How will DPDP Act impact the Indian BFSI sector?

November 7, 2023

Anahad Narain

Founder's Office


  • India's new data protection law mandates explicit consent for personal data use.
  • BFSIs must prepare to balance the obligations of multiple regulators, including RBI, SEBI, and IRDAI, alongside the new data protection requirements.
  • Failure to comply can bring heavy fines up to 250 Crore Rupees.
  • Integrating Consent Managers, overhauling data practices, and staying agile in the face of evolving data governance laws are now critical moves for every BFSI player.

Data is the very heart of the Banking, Financial Services and Insurance (BFSI) sector of India. From understanding customer needs to risk management and compliance, data drives almost every decision - converting risk to profit.

HDFC Bank - India’s largest private sector bank -  has a customer base of 12 crores. Bajaj Finserv - India’s largest NBFC has a customer base of 7.6 Crores. These are not just numbers. Each customer represents a wealth of data, essential for HDFC Bank and Bajaj Finserv to offer tailored financial solutions and expand their AUMs.

The imminent implementation of the Digital Personal Data Protection (DPDP) Act will mark a significant shift in how BFSI companies can handle personal data. With penalties up to 250 Crore Rupees, the stakes have never been higher and businesses will have to reconsider their operations across the board to remain compliant. 

First let us quickly go over the law.

What is the new DPDP Law?

For a detailed breakdown of the Digital Personal Data Protection Act refer to our articles on DPDP applicability, penalties, and exemptions on our Consent Blog.

Individuals have immense control over their personal data under the DPDP Regime.

When does the DPDP Act apply to you?

Under the DPDP Act, two key roles emerge: 'Data Fiduciaries' and 'Data Principals.' 

Think of Data Fiduciaries as the guardians of data – in this case, BFSI companies that collect and process customer information.  On the other hand, Data Principals are the individuals to whom this data belongs – the customers. 

What data is covered?

Digital Personal Data - any data that can be used to identify an individual is covered under the Digital Personal Data Protection Act. Even if the data is physically collected and digitized subsequently.

BFSIs regularly collect and process data like customers’ name, account number, Aadhar number, photograph, credit history etc. The DPDP Act would apply to all these and more. The Act also applies to personal data processed overseas if it concerns customers and business in India.

What are the DPDP obligations for processing personal data?

The DPDP Act predicates collection and usage of personal data on CONSENT.

The new law says that customers must explicitly agree to how their data is used by companies reshaping the traditional dynamics of data control. If any company processes personal data without consent they will violate the DPDP Act. Penalties up to 250 Crore Rupees may apply.

The limited exceptions to consent requirement pertain to “certain legitimate uses” like state functions, health emergencies and fulfillment of a legal obligation. These exceptions will rarely apply to data activities performed by BFSIs. This makes collection of proper consent a necessity. 

The era of customer data being a freely accessible asset is giving way to a new regime where customer consent dictates data strategies. Here are 7 Key changes for BFSIs in the age of the DPDP Act… 

Key obligations for BFSI Sector under DPDP Act

1. Transparent Notices

There is a pivotal shift in how BFSIs obtain consent. It's no longer about checking a box; it’s about complete transparency. BFSIs must now provide detailed notices explaining the specific purpose of data collection and future use, ensuring customers are fully informed. Consent itself must be expressed in a clear and affirmative action which throws into question many existing practices such as prefilled click wrap solutions.

The first consent notice is broad and unclear therefore non-compliant with the DPDP Act

That’s not all, the notice must also include clear instructions on grievance redressal and the option to withdraw consent. The notice must be in English as well as the 22 Indian languages mentioned in the Eighth Schedule. Most significantly, the burden of demonstrating that consent was collected in the manner prescribed is on the BFSIs. BFSIs will need to maintain detailed consent records for each customer to prove their data activities are not breaching the Digital Personal Data Protection Act 2023.

2. Purpose and Storage Limitations

The era of flexible data use is over. Data can now only be used for the purpose explicitly stated at the time of collection. If BFSIs veer off course and use data for any purpose not initially consented to, they risk breaching the DPDP Act. This reinforces the necessity for BFSIs to be precise and transparent about their data use intentions right from the start, requiring a more granular approach to consent collection.

BFSIs must also embrace a disciplined approach to data retention. Data collected with consent is bound to its purpose. Once the purpose is fulfilled or if the customer withdraws their consent, the data must vanish from the BFSIs’ systems. This marks a significant departure from the erstwhile practice of long-term data retention, ensuring data is kept only as long as absolutely necessary.

3. Empowered Customers

Since consent is key, the customers already have enormous control. The DPDP Act goes even further and provides additional powers to customers as Data Principals. Customers can withdraw their consent at any moment, prompting a halt in data processing. BFSIs must ensure that the process of withdrawing consent is as easy and accessible as the process of giving it.

The Act not only empowers customers to retract consent but also entitles them to a comprehensive view of how their data is being used. BFSIs are now obligated to provide, upon request, a summary of the customer's information, detailing the data processing activities undertaken and disclosing any third-party entities the data has been shared with. This level of transparency demands BFSIs to maintain meticulous records and be prepared to disclose this information swiftly.

4. Data Breach Prevention

If there is a breach of personal data, the responsible company is obligated to notify the Data Protection Board (DPB) and the affected customer. Penalties range up to 250 Crore. To prevent such costly breaches, BFSIs need to overhaul their data protection strategies at every organizational level. This involves extensive retraining of employees to align with the new standards of data handling and security. 

