internal reports, risk assessments, management letters |
| Internal |
Firm operational data not intended for public disclosure |
HR records, internal emails, policies |
| Public |
Non-sensitive data approved for public disclosure |
Website content, marketing material |
6.2 Handling Protocols
1.1 Collection
- Limited to lawful and specified purposes
- Obtained directly or through clients
Storage
- Secure servers with encryption
- Access-controlled environments
Access Control
- Role-based access
- Least privilege principle
Transmission
- Encrypted channels (SSL/VPN)
Sharing
- Only on need-to-know basis
- Subject to contractual safeguards
7. CONSENT MANAGEMENT- The firm adheres to the following principles in terms of Section 5 and Section 6 of the DPDP Act 2023 for obtaining and managing consent of Data Principals in relation to sensitive personal data-
7.1 Principles
- Free, specific, informed, and unambiguous
- Obtained prior to processing
7.2 Consent Mechanisms
- Client engagement documentation
- Consent logs
7.3 Withdrawal of Consent
Data Principals may withdraw consent at any time by contacting:
grievanceredressal@sdpa.in
legal@sdpa.in
8. DATA SUBJECT RIGHTS HANDLING PROCEDURES
It is understood and acknowledged that under the DPDP Act, Data Principals have the right to:
- Access information
- Correction and erasure
- Grievance redressal
- Nominate a representative
8.1 The following protocol is followed in relation to any request, including without limitation any request for data deletion or erasure, is made by Data Principles in relation to their statutory rights under the DPDP Act 2023
–
- Request received via email/portal
- Identity verification
- Logging in request register
- Evaluation of applicability
- Response within statutory timeline
8.2 Exceptions
Requests may be declined where:
- Required for legal compliance
- Audit obligations mandate retention
- Data is anonymized
9. DATA RETENTION & DELETION POLICY
9.1 Retention Principles
Personal data is retained only as long as necessary to fulfil its purpose or comply with legal obligations. After the retention period, data is securely deleted or anonymized. Data may be retained for compliance with:
- ICAI standards
- Tax laws
- Banking regulations
9.2 Standard Retention Periods
| Data Type |
Retention |
| Audit Working Papers |
7–10 years |
| Client Records |
As per engagement/legal requirement |
| Website Data |
1–3 years |
9.3 Deletion Protocols
- Secure deletion methods
- Periodic data purging
- Backup lifecycle management
10. REASONABLE SECURITY SAFEGUARDS
The Firm implements “reasonable security safeguards” as mandated in compliance with the provisions of the IS 17428 privacy assurance standard published by the Bureau of Indian Standards (BIS), including for data collected and processed on behalf of a Data Fiduciary:
10.1 Technical Measures
- Encryption (data at rest and in transit)
- Firewalls and intrusion detection systems
- Multi-factor authentication
- Secure cloud infrastructure
10.2 Organizational Measures
- Employee confidentiality agreements
- Periodic training
- Access control reviews
10.3 Physical Security
- Restricted office access
- Secure storage of documents
11. DATA BREACH MANAGEMENT & REMEDIATION- In the event of a breach of applicable data protection standards despite reasonable safeguards, following is the protocol for incident management and remediation-
11.1 Incident Response Plan
- Immediate containment
- Risk assessment
- Notification to authorities and affected parties
11.2 Remediation Actions
- Root cause analysis
- Control strengthening
- Policy updates
11.3 Reporting
- Maintained incident register
- Periodic reporting to management
12. ACTION PLANS FOR REMEDIATION
In case of identified privacy risks:
- Risk identification
- Impact assessment
- Prioritization based on severity
- Implementation of corrective controls
- Monitoring and closure
13. PRIVACY RISK ASSESSMENT SOP
13.1 Trigger Events
- New audit engagements
- Adoption of new technology
- Vendor onboarding
13.2 Process
- Identify data flows
- Classify data
- Evaluate risks (likelihood vs impact)
- Assign risk rating
- Define mitigation measures
13.3 Output
- Risk register
- Mitigation plan
- Management approval
14.1 When Required
- Large-scale processing
- Sensitive financial data
- Use of new technologies
14.2 DPIA Steps
- Description of processing activity
- Necessity and proportionality analysis
- Risk identification
- Safeguard evaluation
- Residual risk assessment
14.3 Approval
- DPO sign-off
- Senior partner approval
15. THIRD-PARTY PROCESSORS
The Firm ensures that all vendors:
- Comply with DPDP Act
- Are subject to contractual obligations
- Undergo due diligence assessments
16. WEBSITE-SPECIFIC PROVISIONS
16.1 Cookies
The Firm may use cookies for:
- Website analytics
- User experience improvement
16.2 Data Collected
- Name, email, contact details
- IP address and browsing data
17. GRIEVANCE REDRESSAL
Grievance Officer:
Complaints shall be resolved within prescribed timelines.
18. POLICY REVIEW & UPDATES
- Reviewed annually or upon regulatory changes
- Updated version published on website
19. DISCLAIMER
This Policy is intended to comply with applicable Indian laws including the DPDP Act and does not override professional confidentiality obligations under ICAI guidelines.
