DPDP 2025 for Indian Law Firms: A Managing Partner's Compliance Playbook
The Digital Personal Data Protection Act is now in force. What changes for client data, vendor due diligence and partner liability at Indian law firms, with a 90-day implementation checklist managing partners can actually run against.

DPDP is a partnership problem, not an IT problem
The Digital Personal Data Protection Act, 2023 is in force, with its Rules notified in November 2025 and the substantive obligations commencing on the phased timetable the Rules set. Across our 19-firm benchmark sample, fourteen managing partners told us they had “delegated DPDP to the tech team” or to the COO. That is the wrong answer, and most of the firms giving it will discover why in the next three quarters.
A Mumbai-based full-service firm of about 80 fee-earners learnt this in March. A banking client, a mid-tier private bank, sent a one-page questionnaire ahead of a panel renewal. Six questions. The firm’s data fiduciary classification. Its sub-processor register. Its breach-notification window. Its data-localisation posture for matter files. Its DPO appointment. Its last internal audit date. The managing partner forwarded it to the head of IT. The head of IT forwarded it back. Nobody at the firm could answer four of the six. They kept the panel slot, narrowly, on a written undertaking to come back within ninety days. They are now on day fifty-one.
DPDP is not a tech-stack question. It is a question about how the partnership governs personal data, which is to say, almost everything the firm touches. The managing partner is the answer, not the IT head.
The Rules, as notified, clarified the operational items that had been left vague in the parent Act: the form of notice, the standard for verifiable consent, the timeline and content of breach notifications, the process for principal-rights requests, and the additional duties that attach once the Central Government designates a significant data fiduciary. None of those clarifications make compliance easier for a law firm. They make it more specific, which is harder, because the firm can no longer plead ambiguity.
Why Indian law firms are uniquely exposed under DPDP
The exposure surface at a law firm is wider than the average managing partner realises, because the firm collects personal data in places nobody calls a data-collection point.
An M&A due-diligence room contains the employee PII of an entire target company: salary bands, PAN numbers, addresses, medical declarations, disciplinary records. A criminal or family brief contains witness PII, minors’ details, and sometimes biometric or medical material. An IP file contains the personal data of the inventor, of customers cited in infringement evidence, sometimes of individuals identified through test purchases. A KYC archive built for the firm’s own onboarding holds identity proofs for every client director the firm has ever screened. An e-discovery export for a single arbitration can carry the inboxes of forty employees, all processed by the firm and, usually, by a foreign-hosted review platform.
In our sample, the median firm could not produce a complete list of the places it stored personal data within four working days of being asked. Three firms produced a partial list and three more produced nothing. That is not a tooling problem. It is the absence of a data map, which is the first thing a DPDP-ready firm is asked to produce and the first thing a regulator or large client will ask for.
The volume problem compounds the surface-area problem. A mid-sized full-service firm in our sample held an average of 4,200 active matter files and an additional 38,000 closed-but-retained files. Personal data sat in roughly two-thirds of them, in widely varying volumes. A single banking-litigation file held the PAN numbers and addresses of more than 9,000 borrowers. A single matrimonial brief held the medical records of two children. The partnership’s instinct, that DPDP risk scales with revenue, is wrong. It scales with personal-data volume, which is loosely correlated with revenue at best and inversely correlated at worst.
Data fiduciary or data processor? Most firms are both
The Act splits the world into data fiduciaries, who decide the purpose and means of processing, and data processors, who process on behalf of a fiduciary. The instinct at most law firms is to assume they are processors, because they handle client data on behalf of clients. That is half right, and the half it gets wrong is the half that carries personal liability.
When a firm processes data the client gave it for the matter (the client’s customer lists for an antitrust filing, the target’s employee data in due diligence), the firm is usually a processor. The fiduciary obligations (notice, consent, principal rights) sit with the client. The firm’s obligations sit at the processor level: security, sub-processor controls, assistance with breach response, return or deletion at the end of the engagement. One caveat matters here. The Act places the compliance duty on the fiduciary, including for processing done on its behalf by a processor (section 8(1)), and requires the fiduciary to engage a processor only under a valid contract (section 8(2)); it does not regulate processors directly. The firm’s processor-side duties are therefore whatever the engagement letter and the client’s processing terms say they are, which is why an engagement letter that is silent on the processor role leaves both sides exposed.
