Introduction
India’s first standalone personal data protection legislation, the Digital Personal Data
Protection Act, 2023 has after two years received its operationalizing wings with the coming
of the Digital Personal Data Protection (DPDP) Rules, 2025. This marks as a huge milestone
in establishing a long-awaited framework to protect personal data digitally, while striking a
balance between individual privacy, State interests and Commercial developments.
At the heart of the DPDP regime lie three core actors: The Data Principal, the Data Fiduciary,
and the Consent Manager. The Data Principal is the individual to whom the data belongs; the
Data Fiduciary is any organisation that decides how and why personal data is processed; and
the newly envisaged Consent Manager is an entity that helps individuals manage their
permissions centrally (Rule 4). This division of roles is foundational. It places a legally
enforceable duty on data fiduciaries to be transparent, responsible, and accountable.
The DPDP framework also introduces a Data Protection Board of India (DPB), a body
empowered to adjudicate data protection disputes, impose penalties, and issue compliance
directions. It’s interesting to note that this Board is designed to be a ‘digital-first’ entity, with
complaint-filing and appeals handled online through Telecom Dispute Settlement and
Appellate Tribunal (TDSAT), which could encourage efficiency and accessibility and reduce
procedural burdens.
With the DPDP Rules in place, one must now focus on the profound implications it carries
for the financial sector, where banks, NBFCs, fintech platforms, insurers, and payment
aggregators process massive volumes of sensitive personal and financial data daily. The
Rules strengthen obligations around lawful consent, purpose-specific data use, accuracy of
financial information, and stringent deletion requirements once data is no longer needed.
They also heighten accountability for data breaches which is of critical concern for financial
services given the high-risk nature of financial data.
With mandatory consent logs, tighter grievance timelines, and increased fiduciary liability,
financial institutions must now upgrade their data-governance systems, reassess out sourcing arrangements, and implement effective compliance mechanisms. As a result, the DPDP
regime is set to reshape how financial entities collect, store, share, and secure data, pushing
the sector toward greater transparency and consumer trust.
Consent, Individual Rights and a Focus on Purpose Limitation
The Rules specifically emphasise the need for clarity around the concept of Consent. It puts
informed burden on the Data Fiduciaries to provide plain-language notices to citizens (Rule
3) explaining exactly what personal data of theirs will be collected and outlining the reason
behind it. This is intended to ensure that consent is informed, specific, and unambiguous.
Players in the Banking, financial services and insurance (BFSI) domain will be the Data
Fiduciaries who will be primarily responsible for ensuring compliance to the provisions of
the Act from a data protection stand- point. Where consent needs to form the basis of
processing information, lenders would be required to give Notice for the same as per the
DPDP Rules. The DPDP Rules can be read in tandem with RBI’s Digital Lending Guidelines,
which outlines that explicit consent of the borrower shall be taken, before sharing the
information with any third-party, except for cases where sharing is pursuant to a regulatory
requirement
The rules also outline the need for organizations to only collect the data they need, use it for
clearly defined purposes, and not retain it longer than necessary (Rule 8). Regulated entities
already follow the RBI guidelines when it comes to ensuring minimised and secure storage of
data, however, with the new Rules in place, they must ensure stronger record keeping and
better co-ordination between IT department, legal and compliance teams of organisations.
Strict requirements around consent and transparency is likely to impact the new customer
acquisition process, since products need to be modified to comply with the Act. It is also
likely to impact business growth as some of the customers may not want to go ahead with the
product if they are not comfortable in accepting the policy requirements.
Security Infrastructure & Breach Notification
Security is not an afterthought in the DPDP framework. Fiduciaries are legally required to
implement “reasonable security safeguards” to prevent unauthorized access and data
breaches. For the financial services industry, which handles some of the most sensitive
categories of personal and transactional data, these obligations significantly elevate the
compliance standard. Banks, NBFCs, insurers, fintech platforms, and payment intermediaries
will be compelled to modernise in-house legal systems, adopt real-time threat-detection tools,
and strengthen vendor-management frameworks, since they remain directly liable even for
breaches caused by outsourced processors.
In the event of a breach, the Rules require fiduciaries to report the incident to the Data
Protection Board within 72 hours and notify affected Data Principals promptly (Rule 7). For
financial institutions where, cyber incidents can trigger systemic risks, undermine market
confidence, and erode customer trust—this rapid-reporting requirement marks a decisive shift
towards accountability and transparency. Timely disclosures not only help protect consumers
but also reinforce trust in digital financial systems.
Cross Border Data Transfer and the Safeguards in Place
Transfer of personal data outside India are allowed, subject to specific conditions ensuring
that the recipient country or organization provides an adequate level of protection as
determined by the Central Government. As per rule 13 concerning Significant Data
Fiduciaries, Government can, based on recommendations from a government appointed
committee, specify categories of personal data and related traffic data that must not be
transferred outside India.
