
Navigating India’s New Digital Data Protection Laws: What Banking and Financial Services Companies Must Do Now
Banks, NBFCs, and insurers must adopt a holistic compliance framework integrating legal, technical, and organizational elements to meet DPDP obligations, mitigate risks, and reinforce trust in their digital services
Background
The Ministry of Electronics and Information Technology has notified the Digital Personal Data Protection Rules, 2025 on 13th November 2025 under the Digital Personal Data Protection Act, 2023 (the “DPDP Regulations”). The DPDP Regulations impose significant obligations on the collection and processing of digital personal data, emphasizing individual rights alongside lawful data processing.
Applicability and Compliance Timeline
The DPDP Rules apply to digital personal data processing within India and cross-border processing related to goods or services provided to data principals in India. The compliance deadline for data fiduciaries is 18 months from November 13, 2025. Financial institutions must become fully compliant within this period.
Key Requirements Under the DPDP Rules
- Notice and Consent: Data fiduciaries must provide clear, standalone notices to data principals explaining what data is being collected, the purposes of processing, and the data principal's rights, including the right to withdraw consent. A consent manager (an Indian company having a net worth of at least INR 2 crore) registered with the Data Privacy Board of India (“DPB”) must be engaged by data fiduciaries to facilitate the management and revocation of consent by data principals.
- Data Security: The DPDP Regulations make certain reasonable security safeguards mandatory for data fiduciaries. These include encryption, masking, access controls, logging of access activities, maintaining backups, and incorporating security measures in contracts with data processors.
- Breach Notification: Data fiduciaries must promptly notify affected data principals and the DPB about personal data breaches. Detailed follow-up reports with mitigation efforts and preventive measures must be submitted within 72 hours of the time the data fiduciary becomes aware of the breach.
- Data Erasure: Data fiduciaries must erase the data collected from data principals upon request, or if the data is no longer needed. For erasure on grounds of obsolescence of data, a 48-hour advance notice to data principals is mandatory, allowing them to retain their data if desired.
- Special Categories: Specific consent protocols apply for processing data of children and persons with disabilities, including verifiable consent from parents, guardians, or legal representatives with proper identity verification.
- Significant Data Fiduciaries (SDFs): SDFs (to be notified by the central government) face enhanced obligations such as performing data protection impact assessments, regular audits, appointing data protection officers, and ensuring stronger data governance.
- Data Principal Rights: Data principals can access, correct, erase their data, and nominate representatives. Grievances must be resolved within 90 days through an effective grievance redressal system.
- Cross-border Data Transfers: Transfers outside India are permitted under Central Government conditions, barring countries specifically blacklisted, with safeguards to protect privacy and data security.
Existing RBI Requirements for Banks and Financial Institutions
Banks and NBFCs already follow stringent data protection rules under RBI Master Directions, including confidentiality, data minimization, sensitive data handling, and five-year mandatory data retention for transaction and identification records. Payment system data must be stored in India or brought back within 24 hours. The DPDP Rules add compliance layers, requiring harmonization of RBI and DPDP obligations.
Consequences of Non-compliance
Strong privacy frameworks play a crucial role in fostering innovation, trust, and sustainable business growth by enabling responsible product development. However, poor consent management practices can hinder this progress, delaying the adoption of new technologies and the launch of digital products. Non-compliance with privacy obligations may attract regulatory sanctions, which could include suspension of data processing or product launches until compliance gaps are resolved. Moreover, organizations face significant financial exposure, as monetary penalties under the Digital Personal Data Protection (DPDP) Act can reach up to INR 250 crore for data breaches, failure to notify authorities, or violations involving children’s data.
Recommended Actions for Banks and Financial Services
Banks and NBFCs should undertake the following activities in order to ensure compliance with the DPDP Regulations:
- Conduct a Personal Data Inventory and Mapping Exercise: Catalogue all collected personal data, classify based on sensitivity, and map data flows including internal handoffs and third-party transfers with periodic updates.
- Build or Enhance Consent Management Systems: Implement secure, verifiable, and auditable consent capture frameworks accommodating easy withdrawal and special protocols for sensitive categories.
- Review and Upgrade Security Architectures: Deploy encryption, access controls, continuous monitoring, logging, and incident management systems aligned with DPDP requirements.
- Revise Vendor Management Policies and Contracts: Institute rigorous vendor due diligence protocols and draft comprehensive DPAs addressing DPDP mandates, ensuring ongoing vendor compliance monitoring and audit rights.
- Update Data Retention and Erasure Policies: Establish clear policies for data retention limits, erasure triggers, and customer notifications aligned with prescribed timelines and regulatory expectations.
- Institutionalize Governance and Training Programs: Appoint Data Protection Officers, conduct DPDP-focused training for all relevant stakeholders, and establish audit and compliance monitoring mechanisms.
- Establish Cross-Border Data Transfer Procedures: Develop legal and technical controls for compliant international data transfers consistent with governmental restrictions.
- Implement Customer Rights Enablement Platforms: Deploy user-friendly portals allowing customers to manage consents, access their data, and submit grievances with guaranteed response timelines.
In summary, banks, NBFCs, and insurers must adopt a holistic compliance framework integrating these legal, technical, and organizational elements to meet DPDP obligations, mitigate risks, and reinforce trust in their digital services.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.