But when the firm collects data for its own purposes (intake KYC on a new client, employee data for the firm’s HR, marketing contacts for the newsletter, photographs and biographies for the website, alumni data for firm events), the firm is the fiduciary. Notice, consent, purpose limitation, principal rights and breach notification all flow to the firm directly.
Most Indian firms wear both hats every day and have written the engagement letter for neither. The result, in our sample, is that engagement letters do not name the processor role, the KYC consent at intake does not name the fiduciary role, and the website’s privacy notice does the work of both, badly.
Where the firm is usually the processor
- Client’s customer or employee data, given for the matter
- Target-company HR data in M&A due diligence
- Witness data passed by client in litigation briefs
- Custodian inboxes in e-discovery and forensic reviews
- Personal data sent by foreign counsel for an Indian filing
Where the firm is the fiduciary
- Intake KYC on clients and client signatories
- Employee, partner and contractor personal data
- Marketing lists, alumni rolls, event registrations
- Pitch decks holding individuals’ PII for credentials
- Website forms, contact-us submissions, careers applications
The five DPDP obligations that bite hardest at law firms
The Act runs to a few dozen sections. For a managing partner reading it for operational consequence, five obligations do most of the work and almost all of the damage.
One. Notice and consent at intake. Every new client engagement that involves the firm collecting personal data for its own fiduciary purposes (KYC, conflicts, billing contacts) needs a DPDP-compliant notice and, where consent is the lawful basis, a verifiable consent record. In our sample, three firms had updated their engagement letters by April 2026. The rest were relying on a 2017 standard form that pre-dates the Act and does not name purposes, retention periods or principal rights.
Two. Purpose limitation across matters. Personal data collected for one matter cannot be cheerfully reused for another. The cross-matter reuse that practice groups treat as institutional knowledge, due-diligence data marts, pleadings archives, witness contact rolodexes, is precisely the practice DPDP penalises. The fix is not a ban on knowledge management; it is a deliberate, recorded retention and reuse policy with a named owner per practice group.
Three. Cross-border transfer. Every brief sent to foreign counsel, every cloud backup that lands in a Singapore or Dublin region, every e-discovery review hosted on a US platform, every translation outsourced to a Manila or Cairo vendor, is a cross-border transfer of personal data. The Act permits transfers except to countries the Central Government notifies as restricted. The list will move. The compliance posture cannot be “we will see what gets notified.” It has to be a register of cross-border flows, refreshed quarterly, with a documented decision per flow.
Four. Data principal rights. The client whose data the firm holds is now a data principal with rights of access, correction, erasure and grievance redressal. So is the witness whose contact details sit in a twelve-year-old criminal brief. So is the candidate the firm interviewed in 2019 and never wrote back to. A firm that cannot respond to a verified principal request within the timelines the Rules prescribe is in default. Most firms in our sample have no process to receive a request, let alone fulfil one.
Five. Breach notification. The Rules require the fiduciary to intimate every affected data principal, and the Board, without delay on becoming aware of a personal-data breach, and to follow up to the Board with a detailed report within seventy-two hours of awareness (longer only where the Board allows it on a written request). The clock starts when the firm is aware of the breach, not when it is sure. A lost laptop holding matter files counts. A misdirected email with a client’s board-pack counts. Where the firm holds the data as the client’s processor, it is the client’s clock that is running, and the firm’s obligation is the contractual one to tell the client in time for the client to meet it. The runbook to handle this needs to exist before the incident, not be drafted on the night of one. In our sample, fifteen of nineteen firms had no written breach runbook.
The five above are not the complete obligation set. They are the five we have seen do the most damage, fastest, at firms that delayed action. The firms that drafted their breach runbook when the draft Rules were first published for consultation are not the ones losing panel slots today. The firms still treating it as a Q3 problem are.
Partner liability and the penalty regime under DPDP
The headline penalty is up to INR 250 Cr per category of violation. The headline is correct but partial. The number that should concentrate the partnership’s attention is the personal-liability test.
Section 33 of the Act lets the Board impose a monetary penalty on any person who breaches it, and “person” is defined to include a firm, a limited liability partnership and an association of persons. The Act has no separate deeming provision that pins the penalty on the officers in charge; the penalty lands on the firm as a person. In a traditional partnership that reaches the partners directly, because every partner is jointly and severally liable for the acts of the firm. In an LLP the entity shields partners from most firm liabilities, but not from the consequences of their own defaults or from the governance duties the deed and the designated-partner role place on them. Either way, the exposure does not stop at the IT head. It runs to the managing partner, the executive committee, and whichever partner or officer the firm has formally placed in charge of data protection, and among the factors the Board must weigh in fixing the penalty under section 33(2) is the mitigating action the firm took and how timely and effective it was. A board-level designation of the data protection officer is therefore not a hygiene step; it is a liability-locating step.