There is a “negative list” approach, where the government can “blacklist” countries, and
transfers will be prohibited to those listed. This ensures that future foreign transactions of
digital data of individuals is protected and safeguarded under the new framework.
Fintech companies will be required to implement appropriate security measures to prevent
data breaches and unauthorised access. This is likely to result in the adoption of robust
cybersecurity protocols within the Fintech sector. The adoption of policies concerning crossborder data transfers strikes a balance between promoting international data flows essential
for Fintech innovation and ensuring that data remains protected even beyond national borders
Compliance Roadmap & Phased Implementation
Recognising that not every organization is ready overnight, the DPDP Rules provide a phased
implementation roadmap which will be fully enforceable over a 12–18 month period. This
grace period is particularly meaningful for start-ups, MSMEs, and smaller digital players that
may lack the resources of large tech firms to build privacy-first systems quickly.
For the financial services industry, the phased 12–18 month implementation period offers
both relief and strategic opportunity. Banks, NBFCs, insurers, fintech start-ups, and payment
intermediaries operate in a deeply data-intensive ecosystem, and updating legacy
infrastructure to meet DPDP-grade privacy standards requires time, capital, and coordinated
governance. The extended compliance window allows larger institutions to gradually upgrade
their data-governance systems, re-engineer consent workflows, strengthen breach-response
mechanisms, and renegotiate vendor contracts without disrupting service continuity.
Overall, the staggered timeline reduces compliance burden, allows for more realistic
operational planning, and ensures that financial service providers, regardless of their size can
transition into the DPDP regime without compromising customer experience or regulatory
stability.
Non-compliance to the Rules is not just a regulatory headache, it’s financially significant.
The Act establishes a penalty regime with fines that can go up to ₹250 crore for failing to
maintain reasonable security safeguards or violating Data Principals’ rights on part of the
Data Fiduciaries.
The power to impose such penalties makes data protection not just an ethical concern, but a
serious business risk.
Bombay
Conclusion
For businesses, particularly those in fintech, platforms, or data-intensive services, the
question is no longer whether to comply, but how to ‘future-proof their privacy
infrastructure’. Ultimately, the DPDP Act represents more than a regulatory overhaul, it is a
foundational step toward building a resilient, privacy-respecting digital economy. For the
financial sector, compliance is an opportunity to rebuild systems with privacy at the core,
restore confidence in digital interactions, and align India’s financial ecosystem with global
best practices. As the nation moves towards a more secure and responsible data environment,
the financial industry stands to play a leading role in shaping a future where innovation and
privacy go hand in hand
Institutions that embrace this transition proactively will not only mitigate regulatory risks but
also strengthen their competitive advantage in a market increasingly defined by data ethics
and consumer trust.
Citations
A closer look at the DPDP rules 2025. IKIGAI LAW. (2025, November 14).
https://www.ikigailaw.com/article/647/a-closer-look-at-the-dpdp-rules-2025
DPDP rules, 2025 notified. Press Information Bureau Government of India. (2025,
November
17).
https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc202511
17695301.pdf
Data Protection Rules 2025. (2025, November 14).
https://www.meity.gov.in/documents/act-and-policies/digital-personal-dataprotection-rules-2025gDOxUjMtQWa?pageTitle=Digital-Personal-Data-ProtectionRules-2025
The Digital Personal Data Protection Act, 2023 (no. 22 of 2023). (2023, August 9).
https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
Technology Law Team. (2025, January 27). India’s New Data Protection Regime,
One Step Closer: Draft Compliance Rules Issued . Nishith Desai Associates: Nishith
Desai.
Bahl, R., & Bagai, R. (2024, March 13). India: Digital Personal Data Protection Act,2023 part three –data
transfers. azb partners.
Butani, V. (2025, January). Key Highlights of the Digital Data Protection Rules 2025.Economic Law Practice.
https://elplaw.in/wp-content/uploads/2025/01/KeyHighlights-of-the-DPDP-Rules-2025-1.pdf
Verma, A. (2025, November 19). DPDP Act and 2025 rules: Recasting privacy, governance, accountability in the Digital ETGovernment.com.
https://government.economictimes.indiatimes.com/news/secure-india/revolutionizing
digital-privacy-indias-dpdp-act-and-2025-rules-explained/125424652
Sanwalka, D., et al., (2025). Implications of the DPDP Act 2023 on India’s Financial Services
Sector age. Grant Thornton.
https://www.iamai.in/sites/default/files/research/bain_microsoft_iamai_digest_from_b
uzz_to_reality_the_accelerating_pace_of_ai_in_india.pdf
Shome, S. (n.d.). Reimagining Compliance: Implications of Draft DPDP Rules for
Financial Sector Entities. Vinod Kothari Consultants
