DPDP Act could reshape BFSI sector in India
2025-01-16
The Digital Personal Data Protection (DPDP) Act, accompanied by its draft rules, underscores the importance of transparency in managing personal data, setting a new standard for entities in the Banking, Financial Services, and Insurance (BFSI) sector.
A core requirement is providing clear and detailed notices about data collection, usage, and consent withdrawal processes, ensuring these are accessible in English and all 22 Indian languages. This mandate not only redefines how BFSI entities communicate with customers but also introduces operational and technological challenges.
Under the draft rules, data fiduciaries must ensure that customers are fully informed about how their data is collected, processed, and used. Notices must include details such as:
• The purpose of data collection.
• Categories of data being collected.
• Data retention timelines.
• Potential third-party sharing arrangements.
For the BFSI sector, this means designing customer-facing notices that are comprehensive yet easily understandable. For example, a bank collecting biometric data for enhanced security must clearly outline how this data will be stored, secured, and eventually deleted. This level of transparency could foster greater trust among customers, especially in an industry where data sensitivity is paramount.
The DPDP Act redefines the BFSI sector's data practices, emphasizing purpose limitation, transparency, and customer empowerment. While compliance demands significant changes, it offers BFSI entities an opportunity to lead in responsible data governance, build trust, and enhance their reputation in a privacy-focused digital economy.
The DPDP Act mandates Significant Data Fiduciaries to appoint DPOs, conduct impact assessments, and undergo audits, with penalties for non-compliance reaching ₹250 crore. This necessitates overhauling data security protocols and employee training.
The DPDP Act intersects with regulations from the RBI, SEBI, and IRDAI, requiring financial institutions to align data practices with both the Act and sector-specific mandates. Non-compliance could lead to breaches across multiple frameworks, increasing risks and penalties.