Sexual Harassment at the Workplace
POSH Act, 2013
Mandatory from 10+ employees. No exceptions for law firms.
HIGHCompliance Risk
The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act applies to every employer with 10 or more employees. Law firms are not exempt. The 2025 Companies (Accounts) Amendment Rules now require detailed POSH disclosures in the Board's Report.
What goes wrong
- No Internal Complaints Committee (ICC) constituted
- ICC formed but missing external NGO member or female chair
- No POSH policy circulated to staff
- No annual training conducted or documented
- No annual report filed with District Officer
- No defined complaint handling timeline (90-day inquiry rule)
How CTD closes it
- ICC constitution review and refresh with prescribed composition
- Policy drafted, displayed, signed by all staff
- Annual training calendar with external trainer
- Annual report drafted and filed with statutory authority
- Documented complaint procedure handed at onboarding
- Board's Report disclosures kept current (2025 amendment)
| Violation | Penalty | Source |
|---|
| First offence — non-compliance | Up to ₹50,000 | POSH Act, Section 26 |
| State-enhanced fine (e.g., Tamil Nadu) | Up to ₹1,00,000 | State directives, 2024 |
| Repeat offence | 2× original + licence risk | POSH Act, Section 26(2) |
| Failure to disclose in Board's Report | Companies Act penalty | 2025 Companies Rules |
Data Protection
Digital Personal Data Protection Act, 2023
Operational since 13 November 2025. Substantive obligations enforceable by May 2027.
CRITICALCompliance Risk
Law firms are Data Fiduciaries by default under the DPDP Act 2023. You determine the purpose and means of processing personal data — employees, candidates, clients, prospects, opposing parties. Some firms may be designated Significant Data Fiduciaries with enhanced obligations.
What goes wrong
- Personal data scattered across personal Gmail, partner laptops, shared drives
- No consent framework for candidate, client or employee data
- No breach response runbook
- No data inventory or processing register
- Sensitive data (Aadhaar, financial) on uncontrolled storage
- No Data Protection Officer designated
How CTD closes it
- DPDP readiness audit: data inventory, access map, risk assessment
- Consent framework rolled out across HR, BD and client onboarding
- Breach response runbook with named owners and DPB reporting protocol
- Data Processing Impact Assessment (DPIA) templates
- Fractional DPO arrangement until in-house role makes sense
- All CTD-managed pipelines built DPDP-aligned from day one
| Violation | Penalty | Source |
|---|
| Failure to take reasonable security safeguards | Up to ₹250 crore | DPDP Act 2023, Schedule |
| Failure to notify breach to DPB | Up to ₹200 crore | DPDP Act 2023, Schedule |
| Children's data obligations breach | Up to ₹200 crore | DPDP Act 2023, Schedule |
| Significant Data Fiduciary obligations breach | Up to ₹150 crore | DPDP Act 2023, Schedule |
Professional Conduct
Bar Council of India Rules & Advocates Act, 1961
Solicitation, advertising, fee-sharing and conduct standards.
MEDIUMCompliance Risk
The BCI Rules constrain how advocates and firms market themselves. The line between permissible thought leadership and impermissible solicitation is narrower in India than in many jurisdictions. With BCI liberalisation reshaping the market, firms need a marketing strategy bold enough to grow and disciplined enough to stay inside the lines.
What goes wrong
- Aggressive paid advertising of legal services
- Direct solicitation language in outreach
- Testimonial or success-rate claims in marketing
- Fee-sharing arrangements with non-lawyers
- Misleading partner profiles or firm descriptions
- Inappropriate name/branding under firm-name rules
How CTD closes it
- Content marketing built on thought leadership, not solicitation
- BD outreach scripts reviewed against BCI standards
- Partner LinkedIn discipline that informs without overstepping
- Speaker/panel positioning that builds reputation without conflict
- Engagement letters and fee structures aligned with BCI norms
- Liberalisation watch — track BCI updates so the firm adapts early
Employment Law
Labour Law & Employment Compliance
EPF, ESI, S&E, gratuity, professional tax, new Labour Codes.
MEDIUMCompliance Risk
The same firms that draft employment contracts for clients sometimes leave their own arrangements informal. Once a firm crosses statutory thresholds — EPF (20 employees), ESI (10+ in covered areas), S&E, professional tax — non-compliance starts to compound silently.
