What is the DPDP Act, and how does it affect BFSI?
The DPDP Act has outlined new rules for digitally handling personal data. Roles under the DPDP Act that are critical for the BFSI sector include:
- Significant Data Fiduciaries / Data Fiduciaries: Organizations, like banks and NBFCs, that collect and process customer data.
- Data Principals: The individuals to whom the data belongs — the customers.
The DPDP Act aims to protect all personal data that can be used to identify an individual. This includes the person’s name, account number, Aadhaar details, credit history, photograph, etc.
The DPDP Act also applies to personal data that is processed outside India if it relates to Indian customers or business.
What is the current compliance challenge for BFSI under the new DPDP Act?
Data is at the centre of the BFSI sector in India. All BFSI entities process significant amounts of personal data for the purpose of their business operations.
The implementation of the DPDP Act will mark a significant shift in how BFSI companies can handle personal data, with penalties up to ₹250 crore for non-compliance.
What does the DPDP Act mean for the BFSI Sector?
The DPDP Act mandates CONSENT for the collection and usage of personal data. Under the new law, customers must explicitly agree to how companies use their data, which reshapes the traditional methods of data collection and use. Processing personal data without clear consent will be a violation of the DPDP Act.
For BFSIs, the DPDP Act marks a big shift in data governance:
- Data Fiduciary: BFSIs are legally responsible for obtaining lawful consent and managing collected personal data as per the provisions of the Act.
- Explicit Consent Required: Consent must be informed, documented, and given via clear affirmative actions and the consent notice must be available in multiple Indian languages.
- Purpose-Driven Data Use: Data must only be used if consent to use the data has been provided by the individual. The data must be immediately deleted if the consent is withdrawn or the purpose of collecting the personal data has been fulfilled.
- Enhanced Customer Rights: Customers can access data usage summaries and easily withdraw consent at any time.
- Strict Breach Notification: BFSIs must notify the Data Protection Board and affected customers immediately about any data breach.
- Significant Data Fiduciaries (SDF): BFSIs with a large user base will have more compliance obligations regarding personal data, including appointing Data Protection Officers and conducting impact assessments.
- Overlap with Existing Regulations: DPDP compliance must coexist with RBI, SEBI, IRDAI rules.
How can BFSIs comply with the DPDP Act?
To meet DPDP requirements, BFSIs should:
- Adopt Consent Management: Diligently use consent management platforms that will help them automate consent collection, provide multi-language support, and generate full audit trails.
- Implement Purpose-Based Data Governance: Tag data by purpose and automate retention and deletion workflows aligned with legal mandates.
- Empower Customers: Provide user-friendly portals for consent withdrawal and data access requests.
- Strengthen Cybersecurity and Third-Party Oversight: Enhance data breach prevention, incident response, and conduct strict compliance audits of fintech and third-party vendors.
- Align Regulations: Form cross-functional compliance teams to unify DPDP with sectoral laws and update policies regularly.
- Train Teams: Conduct organization-wide training on new data protection obligations and customer rights.
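The purpose-binding, withdrawal-triggered deletion and audit-trail requirements described above, as an added illustration that is not part of this article and not Leegality's code: a minimal consent ledger where each record is tagged with the purpose it was collected for, storage is refused without active consent, and withdrawing consent for one purpose erases only that purpose's data. Customer IDs, purposes and records are constructed sample values.

```python
"""Purpose-bound consent ledger: added illustration, not Leegality's code.
Storage is allowed only under a consented purpose, withdrawal erases just that
purpose's data, and every decision is audited. All values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentLedger:
    consents: dict = field(default_factory=dict)  # (principal, purpose) -> consent
    data: dict = field(default_factory=dict)      # (principal, purpose) -> records
    audit: list = field(default_factory=list)     # append-only event log

    def _log(self, event, principal, purpose):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, principal, purpose))

    def grant(self, principal, purpose, notice_lang):
        # One consent per purpose, recording the language of the notice shown.
        self.consents[(principal, purpose)] = {"active": True, "lang": notice_lang}
        self._log("consent_granted", principal, purpose)

    def is_permitted(self, principal, purpose):
        consent = self.consents.get((principal, purpose))
        return bool(consent and consent["active"])

    def store(self, principal, purpose, record):
        # Data is tagged with its collection purpose; no active consent, no storage.
        if not self.is_permitted(principal, purpose):
            self._log("store_refused", principal, purpose)
            raise PermissionError(f"no active consent for purpose {purpose!r}")
        self.data.setdefault((principal, purpose), []).append(record)
        self._log("data_stored", principal, purpose)

    def withdraw(self, principal, purpose, reason="consent_withdrawn"):
        # Deactivate this purpose's consent and delete only its data; the same
        # path applies with reason="purpose_fulfilled" once the purpose is served.
        if (principal, purpose) in self.consents:
            self.consents[(principal, purpose)]["active"] = False
        deleted = len(self.data.pop((principal, purpose), []))
        self._log(f"{reason}:deleted={deleted}", principal, purpose)
        return deleted


def demo():
    # Constructed sample: one customer, two purposes, marketing consent withdrawn.
    ledger = ConsentLedger()
    ledger.grant("cust-001", "kyc", "hi")
    ledger.grant("cust-001", "marketing", "hi")
    ledger.store("cust-001", "kyc", {"pan_last4": "234X"})
    ledger.store("cust-001", "marketing", {"email": "user@example.com"})
    deleted = ledger.withdraw("cust-001", "marketing")
    return ledger, deleted
```

After the withdrawal, KYC data and consent remain intact while any further marketing storage is refused and logged, which is the per-purpose behaviour the audit trail has to evidence.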
What is the road ahead for the BFSI sector?
The DPDP Act is not just a regulatory update; it's a revolution in data governance. In this new era, customers have absolute control over their data, and BFSI entities must adapt quickly. With Leegality, Banks and NBFCs can comply with the DPDP Compliance Rules and future-proof their organisation’s data compliance.
Leegality’s ConsentIn offers:
- Multilingual, granular consent capture and management.
- Dashboard to maintain legally compliant, auditable consent records with purpose specificity.
- Customer portals for transparent consent control and data access.
- Seamless integration with BFSI CRM, analytics, and partner ecosystems.
- Support to BFSIs in fulfilling SDF obligations through advanced governance features.