
The Digital Personal Data Protection (DPDP) Act, 2023 marks a fundamental shift for the financial sector. In order to create an environment that protects the personal data of citizens, the Act will require banks and financial institutions to recalibrate their conventional business practices in four material ways.
First, the scope of the Act captures a wide swathe of the personal data held by banks and financial institutions, since it applies to the processing of personal data that is either collected in digital form or collected offline and subsequently digitised. Accordingly, the law applies not only to financial services delivered through digital interfaces but also to institutions that have digitised their customer records and data sets.
Second, banks and financial institutions must put in place a substantial consent architecture. They must provide customers with a notice seeking consent to process their personal data. The notice needs to describe the personal data being collected and the purpose of processing, the rights of the customer under the Act, the details of the point of contact, and the procedure through which a customer can make a complaint to the Data Protection Board. Financial institutions must be prepared to provide such notices in English or in any of the constitutionally recognised Indian languages that the customer prefers. Banks should also build the technical capability to maintain records of all such notices, consents and customer responses. A financial institution may process personal data only for the specified purpose for which consent has been given. Care will have to be taken not to use financial data collected for one purpose, such as processing a loan application, to profile customers for products, schemes and services they did not sign up for.
This consent architecture also gives customers the right to withdraw their consent to the processing of any personal data at any point in time, and the technical ease of withdrawing consent must be on a par with the ease with which consent was obtained. Financial institutions will have to navigate this requirement carefully, meeting the compliance obligation while not being caught unawares by a sudden withdrawal of consent, given that they must simultaneously comply with the Reserve Bank of India's (RBI) fairly extensive regulatory regime for banking and financial services.
As a further step, financial institutions will have to erase personal data when a customer withdraws consent. More critically, they will be required to erase personal data even when it is reasonable to assume that the 'specified purpose is no longer being served'. Under the Act, a customer who neither approaches the financial institution for the performance of that purpose nor exercises any rights in relation to the processing for a prescribed period is deemed to fall into this category. Without further clarification, this provision could lead to confusion and unintended consequences, since financial institutions may end up erasing personal data that customers actually wanted them to retain.
Financial institutions must also take note that they are to continue retaining personal data where retention is required under any other law. The RBI, for instance, under its KYC Directions of 2016, requires banks and other financial entities to maintain records of transactions with their customers for at least five years, and to preserve records of the identity and addresses of their customers. Such requirements must be reconciled with the erasure obligations when working towards compliance with the DPDP Act.
A third significant implication for many financial institutions, given the global interconnectivity of the modern-day financial sector, relates to the cross-border data transfer provisions of the Act. The DPDP Act takes a far more rational approach here than its draft version did: rather than permitting transfers only to an approved list of countries, it allows personal data to be transferred outside India except to those countries or territories that the Central Government specifically notifies as restricted. Two factors will however have to be taken into consideration. One, the Central Government may still introduce safeguards that financial institutions must comply with before transferring personal data outside the country. Two, the law expressly allows any other law that provides a higher degree of protection of, or restriction on, the cross-border transfer of personal data to prevail. This means that the RBI's data localisation requirements will continue to be in force and will have to be complied with by financial institutions. The intention appears to be to set a baseline level of protection for personal data across sectors, while allowing sectoral regulators to develop targeted regulations within their jurisdictions.
Fourth, banks and financial institutions may be designated as significant data fiduciaries on the basis of the volume and sensitivity of the personal data they process, the risk to customers, and the potential impact on the sovereignty, integrity and security of the nation. Entities so designated will have to take on additional obligations, such as appointing a data protection officer based in India, conducting periodic data protection impact assessments, and undergoing periodic audits. As the criteria for designating entities as 'significant' data fiduciaries are broad and subjective, one will have to wait and watch to see how sparingly or liberally the government uses this power.
Personal and financial data has always been the central asset around which financial institutions develop products and services, and technological innovation has only multiplied its value and utility. Protecting such personal data from breach and misuse is in the interest not only of customers but also of the financial sector itself, since it guards against unscrupulous actors and encourages the adoption of industry best practices. The onus is now on the government to build on this foundation: to set up a professional and well-staffed Data Protection Board, backed by a rationalised regime of subordinate legislation that realises the objectives of the Act by protecting personal data without needlessly disrupting or restricting the usual course of business.
Views are personal. Shroff is Managing Partner, and Goswami is Director – Public Policy, at Cyril Amarchand Mangaldas. Varun Mehta, Principal Associate; and Aryan Vij, Associate, at Cyril Amarchand Mangaldas, contributed to the article.
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today