What goes wrong
- EPF / ESI registration thresholds missed silently
- S&E registration not renewed in time
- Professional tax filings inconsistent across states
- Gratuity provisioning not done (applies to 10+)
- Employment contracts inconsistent across roles
- Labour Codes transition not tracked
How CTD closes it
- HR onboarding includes labour compliance audit
- EPF, ESI, S&E, PT registrations tracked centrally
- Statutory returns & filings calendar maintained
- Standard contract templates per role type
- Leave, exit, grievance, gratuity policies signed off
- Labour Codes transition plan as states notify
Client Data & Privilege
Confidentiality, Privilege & IP Assignment
The firm's most valuable asset is its information. Most don't treat it that way.
HIGHOperational Risk
Privileged communications, client files, partner know-how, internal templates and matter precedents are the firm's compounding intellectual asset. Without IP-assignment clauses in employment contracts, work product done by departing lawyers can become contested.
What goes wrong
- No IP assignment in employment contracts
- No information classification scheme
- Sensitive client matter data on personal devices
- No retention & disposal policy — data accumulates indefinitely
- No formal conflict-check procedure
- Privileged communications mixed with non-privileged routinely
How CTD closes it
- Employment contract refresh: IP assignment, confidentiality, non-solicit
- Information classification: privileged / confidential / internal / public
- Device & storage policy — firm devices, firm storage, no personal Gmail
- Retention & disposal schedule aligned with DPDP and BCI
- Conflict-check workflow at intake with documented trail
- Annual confidentiality refresh as part of policy training
For CA & CS Firms
ICAI Peer Review · ICSI Peer Review · Secretarial Standards
Phased mandates already live. Listed-company services now fully covered.
HIGHCompliance Risk
ICAI Peer Review: Mandatory for practising CAs and firms since 2017, phased by scope. Phase II (1 July 2024): unlisted public companies with paid-up capital ≥ ₹500 cr, turnover ≥ ₹1,000 cr, plus all firms with 5+ partners doing attestation. Phase III (1 July 2025): public-interest entities and 4+ partner firms. Phase IV (31 December 2026): firms with 3+ partners doing attestation, including PSU bank-branch audits.
ICSI Peer Review: Initially top-100 listed cos (2020), expanded to top-500 (2021), then all listed cos (2022), now covering all companies for whom a PCS issues a Secretarial Audit Report or Annual Return certification. Mandatory under SEBI (LODR) for top-100 by market cap.
What goes wrong
- No Peer Review Certificate obtained before accepting a peer-review-mandatory assignment
- Quality control manual missing or outdated for the firm size
- Working papers, sampling, supervision evidence not documented to ICAI/ICSI standards
- FRRB / QRB observations from prior engagements not closed out
- NFRA notice received and not responded to within the statutory window
- Independence and rotation rules (Sec 144, 139 Companies Act) not tracked centrally
- ICAI/ICSI advertising guidelines breached (no testimonials, no comparative marketing, no firm-name violations)
How CTD closes it
- Peer Review readiness audit: quality control framework, sampling, working-paper review
- Reviewer empanelment + scheduling, observation tracking, certificate renewal calendar
- Documentation templates aligned with ICAI Statement on Peer Review & ICSI Peer Review Guidelines
- FRRB / QRB / NFRA response workflow with named partner-owner and timeline
- Independence and rotation register maintained quarterly
- BD content reviewed against ICAI Council Guidelines No. 1-CA(7)/02/2008 and ICSI advertisement code
- Same RACI discipline applied to compliance as to BD — nobody “forgets” a filing
| Trigger | Consequence | Source |
|---|
| Accepting peer-review-mandated assignment without certificate | Disciplinary proceedings; assignment void | ICAI Peer Review Mandate; ICSI Peer Review Guidelines |
| FRRB / QRB adverse observation unresolved | Disciplinary referral; reputational risk | FRRB / QRB processes |
| NFRA penalty for audit failure (listed cos) | Monetary penalty + debarment up to 10 years | NFRA Rules 2018, Sec 132 Companies Act |
| ICAI advertising / professional conduct breach | Disciplinary action under Schedule I/II | ICAI Council Guidelines; CA Act 1949 |
If you run a CA or CS firm
CTD’s engagement is identical — same five pillars, same monthly cadence, same RACI. The compliance backbone shifts from BCI to ICAI/ICSI. See the CA/CS landing page for how the five pillars translate.