Navigating India’s New Digital Data Protection Laws: What Banking and Financial Services Companies Must Do Now

Banks, NBFCs, and insurers must adopt a holistic compliance framework integrating legal, technical, and organizational elements to meet DPDP obligations, mitigate risks, and reinforce trust in their digital services

Background

The Ministry of Electronics and Information Technology has notified the Digital Personal Data Protection Rules, 2025 on 13th November 2025 under the Digital Personal Data Protection Act, 2023 (the “DPDP Regulations”). The DPDP Regulations impose significant obligations on the collection and processing of digital personal data, emphasizing individual rights alongside lawful data processing.

Applicability and Compliance Timeline

The DPDP Rules apply to digital personal data processing within India and cross-border processing related to goods or services provided to data principals in India. The compliance deadline for data fiduciaries is 18 months from November 13, 2025. Financial institutions must become fully compliant within this period.


Key Requirements Under the DPDP Rules

  • Notice and Consent: Data fiduciaries must provide clear, standalone notices to data principals explaining what data is being collected, the purposes of processing, and rights such as withdrawal of consent. A consent manager (an Indian company having a net worth of at least INR 2 crore) registered with the Data Privacy Board of India (“DPB”) must be engaged by data fiduciaries to facilitate the management and revocation of consent by data principals.
  • Data Security: The DPDP Regulations make certain reasonable security safeguards mandatory for data fiduciaries. These include encryption, masking, access controls, logging of access activities, maintaining backups, and incorporating security measures in contracts with data processors.
  • Breach Notification: Data fiduciaries must promptly notify affected data principals and the DPB about personal data breaches. Detailed follow-up reports with mitigation efforts and preventive measures must be submitted within 72 hours of the time the data fiduciary becomes aware of the breach.
  • Data Erasure: Data fiduciaries must erase the data collected from data principals upon request, or if the data is no longer needed. For erasure on grounds of obsolescence of data, a 48-hour advance notice to data principals is mandatory, allowing them to retain their data if desired.
  • Special Categories: Specific consent protocols apply for processing data of children and persons with disabilities, including verifiable consent from parents, guardians, or legal representatives with proper identity verification.
  • Significant Data Fiduciaries (SDFs): SDFs (to be notified by the central government) face enhanced obligations such as performing data protection impact assessments, regular audits, appointing data protection officers, and ensuring stronger data governance.
  • Data Principal Rights: Data principals can access, correct, erase their data, and nominate representatives. Grievances must be resolved within 90 days through an effective grievance redressal system.
  • Cross-border Data Transfers: Transfers outside India are permitted under Central Government conditions, barring countries specifically blacklisted, with safeguards to protect privacy and data security.

Existing RBI Requirements for Banks and Financial Institutions

Banks and NBFCs already follow stringent data protection rules under RBI Master Directions, including confidentiality, data minimization, sensitive data handling, and five-year mandatory data retention for transaction and identification records. Payment system data must be stored in India or brought back within 24 hours. The DPDP Rules add compliance layers, requiring harmonization of RBI and DPDP obligations.

Consequences of Non-compliance

Strong privacy frameworks play a crucial role in fostering innovation, trust, and sustainable business growth by enabling responsible product development. However, poor consent management practices can hinder this progress, delaying the adoption of new technologies and the launch of digital products. Non-compliance with privacy obligations may attract regulatory sanctions, which could include suspension of data processing or product launches until compliance gaps are resolved. Moreover, organizations face significant financial exposure, as monetary penalties under the Digital Personal Data Protection (DPDP) Act can reach up to INR 250 crore for data breaches, failure to notify authorities, or violations involving children’s data.

Recommended Actions for Banks and Financial Services

Banks and NBFCs should undertake the following activities in order to ensure compliance with the DPDP Regulations:

  • Conduct a Personal Data Inventory and Mapping Exercise: Catalogue all collected personal data, classify based on sensitivity, and map data flows including internal handoffs and third-party transfers with periodic updates.
  • Build or Enhance Consent Management Systems: Implement secure, verifiable, and auditable consent capture frameworks accommodating easy withdrawal and special protocols for sensitive categories.
  • Review and Upgrade Security Architectures: Deploy encryption, access controls, continuous monitoring, logging, and incident management systems aligned with DPDP requirements.
  • Revise Vendor Management Policies and Contracts: Institute rigorous vendor due diligence protocols and draft comprehensive DPAs addressing DPDP mandates, ensuring ongoing vendor compliance monitoring and audit rights.
  • Update Data Retention and Erasure Policies: Establish clear policies for data retention limits, erasure triggers, and customer notifications aligned with prescribed timelines and regulatory expectations.
  • Institutionalize Governance and Training Programs: Appoint Data Protection Officers, conduct DPDP-focused training for all relevant stakeholders, and establish audit and compliance monitoring mechanisms.
  • Establish Cross-Border Data Transfer Procedures: Develop legal and technical controls for compliant international data transfers consistent with governmental restrictions.
  • Implement Customer Rights Enablement Platforms: Deploy user-friendly portals allowing customers to manage consents, access their data, and submit grievances with guaranteed response timelines.

In summary, banks, NBFCs, and insurers must adopt a holistic compliance framework integrating these legal, technical, and organizational elements to meet DPDP obligations, mitigate risks, and reinforce trust in their digital services.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.