Impact of Digital Personal Data Protection Act (DPDPA), 2023 on the Financial Services sector

In our digitalised world, "data is the new oil," signifying the value of personal data for businesses. It drives decisions, personalisation, and innovation. However, with the immense value of personal data comes a pressing need for privacy and security. The Digital Personal Data Protection Act (DPDPA) of 2023 addresses these issues, aiming to protect personal data, empower individuals, and enforce strict data handling standards.

The Act is not just another piece of legislation; it is a game-changer. This Act is all about safeguarding personal data, giving individuals more control over their information, and establishing rigorous data handling standards. It is a landmark step towards ensuring that the data-driven world we live in operates ethically and securely.

DPDPA's influence on the financial services sector is expected to be significant, particularly in light of the sector's regulatory changes, the presence of non-traditional actors, and its digital transformation. The Act serves as the guiding framework for managing digital personal data, delicately balancing the preservation of individual rights with the necessary data processing requirements.

"I believe personal data is sacrosanct and businesses that treat it so, while harnessing and processing this data to gain competitive advantage, will be the ones that will earn consumer trust and loyalty. It is now up to organisations to look at the Digital Personal Data Protection Act 2023 as a business opportunity and create a safe and digital-first #VibrantBharat."
Deepankar Sanwalka, Senior Partner, Grant Thornton Bharat

Value of personal data in business

Personal data has transformed into a valuable asset that powers various aspects of modern business operations. Companies within the financial services sector leverage personal data for:

Regulatory landscape in the Financial Services sector

The highly regulated Financial Services sector faces the challenge of aligning DPDPA 2023 with existing regulations such as the Prevention of Money Laundering Act (PMLA). This intersection calls for careful consideration of the legal requirements for data collection, retention, and sharing with authorities, and of compliance roadmap development. Financial firms, accustomed to strict privacy and data protection rules, are likely to have a more mature approach to compliance than other sectors.

Existing regulations, guidelines, and frameworks related to data privacy and security

Impact on Financial Services functions

The DPDPA brings transformative effects to various functions within the financial services sector:

Regulatory changes

Significant Data Fiduciaries in the financial services sector will have increased responsibilities under the DPDPA. Regulators are expected to customise DPDPA requirements to sub-sectors they regulate and train supervisory staff accordingly.

Risk management

Players in the BFSI domain will become primary data fiduciaries responsible for DPDPA compliance. Risk management is central to their core function, and they must ensure consent is obtained before processing personal data. 

IT and cybersecurity

DPDPA's focus on personal data protection reshapes IT and data safeguarding practices. Financial institutions must invest in advanced threat detection, strong encryption, and regular audits to safeguard customer data from cybercriminals.

Product management

Product management must prioritise data protection, transparency, and user rights. This includes integrating "privacy by design," strong consent mechanisms, clear user control, transparent communication, and well-defined data usage policies.

Customer lifecycle management

The DPDPA changes how organisations manage customer data across their journey, impacting stages such as acquisition, onboarding, service, retention, and loyalty. It emphasises explicit consent, clear data policies, and data minimisation. 

Outsourcing

Indian financial services companies, which often outsource and partner with FinTechs, face additional compliance obligations due to DPDPA 2023. Data fiduciaries hold primary compliance responsibility, while significant data fiduciaries will have added duties.

Increased compliance for FinTechs

Under DPDPA 2023, Indian FinTechs in partnerships with financial institutions must adhere to stringent data fiduciary regulations, likely leading to a transformation in the regulated entity (RE)-FinTech collaboration model.

Implications on Global Capability Centers

Global Capability Centers (GCCs) in the Indian banking sector face significant challenges due to the DPDPA 2023. To comply with the Act, GCCs must identify cross-border data and establish controls for data processed in India but related to activities abroad. They also need to manage and store personal data of their large employee base effectively, ensuring consent and security while minimising data acquisition.

Conclusion

The DPDP Act of 2023 stands as a testament to the evolving regulatory guidelines in the Fintech sector. By mandating transparency, consent, and robust security measures, it has elevated compliance standards for Fintech companies. Through data minimisation, purpose limitation, and cross-border data transfer regulations, the Act has struck a balance between innovation and user protection.