The comparison with the old regime is worth drawing because it explains why the partnership conversation has changed.
Before DPDP: the IT Act, 2000 and the SPDI Rules, 2011
- Compensation under section 43A, capped in practice
- Reasonable security practices, ill-defined in case law
- Officer liability narrow, mostly criminal-side under section 72A
- No statutory breach-notification clock
- No data-principal rights enforceable against a law firm
Under DPDP
- Penalties up to INR 250 Cr per category, per proceeding
- Specific obligations: notice, consent, purpose, retention, security
- Penalty under section 33 lands on the firm as a “person”; partners exposed through partnership liability and the governance chain
- Time-bound breach notification to Board and principals
- Principal rights enforceable, with grievance redressal mandated
Two practical implications. First, the firm needs a documented governance chain, MP to designated DPO to practice-group leads, so that the safeguards the firm had and the speed of its response, which the Board must weigh under section 33(2), can be evidenced, and so that every partner knows which of them will be answering the Board’s questions. Second, the partnership deed’s indemnity and insurance clauses need a fresh read against the new exposure. Most we have seen were drafted for a world where the only personal-data risk was a section 72A criminal complaint. That world is gone.
A third implication, which the insurance market is now pricing in, is the professional indemnity premium. Two of our sample firms went to renewal in April and reported quoted increases of between 18% and 34%, attributable to underwriters explicitly naming DPDP as a new risk category. Where the firm could show a documented DPDP programme, an appointed DPO, a vendor register, a breach runbook, the increase came down by between 8 and 14 points. The underwriting question is no longer whether the firm has a privacy policy on its website; it is whether the firm can produce, on request, the twelve artefacts of a working programme. Most cannot, yet.
Vendor due diligence: every tool is a sub-processor
The DMS, the practice-management system, the e-discovery platform, the contract-review AI, the translation vendor, the cloud backup provider, the courier scanning service, the transcription service the disputes team uses, every one of them is a sub-processor of personal data. Each needs a written contract, a security review, a sub-processor list of its own, and a deletion commitment at end of engagement.
The procurement angle on legal-AI tooling deserves a separate read, and we have one. The buyer’s checklist for legal AI is set out in our piece on the legal-AI vendor buyer’s checklist, which works equally as a sub-processor diligence template for any vendor touching personal data. The DPDP-specific clauses to insist on in every vendor contract are five: a defined processor role, a sub-processor register with right of objection, a breach-notification clock that flows up to the firm inside twenty-four hours, audit rights, and a hard deletion or return obligation at termination.
In our sample, the median firm had no central vendor register. Eleven of nineteen could not list, on a single page, every external system holding client personal data. Seven of those eleven had been asked the question by a client and had answered partially. That is the practice DPDP punishes.
The vendor lock-in problem deserves a separate flag. Two firms in our sample discovered, after starting the diligence exercise, that their incumbent DMS vendor had no contractual obligation to delete client data on termination, no documented sub-processor list, and no breach-notification clock to the firm. Renegotiating those terms is possible but slow. The firms that get ahead of this build a standard DPDP addendum, issue it to every live vendor on a thirty-day acknowledgement window, and treat refusal to sign as a procurement decision, not a legal one. Three firms in our sample have now switched a vendor for refusal to sign. None of the three regret the switch.
The 90-day DPDP implementation checklist for a law firm
A managing partner reading this will want a concrete plan, with owners and outputs, that can be put to the executive committee on Monday. The version below has worked at four firms in our sample. It assumes the firm starts from approximately zero, which is where most still are.
