Impact of the DPDP Act on the Indian BFSI Sector

May 23, 2024
Manjul Sood

The core of the Indian banking, financial services, and insurance (BFSI) industry is data. Data is used to inform practically every decision, from risk management and compliance to customer demands analysis and profit maximization.
The largest private sector bank in India, HDFC Bank, has 12 crore customers. The largest NBFC in India, Bajaj Finserv, has 7.6 crore customers. These are not merely numerical values. In order for HDFC Bank and Bajaj Finserv to provide individualized financial solutions and increase their AUMs, each customer represents a wealth of data.
The Digital Personal Data Protection (DPDP) Act, which is about to go into effect, will significantly alter how BFSI businesses are allowed to handle personal data.

The stakes are higher than ever, with fines of up to 250 crore rupees, and companies will need to reevaluate every aspect of their operations to stay in compliance.
Let’s briefly review the laws first.

When does the DPDP Act apply to you?

Data Fiduciaries and Data Principals are two new significant roles that emerge under the DPDP Act.
Consider data fiduciaries, or BFSI organizations that gather and handle consumer data, as the guardians of data. Conversely, the people who own this data—the customers—are known as the data principals.

Which data sets are included?
The Digital Personal Data Protection Act applies to digital personal data, which is any data that can be used to identify an individual, even in cases where physical data collection is followed by digitization.
BFSIs routinely gather and handle client information such as name, account number, Aadhaar number, photo, credit history, and so forth. All of these and more would be covered by the DPDP Act. The Act also applies to personal data processed outside of India if it relates to clients and business operations within India.

What DPDP requirements apply to the processing of personal data?
The DPDP Act centres the gathering and use of personal information on CONSENT.
Under the new rule, customers have to explicitly agree to companies using their data, which alters the traditional dynamics of data control. Any business that processes personal data without consent is in violation of the DPDP Act, with fines of up to 250 crore rupees.
The few “certain legitimate uses” that are exempt from the consent requirement are state functions, medical emergencies, and the fulfilment of a legal obligation. These exclusions will rarely apply to data activities carried out by BFSIs, which makes obtaining the right consent absolutely essential.

Key obligations for BFSI Sector under DPDP Act

    1. Transparent Notices

    The manner in which BFSIs acquire consent has undergone a significant change. It’s about total transparency now, not about clicking a box. In order to ensure that customers are fully informed, BFSIs are now required to give explicit notices outlining the specific intent of data collection and future usage. The requirement that consent be stated in a clear and satisfactory manner calls into question a number of current procedures, including prefilled click-wrap solutions.

    Not only that, but the notice needs to provide precise guidelines for handling grievances as well as the ability to revoke consent. The Eighth Schedule lists 22 Indian languages, including English, in which the notification must be provided. Above all, it is the BFSIs’ responsibility to prove that consent was obtained in the right manner. BFSIs will have to keep complete records of every customer’s consent in order to demonstrate that their data practices do not violate the Digital Personal Data Protection Act of 2023.

    2. Purpose and Storage Limitations

    The days of using data in a flexible way are gone. Now, data may only be utilized for the purposes specified in full at the time of data collection. BFSIs may violate the DPDP Act if they stray from that path and use data for purposes other than those for which consent was first given. This means that a more detailed approach to consent collection is needed, and it emphasizes the need for BFSIs to be clear and upfront about their intentions regarding the use of data from the outset.
    BFSIs have to adopt a structured strategy for data retention as well. Consent-based data collection is restricted to the intended use. The data must be removed from the BFSIs’ systems after the intended use is completed or if the client withdraws their consent.

    This ensures that data is kept for only as long as absolutely necessary, which is a significant change from the previous practice of long-term data retention.

    3. Empowered Customers

    Consent is essential, so customers already have an extensive amount of control. Going one step further, the DPDP Act gives customers, as Data Principals, additional power. Consumers have the right to revoke their consent at any time, which will stop data processing. BFSIs are required to make sure that the procedure for withdrawing consent is just as simple and open as the one for providing it.
    Customers who wish to change their mind about how their data is being used can do so under the Act, which also gives them the ability to withdraw their consent. A summary of the customer’s information, including the data processing activities carried out and the identities of any third-party entities with whom the data has been shared, must now be provided by BFSIs upon request.

    Because of this level of transparency, BFSIs must keep accurate records and be ready to provide this information quickly.

