DPDP Act 2023: Data Compliance for Valuation Firms
The Digital Personal Data Protection Act, 2023 (DPDP Act) imposes new obligations on entities processing personal data in India. Valuation firms, which routinely handle sensitive financial information about companies, their shareholders, and key management personnel, fall squarely within the Act's scope. This article examines the specific compliance requirements relevant to valuation practice.
Scope of Application to Valuation Firms
Valuation firms process personal data at multiple stages of an engagement: during client onboarding (identity documents, PAN, DIN details), during data ingestion (KMP compensation data, shareholding patterns with individual names, director details from MCA filings), during analysis (individual transaction data when assessing related party transactions), and during report preparation (individual names, designations, and professional credentials).
Under the DPDP Act, a valuation firm is a 'Data Fiduciary' when it determines the purpose and means of processing personal data. When the firm processes data on behalf of a client (e.g., analyzing client-provided employee data), it may also act as a 'Data Processor.' Both roles carry distinct obligations.
Consent and Purpose Limitation
The Act requires that personal data be processed only for the purpose for which consent was obtained or for which it is deemed legitimate. For valuation firms, this means clearly defining the scope of data processing in engagement letters. Data collected for one valuation engagement cannot be retained or repurposed for marketing, benchmarking, or other secondary uses without fresh consent.
Data Principal Rights
Individuals whose data is processed (data principals) have the right to access information about how their data is being used, the right to correction and erasure, and the right to grievance redressal. Valuation firms must establish processes to respond to such requests, which is particularly relevant when reports contain personal data of company directors and key management personnel who are not the firm's direct clients.
Data Retention and Deletion
The DPDP Act mandates deletion of personal data once the purpose of processing is fulfilled, unless retention is required under another law. For valuation firms, this creates a tension with professional requirements to maintain working papers for quality review and regulatory inspection (IBBI requires retention for a minimum of three years). Firms must clearly document their retention policies, distinguishing between data retained under professional obligations and data that should be deleted.
Technical and Organizational Measures
Valuation firms must implement reasonable security safeguards to protect personal data. This includes encryption of data at rest and in transit, access controls limiting data visibility to authorized team members, audit trails for data access, secure storage of client documents, and protocols for data breach notification.
Firms using cloud-based valuation platforms or SaaS tools must ensure that their technology vendors also comply with DPDP requirements, as the Data Fiduciary remains responsible for processing undertaken by Data Processors on its behalf.
Cross-Border Data Transfers
Some valuation firms serve international clients or use global data platforms. The DPDP Act restricts transfer of personal data to countries not approved by the Central Government. Firms must evaluate whether their data flows involve cross-border transfers and, if so, whether the destination countries are on the approved list.
Practical Steps for Compliance
Valuation firms should begin by conducting a data mapping exercise to understand what personal data they process, where it is stored, how it flows through their systems, and who has access. Based on this mapping, firms should update their engagement letters to include DPDP-compliant privacy notices, implement or upgrade security measures, establish procedures for handling data principal requests, and train staff on data protection obligations.
The DPDP Act represents a significant evolution in India's data protection framework. Valuation firms that proactively address compliance will not only avoid regulatory risk but also build client confidence in their data handling practices.