BTL 872 - DPDP Act and Banking
The Banking Tutor’s Lessons
BTL 872 21-02-2026
DPDP Act and Banking
The Digital Personal Data Protection (DPDP) Act, 2023, fully operationalized by the DPDP Rules 2025 on 14 November 2025, establishes a strict framework for how banks in India handle customer data.
Banks are classified as Data Fiduciaries, making them legally responsible for the security and lawful processing of customer information such as KYC details and financial history.
Key Compliance Mandates for Banks
Explicit Consent & Notice: Banks must obtain free, specific, and informed consent before processing data. Consent requests must be accompanied by clear notices in English or any of the 22 regional languages listed in the Constitution.
Legitimate Uses: Consent is not always required for "legitimate uses," such as fulfilling legal obligations (e.g., KYC under PMLA), responding to medical emergencies, or processing data of loan defaulters to assess assets and liabilities.
Data Minimisation & Erasure: Banks may only collect data necessary for a specific purpose and must delete it once that purpose is met, unless retention is required by other laws (such as the Reserve Bank of India (RBI) rule requiring KYC records to be retained for 5 years).
Breach Notification: In the event of a data breach, banks must notify the Data Protection Board (DPB) and all affected customers "without delay," typically within 72 hours.
Significant Data Fiduciary (SDF): Many banks will likely be designated as SDFs due to the volume of sensitive data they handle. This brings additional duties:
  - Appointing a dedicated Data Protection Officer (DPO) based in India.
  - Conducting periodic Data Protection Impact Assessments (DPIAs) and independent audits.
Interplay with Existing Banking Regulations
The DPDP Act adds a horizontal layer over existing rules from the RBI and CERT-In.
Conflict of Laws: If a conflict arises between the DPDP Act and a sector-specific law (such as stricter RBI data localization norms), the sectoral regulation prevails.
Outsourcing: Banks remain ultimately accountable for data breaches caused by third-party processors (e.g., fintech partners, cloud providers), necessitating stricter vendor risk management and updated contracts.
Penalties for Non-Compliance
Non-compliance can result in massive financial penalties:
₹250 crore for failing to implement reasonable security safeguards to prevent breaches.
₹200 crore for failing to notify the DPB or individuals about a data breach.
Banks have an 18-month phased implementation period from November 2025 to achieve full compliance, with some core duties such as consent notices and breach reporting taking effect sooner.
The Act applies to all financial institutions in India, covering digital data collected online or digitized offline.
Sekhar Pariti
+91 9440641014