| Week | Task | Owner | Output |
|---|---|---|---|
| 1 | Appoint a data protection officer with a written mandate from the EC | Managing partner | Board minute and DPO terms of reference |
| 1–2 | Stand up a DPDP steering group: MP, COO, IT head, GC, two practice heads | Managing partner | Weekly thirty-minute standing meeting |
| 2–3 | Build the personal-data inventory: every system, every practice, every flow | DPO with IT head | Data map, one row per system, signed off by practice heads |
| 3–4 | Classify every open matter file by personal-data sensitivity (none, ordinary, sensitive) | Practice heads | Matter register with PII classification column |
| 4 | Identify and list every cross-border flow of personal data, current and intended | DPO with IT head | Cross-border register, quarterly refresh cadence |
| 5 | Update the firm’s standard engagement letter with DPDP notice and processor terms | GC with DPO | New standard engagement letter, mandatory from week 6 |
| 5–6 | Rewrite the intake KYC consent flow, with verifiable record-keeping | COO with DPO | New intake workflow, paper and digital paths |
| 6–7 | Build the vendor register and sub-processor list, with DPDP-compliant contract addendum | COO with GC | Vendor register, addendum issued to all live vendors |
| 7–8 | Draft the data principal rights process: intake form, verification, response SLA | DPO | Public-facing privacy page and internal SOP |
| 8–9 | Write the breach response runbook: detect, escalate, decide, notify, remediate | DPO with IT head | Runbook with named on-call roster and call tree |
| 9–10 | Run a tabletop simulation of two breach scenarios, lost laptop and misdirected email | DPO with EC | Lessons-learnt note and runbook revision |
| 10–11 | Train all fee-earners and support staff on DPDP basics and the firm’s SOPs | COO with DPO | Training attendance log, refresher cadence set |
| 11 | Audit retention: identify data that should already have been deleted, delete it | DPO with practice heads | Retention schedule, signed-off deletion log |
| 12 | Report to the partnership: posture, residual risks, twelve-month roadmap | Managing partner | Partnership minute and roadmap document |
| 12 | Notify the firm’s ten largest clients of DPDP posture and processor terms | Managing partner with relationship partners | Letter or note, plus updated engagement letter where due |
The plan is light on technology because, in practice, the binding constraints at most firms are not technological. They are organisational: who owns the data map, who signs the engagement letter, who picks up the phone when the breach is detected at 11 p.m. on a Friday. The tooling, including ours, comes after these answers, not before.
A note on cost. The four firms in our sample that ran the plan through to week twelve spent between INR 28 lakhs and INR 64 lakhs in the first year, depending on size. The largest line was DPO compensation, followed by training delivery and external counsel review of standard documents. Software costs sat in the INR 4 lakhs to INR 9 lakhs range. The dominant cost is people, not platforms, which is consistent with what we have seen on every other operational reform at Indian law firms over the last decade.
What changes inside the partnership room
The political beat is the one most pieces on DPDP avoid. It is also the one managing partners need to plan for, because the implementation surfaces habits that the partnership has tolerated for years.
The data map will name which practice groups touch the most personal data. In most firms it will be employment, family, criminal, banking and competition, in roughly that order. The partners running those groups will, correctly, point out that their compliance burden under DPDP is heavier than the corporate transactional group’s, even though the corporate group earns more. The conversation about how the firm budgets compliance time across groups, and whether the corporate group cross-subsidises the others, is a new one. It is also overdue.
The retention audit will surface old habits. The unencrypted hard drive at a senior partner’s desk with twelve years of matter files. The personal Gmail address used to send a brief to junior counsel in 2019. The shared drive that has not been pruned since the firm moved offices. The auditor is not a regulator; it is a member of the firm’s own staff acting on behalf of the partnership. The political question is whether the partnership will back them when they ask a senior partner to hand over the hard drive.
The vendor register will name tools that partners adopted personally and never told the firm about. Generative-AI tools, in particular, are a favourite of partners who feel they have been left behind by their juniors. The DPDP posture forces the partnership to decide what is firm-sanctioned and what is not. There will be resistance. It will mostly come from the partners who have been least careful.
DPDP is not the threat. The audit DPDP forces the firm to run on itself is the threat, and it is the part the partnership has been postponing for years.
On Partnership Politics
A managing partner at a Delhi disputes practice put it more bluntly when we walked them through the data map exercise: “you are asking me to take on three partners by Friday.” That is the honest version of the conversation. The firms that do it earliest will have it once. The firms that delay it will have it under a regulatory clock or a client letter, which is a worse meeting to convene.
There is a quieter compensation conversation too. Two firms in our sample have begun crediting DPO and data-steward time to a partner’s contribution metric, on a small but visible basis. The signal is the point. A partnership that wants compliance work to happen has to value it the way it values origination, even at the margin. Where compliance time is uncredited, it falls to the same three people who pick up every other uncredited piece of firm work, and the firm becomes structurally dependent on their goodwill. That is a fragile basis for a programme that has to run for the next decade.