    4. Data Breach Prevention

    If there is a breach of personal data, the responsible company must notify both the Data Protection Board (DPB) and the affected customer. Penalties can go up to 250 crore. To avoid such costly breaches, BFSIs must rethink their data protection practices at all organizational levels. This entails considerable retraining of personnel to comply with the new data management and security standards.
    Furthermore, internal rules for data sharing and disclosure must be thoroughly examined and strengthened, particularly when working with FinTechs and other partners. FinTechs will be designated as Data Processors, and the burden of establishing compliance will remain with the Data Fiduciaries, i.e., the BFSIs. BFSIs will need to exercise greater care when selecting trustworthy FinTech partners.

    5. Data Analytics and Risk Assessment

    The assessment of risk is the foundation of effective financial operations, and so much depends on data analytics: measuring sales performance, credit and liquidity risk analysis, deploying targeted marketing, product pricing, detecting patterns to avoid fraud, and so on.
    It is critical not only to identify which data points are being gathered, but also to establish their legal basis and obtain explicit consent from customers for each individual usage. BFSIs must now strike a fine balance between acquiring consent from consumers and being prepared for situations in which consent is rejected or revoked. This dynamic might have a substantial influence on important operations such as product pricing and fraud protection, forcing BFSIs to develop flexible techniques that can react to changing levels of data availability.

    6. Customer Lifecycle Management

    The DPDP Act applies to all aspects of marketing, profiling, onboarding, service, and customer relationship closure. A consumer who has supplied their phone number for bank account creation cannot be phoned by the bank to promote a credit card unless they have given express approval in the way required. Similarly, the product must adhere to the same principles: notifications on websites and phone applications must offer clear and concise information about the data being collected and for what objectives, as derived from a well-defined policy on the use, protection, and preservation of customers’ personal data. To learn more, check out our blog post about the DPDP Act’s impact on telemarketing.

    7. Significant Data Fiduciaries

    The Data Protection Authority may classify larger Banks, NBFCs, and Insurance Companies as Significant Data Fiduciaries (SDFs) because of the sensitive type and volume of data they process. SDFs will be required to comply with further strengthened obligations, such as establishing a dedicated Data Protection Officer, undertaking data protection impact assessments, data audits, and other steps mandated by the government. Larger BFSIs will be held more accountable for protecting personal data, and they will most certainly face heavier fines if they fail.

What other BFSI regulations to keep in mind?

The Digital Personal Data Protection Act requires that data be collected and used only for legitimate purposes. It makes no difference whether or not the Data Principal consented. If the use of data violates any existing legislation outside of the DPDP Act, it is immediately a violation of the DPDP Act.
The Reserve Bank of India (RBI) supervises the functions of banks and NBFCs; the Securities and Exchange Board of India (SEBI) regulates mutual funds and capital markets; and the Insurance Regulatory and Development Authority of India (IRDAI) oversees the insurance sector.
These bodies provide circulars, regulations, and guidelines for data governance procedures on a regular basis.

We will now look at some actual instances of how the DPDP Act will interact with other legislation.

  1. Consent Exception – The DPDP Act allows an exemption to the consent requirement if data is provided voluntarily by the Data Principal. However, the Digital Lending Guidelines applicable to Regulated Entities (REs) only permit access to and exchange of data subject to the prior and express approval of the prospective borrower for specific purposes, even if the data is supplied voluntarily.
  2. Data Retention – The DPDP Act requires businesses to remove personal data once the defined purpose is met; however, NBFCs may hold data for much longer due to responsibilities under the Prevention of Money Laundering Act (PMLA) or the RBI’s KYC Master Directions. As a result, the period of personal data retention must take into consideration both the DPDP Act’s purpose limitation and the buffer time required by the regulatory obligation.
  3. IT and Security Regulations – Regulations governing data localization, IT frameworks, information security standards, and incident reporting add to the complexity of compliance. The RBI’s Storage of Payment System Data Circular of 2018, the IRDAI (Maintenance of Insurance Records) Regulations of 2015, the RBI’s Cyber Security Framework in Banks circular, the Master Direction – IT Framework for NBFCs, and many other regulations must all be considered when evaluating the DPDP Act’s evolving parameters.

The Joint Parliamentary Committee Reports emphasized the necessity of ensuring that the norms in various businesses align with data protection law. In cross-border data transfers, the DPDP Act states that if other laws or norms provide additional protection or limits, those should be followed.

It is currently uncertain whether this approach will apply to other conflicts. The Data Protection Board (DPB) or the forthcoming Digital Personal Data Protection Rules might give further clarification.

What’s Next?

The Digital Personal Data Protection Act is more than just a statutory reform; it represents a significant shift in data governance. In this new era, customers control their data, and BFSIs must respond quickly. What’s the key? Each data interaction requires explicit, clear consent. BFSIs now have the critical duty of ensuring that customers have complete control over their data, from its usage to its disposal. This is an enormous advancement for a data-driven industry.