DPDP · BFSI · Compliance · Banking

DPDP Act 2023: What Banks and NBFCs Need to Know

30 April 2026 · 8 min read · By Sammati

Why BFSI Faces the Highest DPDP Risk

Banks, NBFCs, insurance companies, and payment processors sit at the intersection of three high-stakes factors under India's Digital Personal Data Protection Act, 2023:

1. Volume — BFSI entities process more personal data per customer than almost any other sector (KYC, transaction history, credit bureau data, health-linked insurance data)

2. Sensitivity — Financial data is classified as sensitive under most interpretations of the Act

3. Significant Data Fiduciary exposure — Large BFSI players are likely candidates for SDF designation, triggering additional obligations: mandatory DPO, DPIAs, and periodic external audits

Non-compliance penalties reach ₹250 crore per violation — a material risk even for large institutions.


What the DPDP Act Requires from BFSI

1. Consent for Data Processing

Banks historically relied on bundled consent hidden within account-opening forms. Under DPDP, this is no longer valid. Consent must be:

  • Free — not a condition for opening an account
  • Specific — one consent per purpose (e.g., KYC verification vs. marketing vs. credit bureau sharing)
  • Informed — backed by a plain-language notice explaining what data is collected and why
  • Unconditional and unambiguous — a clear affirmative action, not a pre-ticked checkbox

BFSI entities must audit all consent touchpoints: account opening, app onboarding, loan applications, insurance proposals, and co-branded card offers.

2. Privacy Notice Requirements

Every interaction that involves personal data collection must be preceded or accompanied by a DPDP-compliant notice. The notice must state:

  • What personal data is being collected
  • The specific purpose of processing
  • Rights available to the customer
  • How to withdraw consent or file a grievance

For banks, this means updating website privacy policies, in-app disclosures, branch forms, and call centre scripts.

3. Data Principal Rights

Customers now have legally enforceable rights:

  • Right to access their data
  • Right to correction of inaccurate data
  • Right to erasure when the purpose is fulfilled
  • Right to grievance redressal via a published grievance mechanism — under the DPDP Rules, 2025 (Rule 14(3)), grievances must be resolved within a period not exceeding 90 days

> The Rules prescribe a turnaround only for grievance redressal (≤90 days). They set no fixed day-count for access, correction or erasure — fiduciaries should respond within a reasonable, policy-defined time.

Banks must build or procure rights management workflows that handle these requests at scale. For a large bank with millions of customers, this requires automation — not manual email handling.

4. Data Breach Notification

BFSI entities already face RBI's data breach reporting requirements. Under DPDP, they must also notify the Data Protection Board of any breach involving personal data. Delays in notification attract penalties up to ₹200 crore.

5. Vendor and Sub-Processor Management

BFSI entities share customer data with: fintech partners, payment gateways, credit bureaus, insurance aggregators, co-brand partners, and analytics vendors. All of these are Data Processors under DPDP. You must:

  • Conduct due diligence on each processor
  • Execute a binding Data Processing Agreement (DPA)
  • Ensure processors comply with your data protection obligations

Significant Data Fiduciary Exposure

Large banks and NBFCs are likely SDF candidates. If designated, additional obligations apply:

| Obligation | Detail |
|---|---|
| Data Protection Officer | Mandatory DPO appointment (can be internal or external) |
| Data Protection Impact Assessment (DPIA) | Required before new high-risk processing |
| Periodic external audit | By a qualified data auditor |
| Data localisation | If specified by Central Government notification |

Preparing for SDF designation now — rather than after it happens — is the prudent approach.


Practical Compliance Steps for BFSI (90-Day Plan)

Month 1 — Assess

  • Map all personal data flows across customer lifecycle touchpoints
  • Identify all third-party data processors and review existing DPAs
  • Conduct the free DPDP self-assessment to score your current readiness

Month 2 — Build

  • Update consent capture at all onboarding touchpoints (app, web, branch, IVR)
  • Implement a consent management platform to record, store, and manage consent artifacts
  • Draft DPDP-compliant privacy notices in plain language; translate to regional languages

Month 3 — Test & Operate

  • Run a rights fulfilment simulation: how fast can you respond to an access request?
  • Test the breach notification workflow: who does what, within what timeframe?
  • Appoint a Grievance Officer and publish their contact details
  • Train frontline staff and compliance teams

How Sammati Helps BFSI

We work with banks, NBFCs, and insurers to design and operationalise the consent and rights stack DPDP requires:

  • Immutable consent artifact capture (SHA-256 hash-chain) integrated with onboarding journeys
  • Consent notices delivered in all 22 Eighth Schedule languages — critical for rural banking customers
  • Rights fulfilment workflows that meet the 90-day grievance ceiling (Rule 14(3)) and your own SLAs for access, correction and erasure
  • Audit-ready export pipelines for Data Protection Board reporting
  • Deployment patterns that respect RBI data localisation requirements (BYOC / in-VPC)

Request a BFSI compliance consultation →