The operational read-across to per-matter discipline
DPDP discipline borrows from, and reinforces, the operational discipline a well-run firm already applies to its matter ledger. A matter that cannot be mapped to a personal-data inventory is, almost always, a matter that cannot be mapped to a clean P&L either. The two audits, the data audit and the per-matter financial audit, surface the same loose practices: missing time records, missing closure steps, missing sub-processor disclosures, missing retention decisions.
We made that case at greater length in our earlier piece on why per-matter P&L is broken at most Indian firms. The DPDP analogue is straightforward: a firm that cannot tell you the true margin on a matter usually cannot tell you what personal data sat inside the matter either. The fix in both cases is the same, an operational function that owns the question, reporting to the managing partner, with the partnership’s air cover to ask uncomfortable questions of senior partners.
One firm in our sample paired the two audits deliberately. The senior associate running the matter-margin rebuild also captured the personal-data inventory at the same time, one row per matter, two extra columns. The marginal cost was four days of associate time. The output was a single register the executive committee could read both ways, by margin and by DPDP exposure. The matters at the top of the DPDP exposure list and the bottom of the margin list became the easy first conversation: drop the exposure or reprice the matter. Two engagements were exited inside the quarter. Neither, in retrospect, should have been on the firm’s books at the price.
What to do this quarter
Three actions, in escalating order of commitment. The first costs nothing beyond an hour of the executive committee’s time. The third costs a year of partnership attention. None of them are optional for a firm that intends to be on a banking, insurance or technology panel by March.
One. Convene a single ninety-minute session of the executive committee dedicated to DPDP posture. Walk through the five obligations above against the firm’s current state. If anyone in the room can answer all five with documented evidence, the firm is ahead of the median. If nobody can, the firm is at the median, and that is fine, provided action item three starts within the fortnight.
Two. Appoint a data protection officer with a written EC mandate, a reporting line to the managing partner, and a budget line for the next four quarters. The Act itself mandates a DPO only for a significant data fiduciary (section 10), and requires every other fiduciary merely to publish the contact details of someone able to answer data principals’ questions (section 8(9)); appointing a DPO anyway is what makes the rest of this plan run. The DPO does not have to be a senior partner, and in most firms it should not be; it should be a senior non-partner with the partnership’s explicit authority to direct partners on data matters.
Three. Run the twelve-week implementation plan above, with the steering group meeting weekly and a fortnightly note to the EC. Do not run it as a project with an end date and a celebratory email; run it as the beginning of a permanent function. The firms that treat DPDP as a one-off will fail their first audit. The firms that build the function will find that the function pays for itself in the panel-renewal conversations alone.
A note from the partnership
The reason DPDP feels heavier on Indian law firms than on most of their clients is not because the rules are heavier; the rules are roughly the same for everyone. It is because law firms have, for two decades, run on partnership autonomy in matters of process. Every partner has their own intake form, their own filing habit, their own preferred cloud tool, their own view on what to send by personal email. DPDP rules that out. The partnership has to agree, in writing, on a single way to handle personal data, and to enforce it on each other.
That is the hard part. It is also, quietly, the part that makes the firm a better firm. The same discipline that keeps the firm out of trouble with the Data Protection Board keeps the firm out of trouble with its largest clients, its insurers, its lateral hires and its own auditors. The cost of building it is real. The cost of not building it is larger, and it lands on the partners whose names sit on the section 33 notice.
A note on the data. The firm-level observations in this piece are drawn from the same survey set as the 2026 Indian Law Firm Benchmark: nineteen Indian law firms across eighteen months, five cities, with nine sharing line-item operational data. The DPDP-specific posture observations come from structured questionnaires returned by sixteen of the nineteen firms between February and May 2026, plus follow-up interviews with managing partners, COOs and IT heads. All firm and partner examples in this piece are anonymised; the Mumbai firm and the Delhi disputes partner are composites, drawn from more than one underlying conversation.
Firmtalk and this view. Firmtalk builds practice-operations software for Indian law firms. The data map, vendor register, matter classification, principal-rights intake and breach runbook described above are workflows our customers run inside the product. Six of the nineteen firms in the underlying benchmark use Firmtalk. The remaining thirteen do not, and we walked them through the same plan on the same terms. The plan stands or falls on its own; the product is the way the firms that run it monthly avoid letting it lapse.