
Digital Personal Data Protection Act 2023: What does it mean for India’s financial services sector

Rohan Lakhaiyar,
Vivek Iyer

“Data is the new oil” is a phrase that has been used ad nauseam to describe the value of data to businesses. The increasing digitalization of the Indian economy and recent technological developments have together led to an explosion in the availability of individuals’ personal data (the individuals being the ‘Data Principals’) and in its processing by businesses (the ‘Data Fiduciaries’). In this context, the legislation of the Digital Personal Data Protection Act (‘DPDPA’) is timely. The Act is predicated on the principles of fairness, purpose limitation, data minimization, storage limitation, accuracy, confidentiality, integrity and availability of data, and demands higher accountability from data fiduciaries, data processors and data principals alike.

Financial Services (FS) is one of the most regulated sectors in India. Regulators, through guidelines on customer protection and data privacy, outsourcing, information security, technology and cyber risk management, among others, have emphasized many of the aspects that are now codified in the DPDPA. Further, the sector participants are also a ‘Reporting Entity’ under the Prevention of Money Laundering Act (PMLA), which mandates the collection and retention of certain data by the reporting entities. The intersection of these two Acts will require the financial sector participants to evolve a more nuanced approach towards compliance with the DPDPA as compared to unregulated entities. Given that the sector in general has a long history of complying with strict privacy and data protection rules set by regulators, their approach and detailed procedures towards compliance are likely to be more mature than those of firms in other sectors.

Following are the key functions and processes within Financial Services firms that will be impacted by the DPDPA:

1. Risk management: Risk management forms the bedrock of many financial services firms, as their core business is risk transformation. Financial institutions use customer-related information from multiple sources, including non-traditional alternative data sets, to aid in the assessment of risk associated with customers and customer-induced transactions. This allows firms to price credit risk appropriately, underwrite insurance efficiently, and assess fraud risk in order to deploy a suitable fraud risk engine, among others. Firms will now be required to critically assess which data points are being collected for these purposes, identify the legal basis for collection and obtain specific consent from customers. Since consent may be declined or withdrawn at any time by the customer, this may adversely impact the efficacy of the risk management function; firms must therefore prepare themselves to manage such events and may have to revisit their product pricing in the absence of such data points.

2. Outsourcing: Firms in the FS sector outsource several activities to third parties and in recent times have increasingly partnered with fintechs. There are elaborate extant guidelines from sectoral regulators on managing outsourcing risk, of which governance around customer data and privacy is a key aspect. However, the obligations cast on data fiduciaries under the DPDPA, who bear the ultimate responsibility to demonstrate compliance with the Act, are significant and go beyond the regulatory mandates. Firms will have to re-examine their outsourcing arrangements, review customer data management processes within the outsourced entities and align their governance frameworks to manage compliance.

3. Customer lifecycle management: The DPDPA has introduced new requirements, rights and responsibilities that firms have to adhere to when handling customer data throughout the customer journey. Customer onboarding, risk assessment and profiling, marketing and customer engagement, customer service, managing data principal rights, and cessation of the customer relationship are the key aspects of customer lifecycle management that will undergo significant change.

4. Product management: The product management function will have to incorporate product design elements that emphasize data protection, transparency, and data principal rights. Key considerations for the function include developing products with ‘privacy by design’ elements, a robust mechanism for user consent and communication, simple-to-understand user controls and transparency, a well-defined policy on the usage of customer data, and data protection and retention.

5. IT and cyber security: The DPDPA’s strong emphasis on the protection of personal data and the rights of individuals directly influences how these firms manage their IT systems and safeguard customer information. Financial institutions are entrusted with a wealth of personal and financial data, making them an attractive target for cybercriminals. The Act’s provisions emphasize the need for stringent cybersecurity measures, which may require financial services firms to invest in advanced threat detection systems, robust encryption protocols, and regular security audits. By doing so, institutions can create an environment where customer data is shielded from unauthorized access and potential breaches.

6. Regulatory changes: The DPDPA states that Significant Data Fiduciaries will need to be identified, and we expect the Financial Services ecosystem to be tagged as “Significant” and thereby carry a wide array of responsibilities under the Act. We expect the financial services regulators to adopt the DPDPA and customize it to the sub-industries that they regulate through appropriate regulatory directions. It would also be worthwhile for the regulators to train their supervisory staff in these new areas for stronger and more robust supervision.

7. Increased compliance for fintechs: Indian fintechs have been rapidly changing the FS landscape by partnering with incumbent Regulated Entities (REs) and leveraging customer data to deliver hyper-customized products to customers digitally and at affordable prices. Under the DPDPA, fintechs will be classified as ‘data processors’ and will have to comply with requirements that apply to data fiduciaries. In times to come, the RE–fintech partnership model will be reset, with REs exercising greater oversight of the data governance practices of fintechs. Fintechs with superior data governance processes will be sought-after partners for the REs and will thrive under the new data regime.

Finally, the Digital Personal Data Protection Act of 2023 emerges as a watershed moment for the country and provides individuals the opportunity to exercise control over their data. However, while the Act empowers individuals, unless our attitude towards privacy and data as a commodity changes significantly, it may not have the impact it seeks to make. The Act offers a unique opportunity for financial institutions to enhance data security, build customer trust, and lead the way in responsible data management practices. By embracing the Act’s provisions, financial services companies can not only navigate the evolving regulatory landscape but also position themselves as guardians of customer data in an increasingly interconnected and data-driven world.

This article first appeared in Financial Express on 06 September 2023.