Skip to content
Back to blog
Compliance

DPDP Rules are here: what India's data law means for client confidentiality at law firms

22 January 20267 min readBy The Lawisense Team

DPDP Rules are here: what India's data law means for client confidentiality at law firms

For decades, client confidentiality in Indian practice rested on professional ethics and the Advocates Act. As of late 2025, it also rests on statute. The Digital Personal Data Protection (DPDP) Rules were finalised in November 2025, giving operational shape to the DPDP Act, 2023 — and law firms, which handle some of the most sensitive personal data in the country, are squarely within scope.

This is not legal advice, and every firm should take its own counsel. But every advocate should understand the shape of what is coming.

The timeline that matters

The framework is rolling out in phases:

  • Phase I (from 13 November 2025): the Data Protection Board of India is established.
  • Phase II (from 13 November 2026): rules around consent managers take effect.
  • Phase III (from 13 May 2027): the substantive obligations — consent, notices, security, breach reporting — come fully into force.

In other words, 2026 is the build year. The obligations are not all live yet, but the runway to be ready for 2027 starts now.

Why law firms are firmly in scope

A law practice is, in DPDP terms, a Data Fiduciary — it decides how and why client personal data is processed. And the data is exactly the kind the Act cares about: names, contact details, financial records, medical history in injury matters, family details in matrimonial cases, allegations and case facts in criminal defence.

Crucially, responsibility stays with the firm even when processing is outsourced. If you use a cloud document tool, a billing service, or a case-management platform, the law expects you to have appropriate contracts and security provisions with those processors. You cannot delegate away the obligation.

What you will actually need to do

The substantive requirements, in plain terms:

  • Lawful basis (consent). For most processing, consent must be free, specific, informed, and unambiguous — collected with a clear affirmative action.
  • Transparent notices. Clients should be told what data you collect, why, how long you keep it, and how to exercise their rights — in English or a scheduled Indian language.
  • Reasonable security safeguards. You must protect personal data with appropriate technical and organisational measures.
  • Breach notification. A personal data breach must be reported to the Data Protection Board and affected individuals, with a tight reporting window.
  • Processor contracts. Vendors that touch client data need contractual security commitments.

The penalties are not symbolic — failure to maintain reasonable security can attract fines running into hundreds of crores for the most serious lapses.

The quiet implication: where does your client data live?

Most firms have never asked this question rigorously. Client data is scattered — personal email, WhatsApp, a shared drive, a clerk's laptop, a billing spreadsheet, an assortment of apps. Under DPDP, "we have it somewhere" is not a defensible posture. You need to know where personal data sits, who can access it, and whether your tools can support consent, retention, and breach response.

The firms that will find 2027 easy are the ones that, during this build year, consolidate client data into systems designed for security and access control — rather than leaving it spread across consumer apps that were never built for confidentiality.

Where Lawisense fits

A purpose-built legal practice platform helps on exactly the points DPDP cares about: client data in one controlled place rather than scattered across personal apps, role-based access so staff see only what they should, a secure client portal instead of confidential documents flying over WhatsApp, and an auditable record of who accessed what. Compliance is ultimately the firm's responsibility — but the right system makes it achievable instead of overwhelming.

Use this build year well. The advocates who treat data protection as an operational upgrade, not just a legal box to tick, will be the ones clients trust most.

Sources: Privacy World — India passes DPDP Rules, DPDP Act compliance guidance.

Try Lawisense free

Start organising your practice today. No credit card required.