Sector Guides7 min read

DPDP Act and Rules 2025: A Practical Compliance Guide for BFSI Enterprises

An operational breakdown of the Digital Personal Data Protection Act 2023 and Rules 2025 for Indian banks and NBFCs, focusing on KYC retention, breach intimation, and creating regulator-ready audit trails.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Overview for BFSI Compliance Leaders

With exactly 303 days remaining until the DPDP hard compliance deadline of 13 May 2027, compliance heads at major banks and NBFCs in Mumbai face a distinct operational challenge. The Digital Personal Data Protection Act, 2023 introduces strict requirements for managing personal data across legacy core systems, customer portals, and third-party processors. For a financial institution with thousands of staff, compliance is not just about legal mapping, but proving systemic adherence to the Data Protection Board of India (DPBI). The objective is to build an evidence pack that satisfies both internal audit and external regulators without requiring a multi-year GRC overhaul.

What the DPDP Act Says on Lawful Purpose, Retention, and Transfer

Section 4 of the Act dictates that a Data Fiduciary may process the personal data of a Data Principal only for a lawful purpose. For this processing, consent is the primary basis, except where Section 7 legitimate uses apply. Section 8 details data retention and explicitly addresses the intersection of privacy and sectoral mandates. For example, if a customer closes a savings account, Section 8 permits the bank to retain identity records for ten years if required by applicable banking laws, overriding the standard obligation to erase data when the initial purpose is served.

Cross-border data transfers are addressed under Section 16 of the Act. Transfers of digital personal data outside India are generally permitted unless the Central Government restricts transfers to a notified negative list of countries. However, Section 16 explicitly states that if other laws mandate a higher degree of protection or restriction, those laws prevail. For a Mumbai-based bank, this means RBI data localization directives remain fully enforceable and dictate where financial data must reside, regardless of the DPDP baseline.

Act vs Rules 2025: Operational Changes for BFSI

While the 2023 Act provides the statutory framework, the DPDP Rules notified in November 2025 define the actual mechanics control owners must execute. The Rules introduce specific formats for itemised notices, which financial institutions must present in multiple languages before collecting data through mobile banking apps or loan origination systems. Furthermore, the Rules outline precise workflows for verifiable parental consent, requiring banks offering minor accounts to implement specific age-gating and consent verification mechanisms that scale across millions of users.

For entities processing massive volumes of financial data, the Rules also formalise Significant Data Fiduciary (SDF) obligations. Banks and large insurers will likely meet the volume and risk thresholds for SDF designation. This requires appointing a Data Protection Officer based in India, conducting regular Data Protection Impact Assessments (DPIA), and undertaking independent data audits. These obligations shift the compliance burden from one-time policy updates to generating a continuous, regulator-ready audit trail.

What Every Data Fiduciary Must Do Now

The immediate task for a Chief Compliance Officer is establishing a dynamic Record of Processing Activities (RoPA) that maps data flows across legacy systems, cloud environments, and third-party vendors. Spreadsheets may work for a small fintech, but tracking consent artefacts and processor agreements across a 1000-person enterprise breaks down rapidly without automation. Your team needs a central mechanism to prove that data collected via an online loan application is not unlawfully repurposed for cross-selling insurance products.

Compliance leaders often worry about adopting yet another dashboard that overlaps with existing GRC tools. A credible approach isolates the specific DPDP workflows, such as consent tracking and Data Principal rights requests, integrating these controls into existing operational layers. When a customer withdraws consent, the system must trigger automated alerts to the respective control owner to halt processing, while preserving the RBI-mandated KYC data securely in the core banking system.

Breach Notification Specifics Under the Rules

Personal data breaches carry the highest financial and reputational risk under the new regime. The DPDP Rules 2025 mandate a dual-track reporting mechanism for any breach. First, the Data Fiduciary must send a breach intimation to the affected Data Principals without delay, providing them with actionable steps to protect themselves.

Second, the enterprise must submit a detailed report to the DPBI within 72 hours of becoming aware of the breach. This 72-hour window requires tight coordination across the security operations center, legal counsel, and the DPO. Preparing an evidence pack within this timeframe is practically impossible if your incident response plan relies on manual data gathering across disparate IT departments.

Common Misconceptions in Financial Services

First, there is a widespread myth regarding consent. Consent is not the only lawful basis for processing; Section 7 legitimate uses allow banks to process data for employment purposes or responding to medical emergencies without explicit consent. Second, the DPDP Act does not classify specific data types into a heightened risk tier. There is no legally defined sensitive data classification; instead, the volume and nature of the data determine if the entity qualifies as an SDF. Third, cross-border rules operate on a negative list basis, meaning transfers are allowed unless explicitly restricted.

Implementation Checklist for Banks and NBFCs

1. Map personal data across legacy core banking systems (In-house feasible for initial RoPA, Tooling required for dynamic updates).

2. Draft itemised notices for all digital touchpoints and mobile apps (In-house feasible for legal teams).

3. Deploy a consent artefact tracking mechanism linked to customer identities (Tooling-assisted for scale).

4. Configure the 72-hour breach intimation workflow for the DPBI (Tooling-assisted for cross-team SLA tracking).

5. Establish verifiable parental consent workflows for minor accounts (Tooling-assisted for age verification).

6. Reconcile Section 8 erasure requests with RBI KYC retention mandates (In-house legal policy, Tooling for execution).

Penalties and Enforcement Risk

The financial consequences of non-compliance are severe and proportionate to the volume of data handled by financial institutions. The DPBI can impose penalties of up to 250 crore rupees for failing to take reasonable security safeguards to prevent a personal data breach. Additionally, failing to notify the Board and the affected Data Principals of a breach carries a penalty ceiling of up to 200 crore rupees. These figures guarantee board-level scrutiny on how the compliance function manages DPDP readiness.

How ComplyDP Helps

Preparing for the May 2027 deadline requires translating legal statutes into operational reality across complex financial systems. ComplyDP provides the specific consent artefact tracking, breach intimation workflows, and automated RoPA generation needed to build a regulator-ready evidence pack, without duplicating your existing GRC platforms. To understand where your current legacy systems may fail an independent DPBI audit, start with a targeted gap assessment at freescan.complydp.com.

Sources

Frequently asked questions

Does the DPDP Act require banks to delete KYC data when a customer requests erasure?

No. Section 8 of the DPDP Act explicitly allows Data Fiduciaries to retain personal data if required for compliance with any law. For banks, RBI mandates requiring 10-year retention of KYC records override a Data Principal's erasure request.

What is the exact deadline for DPDP Act compliance?

The hard compliance deadline for the DPDP Act is 13 May 2027. Financial institutions have exactly 303 days until this date to fully map their legacy systems, deploy consent mechanisms, and ensure readiness for DPBI audits.

How quickly must a bank report a personal data breach under the new rules?

According to the DPDP Rules 2025, a Data Fiduciary must send a detailed breach report to the Data Protection Board of India within 72 hours. Simultaneously, they must send a breach intimation to affected Data Principals without delay.

Do we need a separate tool for DPDP if we already have a GRC platform?

While GRC platforms manage high-level risk and policy, DPDP compliance requires granular tracking of consent artefacts, itemised notices, and strict 72-hour breach workflows. Purpose-built tools integrate with existing GRC systems to provide the specific audit trails regulators demand without overlap.

Are cross-border data transfers allowed for Indian financial institutions?

Section 16 permits cross-border transfers unless the Central Government notifies a specific negative list of restricted countries. However, existing sectoral laws that mandate higher protection, such as RBI data localization directives, remain in full force and must be followed.