Potential Impact of Draft DPDP Rules, 2025 on Banks and NBFCs

The draft Data Protection and Privacy Rules (DPDP), 2025 are set to significantly impact the financial sector, including banks and Non-Banking Financial Companies (NBFCs). These new regulations aim to strengthen data privacy laws, protect consumer personal information, and ensure that data usage by financial institutions is conducted responsibly and transparently. The DPDP Rules will affect banks and NBFCs in areas such as compliance costs, operational changes, data governance, and risk management. This article explores the implications of these rules and their impact on these sectors.

Overview of the DPDP Rules 2025

The DPDP Rules 2025 are designed to regulate the collection, processing, storage, and sharing of personal data by various entities, including financial institutions like banks and NBFCs. These rules align with global standards, such as the European Union’s General Data Protection Regulation (GDPR). The DPDP Rules provide a comprehensive framework for protecting privacy, ensuring transparency in data handling, and holding organizations accountable for data protection.

The key provisions in the draft DPDP Rules, 2025 are:

  1. Consent Management (Section 4): Financial institutions must obtain explicit consent from individuals before collecting, processing, or storing their personal data. The rules mandate that banks and NBFCs ensure that consent is freely given, informed, and unambiguous.
  2. Data Localization (Section 5): One of the key provisions under the DPDP Rules is data localization. Banks and NBFCs are required to store and process the personal data of Indian citizens within India. This provision aims to strengthen data sovereignty and minimize the risks associated with cross-border data transfer.
  3. Data Minimization (Section 6): This principle mandates that banks and NBFCs collect only the personal data necessary for a specific purpose. Over-collection of data is prohibited under these rules, encouraging financial institutions to gather only the information essential for their operations.
  4. Right to Access, Correct, and Erase Data (Sections 7-9): The DPDP Rules provide individuals with the right to access, correct inaccuracies, and request the deletion of their personal data. Banks and NBFCs must ensure they have mechanisms in place to comply with these rights within prescribed time limits.
  5. Data Protection Officers (Section 10): The rules require banks and NBFCs to appoint Data Protection Officers (DPOs). These officers are tasked with overseeing compliance with the DPDP Rules and serving as points of contact for regulatory authorities.
  6. Data Breach Notification (Section 11): Banks and NBFCs are required to notify the relevant regulatory authorities and affected individuals within a specific time frame in the event of a data breach. This section specifies timelines for reporting breaches to mitigate the risk of data misuse.
  7. Privacy by Design and Default (Section 12): The DPDP Rules require financial institutions to embed data protection measures into the design and development of their products and services. This ensures that privacy is considered at every stage of the product or service lifecycle.
  8. Cross-Border Data Transfer (Section 13): The rules set stringent conditions for transferring personal data outside of India. Cross-border transfers are allowed only if the destination country has adequate data protection laws or if the transfer is necessary for business purposes.

Impact on Banks and NBFCs

The introduction of the DPDP Rules will have significant implications for banks and NBFCs in India. These institutions will need to make substantial adjustments to their operations, policies, and practices to comply with the new data protection regulations. Below are the key effects of these rules on the banking and NBFC sectors:

1. Compliance Costs and Operational Overhaul

A key consequence of the DPDP Rules on banks and NBFCs is the increase in compliance costs. These institutions will need to invest in new technologies, systems, and human resources to ensure compliance with the rules, particularly around consent management[1] and data localization[2]. For example, financial institutions will have to develop robust consent management systems to collect and store explicit customer consents. Moreover, banks and NBFCs will have to ensure their data storage infrastructure complies with data localization provisions.

In addition, regular audits and assessments, as outlined in Section 10 on the appointment of Data Protection Officers (DPOs), will become essential to verify adherence to data protection norms. Non-compliance could lead to significant fines and reputational risks.

2. Data Governance and Management

The DPDP Rules mandate stronger data governance frameworks for banks and NBFCs. In particular, Section 6 and Section 12 emphasize that financial institutions should not collect or retain unnecessary personal data. Banks and NBFCs will need to establish clear data policies and procedures to handle the collection, processing, storage, and sharing of personal data securely.

Data governance will also necessitate regular risk assessments[3] to identify vulnerabilities in data security systems. DPOs, as per Section 10, will play a crucial role in ensuring that data processing activities comply with the DPDP Rules and that security measures are implemented effectively.

3. Enhanced Consumer Trust and Transparency

The DPDP Rules will enhance transparency regarding how banks and NBFCs handle consumer data. By obtaining explicit consent for data usage, financial institutions will build consumer trust. The Right to Access, Correct, and Erase Data provisions (Sections 7-9) give individuals greater control over their data, empowering them to correct inaccuracies or request data deletion. Banks and NBFCs will need to implement systems for responding to these requests promptly, ensuring a seamless consumer experience and fostering trust.

Banks that prioritize these measures will be perceived as responsible stewards of consumer data. The transparency provided by the DPDP Rules is likely to improve customer loyalty and enhance the reputation of financial institutions that take proactive steps toward data protection.

4. Impact on Cross-Border Operations

For banks and NBFCs with global operations or reliance on third-party vendors located outside India, Section 13 of the DPDP Rules presents challenges. The rules impose strict conditions on cross-border data transfers, which will affect financial institutions that rely on overseas data centers or vendors. To comply, banks and NBFCs may need to re-evaluate their outsourcing agreements and adjust their international data flows.

Data localization as per Section 5 mandates that personal data be stored and processed within Indian borders. As a result, these institutions may need to establish data centers within India or collaborate with local partners to ensure compliance. While this may incur additional costs, it is necessary to comply with the law and ensure that consumer data remains protected.

5. Risk Mitigation and Data Breach Response

A critical aspect of the DPDP Rules is the emphasis on data breach notifications (Section 11) and risk mitigation. In the event of a data breach, banks and NBFCs will be required to notify both regulatory authorities and affected customers within a specific timeframe. Banks will need to implement effective breach detection and response mechanisms, as well as cybersecurity protocols, to protect customer data from unauthorized access or theft.

Non-compliance with Section 11 could result in severe penalties, not only due to fines but also because of reputational damage. Banks and NBFCs must therefore invest in building resilient cybersecurity infrastructure, as well as employee training on incident response procedures.

Conclusion

The Draft DPDP Rules 2025 mark a significant shift in how banks and NBFCs in India must handle personal data. While these regulations present challenges in terms of compliance costs, operational changes, and data governance, they also provide an opportunity for financial institutions to enhance consumer trust, strengthen data security, and adopt global best practices in data privacy.

Banks and NBFCs will need to take proactive steps to comply with the DPDP Rules, including investing in new technologies, appointing Data Protection Officers as per Section 10, and conducting regular risk assessments. By doing so, they can navigate the evolving regulatory landscape and emerge as trusted custodians of consumer data. Successfully implementing these rules will ultimately benefit both financial institutions and their customers, fostering a secure and transparent financial ecosystem in India.

Contributed by: Saubhagya Bansal


[1] Section 4, Draft DPDP Rules, 2025

[2] Section 5, ibid.

[3] Section 11, ibid.