Furthermore, internal protocols for data sharing and disclosure must be meticulously reviewed and strengthened, particularly in collaborations with Fintechs and other partners. The Fintechs will be cast as Data Processors and ultimately the burden of demonstrating compliance will still be on the Data Fiduciaries, i.e., the BFSIs. BFSIs will need to exercise greater caution in choosing trustworthy Fintechs to partner with. 

5. Data Analytics and Risk Assessment  

The assessment risk is the bedrock of successful finance operations and so much depends on data analytics: Measuring sales performance, credit and liquidity risk analysis, deploying targeted marketing,  product pricing, spotting trends to prevent fraud and so on. 

It's crucial to not only assess which data points are being collected but also to justify their legal basis and ensure explicit customer consent for each specific use. BFSIs must now navigate the delicate balance of obtaining customer consent while also being prepared for scenarios where consent is either denied or withdrawn. This dynamic could significantly impact critical functions like product pricing and fraud prevention, compelling BFSIs to devise flexible strategies that can adapt to varying levels of data availability. 

6. Customer Lifecycle Management

Marketing, profiling, onboarding, service and closure of customer relationships must all be in line with the DPDP Act. A customer that has shared their phone number for bank account opening cannot be called by the bank for promoting a credit card, unless specific consent for that has been given in the manner prescribed. Similarly, the product will need to reflect the same principles: notices on websites and phone apps must provide clear and concise notice about the data being collected and for what purposes flowing from a well-defined policy on usage of customer’s personal data, protection and retention. Read our blogpost on the impact of the DPDP Act on telemarketing to explore this further.

7. Significant Data Fiduciaries  

It is likely that the larger Banks, NBFCs and Insurance Companies may be categorized by the Data Protection Authority as Significant Data Fiduciaries (SDFs) given the sensitive nature and large volume of data processed by them. SDFs will have to comply with even stricter obligations such as appointing a dedicated Data Protection Officer, conducting data protection impact assessments, data audits and other measures as prescribed by the government. Bigger BFSIs will have higher responsibility to protect personal data and will likely face higher fines if they fall short.

What other BFSI regulations to keep in mind?

The Digital Personal Data Protection Act stipulates that the collection and processing of data must be for a lawful purpose. It does not matter if the Data Principal has given consent. If the use of data is violative of any existing law outside the DPDP Act it would automatically constitute a breach of the DPDP Act. 

The finance sector is regulated by the Reserve Bank of India (RBI) that supervises the functions of banks and NBFCs, the Securities and Exchange Board of India (SEBI) that regulates mutual funds, capital markets and the Insurance Regulatory and Development Authority of India (IRDAI) that oversees the Insurance Sector.

These bodies regularly notify circulars, rules and guidelines that apply to data governance practices. We will now consider some practical examples where the DPDP Act will intersect with other laws.

Navigating the interplay of existing regulations with the DPDP Act is no simple matter 

Consent Exception - The DPDP Act carves an exception to the consent requirement in case data is offered voluntarily by the Data Principal. However, the Digital Lending Guidelines applicable to Regulated Entities (RE) only allow access and sharing of data subject to prior and explicit consent of the prospective borrower for specified purpose, even if the data is being voluntarily offered. 

Data Retention - The DPDP Act requires entities to erase personal data after fulfillment of specified purpose, however NBFCs may retain data well beyond the specified purpose due obligations under the Prevention of Money Laundering Act (PMLA) or the RBI’s KYC Master Directions.  Hence, the period of retention of personal data will need to account for both the purpose limitation of the DPDP Act as well as the buffer period under the regulatory mandate. 

IT and Security Regulations - There are regulations pertaining to data localization, IT frameworks, information security standards and incident reporting further complicates the web of compliances. The RBI’s Storage of Payment System Data Circular of 2018, IRDAI (Maintenance of Insurance Records) Regulations, 2015, RBI’s Cyber Security Framework in Banks circular, Master Direction - IT Framework for NBFCs and many more regulations will need to be included in assessing the unfolding parameters of the DPDP Act. 

The Joint Parliamentary Committee Reports stressed the importance of ensuring that the rules in different industries match the data protection law. In cross-border data transfers, the DPDP Act says that if other laws or rules offer more protection or restrictions, those should still be followed. Whether this approach will apply for other conflicts is unclear at the moment. The Data Protection Board (DPB) or the upcoming Digital Personal Data Protection Rules may provide greater clarity.

The Road Ahead

The Digital Personal Data Protection Act is not just a regulatory update; it's a revolution in data governance. In this new era, customers reign supreme over their data, and BFSIs must adapt swiftly. The key? Clear, explicit consent for every data interaction. BFSIs now have the crucial task of ensuring customers retain ultimate control over their data - from its use to its deletion. This shift is monumental for a sector that thrives on data.

To steer through these uncharted waters, BFSIs must consider aligning with Consent Managers. These entities, introduced by the DPDP Act, are set to play a pivotal role, akin to the Account Aggregators of the financial world, but with a broader spectrum covering all personal data. Leegality has built India's first DPDP compliant Consent Manager. Most of the hurdles for DPDP compliance can be smoothly navigated by BFSIs with the strategic deployment of Leegality's Consent Manager. Take the lead in DPDP compliance by booking a demo for our Consent Manager today!

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.