Sector Guides7 minutes

DPDP Act And Rules 2025: A Practical Guide For Fintech Founders

A complete guide for fintech founders in Bengaluru on navigating the DPDP Act and Rules 2025. Learn how to align rapid product cycles with consent requirements, breach notifications, and investor due diligence.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Overview What Fintech Founders Need To Know Now

As a Seed to Series B fintech founder in Bengaluru, the Digital Personal Data Protection Act, 2023 is no longer just a legal abstraction. It is a strict item on the investor due diligence checklist and a common enterprise deal blocker in security questionnaires. With exactly 302 days remaining until the DPDP hard compliance deadline of 13 May 2027, treating privacy as a future problem threatens enterprise readiness. Fintechs handling payments data, lending KYC, and account aggregator APIs must now align rapid product cycles with clear compliance frameworks. According to Section 1(1), the legislation is officially called the Digital Personal Data Protection Act, 2023. Under Section 1(2), it shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint. Crucially, different dates may be appointed for different provisions of this Act, meaning fintechs must prepare for staggered enforcement and rolling compliance milestones over the coming months.

What The DPDP Act Says About Lawful Processing

At the core of the Act is Section 4, which dictates how personal data can be handled. Under Section 4(1), a person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose. Section 4(2) clarifies this extensively by stating that the expression “lawful purpose” means any purpose which is not expressly forbidden by law. To fulfill Section 4(1), processing requires either that the Data Principal has given her consent (under clause a), or it must fall under certain legitimate uses (under clause b). Consent is the primary basis for processing, except where Section 7 legitimate uses apply. The Act covers digital personal data processed within India, as well as processing outside India if it is connected to offering goods or services to Data Principals in India.

Section 17 Exemptions: Loan Defaults And Research

For lending startups, Section 17 provides critical operational clarity regarding loan recoveries and credit assessments. The law specifically outlines a scenario where a Data Principal defaults in paying her monthly loan repayment instalment on the date on which it falls due. In such an event, the Data Fiduciary may process the personal data of the Data Principal for ascertaining her financial information and assets and liabilities. This ensures that debt recovery and asset assessment are not severely hindered by consent withdrawal. Furthermore, Section 17(2)(b) states that the provisions of the Act shall not apply in respect of the processing of personal data when it is necessary for research, archiving or statistical purposes, provided the personal data is not to be used to take any decision specific to a Data Principal. Section 17 also allows the Central Government to notify specific instrumentalities of the State that are exempt from the Act in the interests of sovereignty, integrity of India, security of the State, friendly relations with foreign States, or maintenance of public order.

DPDP Act Vs Rules 2025 What Changed For Fintechs

While the 2023 Act laid the legislative foundation, the DPDP Rules notified in November 2025 operationalise the exact mechanics required for day-to-day compliance. The Rules 2025 dictate the structure of itemised notices that must precede consent, directly impacting your digital onboarding flows and user interfaces. They outline specific mechanics for obtaining verifiable parental consent if your financial literacy product or youth-focused payment app reaches minors. Furthermore, the Rules establish exacting criteria for Significant Data Fiduciary obligations based on the volume and risk of the data processed. This means fast-growing lending platforms or high-transaction payment gateways might cross the threshold into becoming a Significant Data Fiduciary sooner than founders might anticipate, triggering requirements for independent data auditors and Data Protection Officers based in India.

What Every Data Fiduciary Must Do Now

Your startup acts as a Data Fiduciary when determining the purpose and means of processing personal data. The ongoing operational burden involves significantly more than just a one-time privacy policy update. You must maintain verifiable consent records at scale, manage dynamic withdrawal requests, and tightly oversee third-party Processors like KYC vendors, account aggregators, or cloud hosting providers. For digital lenders, these DPDP obligations overlap significantly with RBI digital lending guidelines regarding data minimization and strict purpose limitation. A competent engineering team can run basic compliance on internal spreadsheets for the first few hundred users, but this breaks at scale when handling thousands of account aggregator API calls and managing dynamic consent updates across multiple platforms. Tooling becomes absolutely vital to maintain a SOC2-style compliance posture without heavily draining your startup's financial runway.

Breach Notification Specifics Under The Rules

Fintechs are high-value targets for malicious actors, and incident response is heavily regulated under the new framework. Under the Rules 2025, if a personal data breach occurs, you must provide intimation to affected Data Principals without delay. Simultaneously, you must submit a detailed breach report to the Data Protection Board of India within exactly 72 hours of becoming aware of the incident. This dual notification obligation means your security and compliance teams need automated workflows completely ready before an incident happens. Manual investigations and ad-hoc response plans almost always fail to meet the strict 72-hour regulatory window, exposing the company to massive statutory fines.

Common Misconceptions In Fintech Privacy

Misunderstanding the law leads to wasted engineering hours and bloated product roadmaps. First, many incorrectly assume the Act creates a formal category for highly confidential data like financials or health records. DPDP 2023 does not create a separate higher-risk class of data; risk and volume matter for SDF designation, but the base rules apply uniformly to all digital personal data. Second, regarding cross-border transfers, the law does not require specific destination approvals. Transfers are generally permitted unless the Central Government restricts transfer to specific countries on a notified negative list. Finally, founders often mistakenly think they must always ask for permission for everything. While consent is the primary basis for processing, the law outlines Section 7 legitimate uses for scenarios like employment purposes or responding to medical emergencies, meaning alternatives to consent do exist.

Implementation Checklist For Time To Compliant

1. Map all personal data flows across payment gateways, loan origination systems, and account aggregators to understand exactly where data resides [In-house feasible].

2. Draft and integrate itemised notice screens into the user onboarding sprint cycle to ensure clear communication before data collection [Tooling assisted].

3. Establish a central registry to systematically log consent issuance, modifications, and withdrawals with cryptographic audit trails [Tooling assisted].

4. Update vendor agreements with all third-party Processors to contractually enforce data deletion and strict breach reporting timelines [In-house feasible].

5. Set up an automated incident response workflow to guarantee compliance with the 72-hour DPBI reporting deadline [Tooling assisted].

6. Regularly assess user volume and processing risk to check for potential Significant Data Fiduciary designation [In-house feasible].

Penalties And Enforcement Risk

The Data Protection Board of India holds the statutory authority to direct inquiries, investigate breaches, and penalize non-compliance. Financial penalties under the DPDP Act are severe and proportionate to the nature of the breach, with fines reaching up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach. Additionally, failing to notify the Board and the affected Data Principals of a breach can result in separate penalties up to Rs 200 crore. These massive figures mean non-compliance is now a material financial risk that will inevitably surface during any Series A or Series B funding due diligence process.

How ComplyDP Helps

ComplyDP enables fast-moving fintechs to integrate scalable consent management and breach reporting workflows directly into their product cycles. Our platform provides the exact audit trails needed to clear investor due diligence and unblock enterprise deals without derailing your core engineering sprints. To see where your startup's onboarding flows currently stand against the rigorous November 2025 Rules, run a comprehensive gap assessment at freescan.complydp.com today and secure your compliance roadmap.

Sources

Frequently asked questions

Does the DPDP Act apply to Bengaluru fintech startups?

Yes. The Act covers digital personal data processed within India. If you collect KYC or payments data from Data Principals in India, your startup is a Data Fiduciary and must comply.

How long do we have to comply with the DPDP Act?

Exactly 302 days remain until the DPDP hard compliance deadline of 13 May 2027. Under Section 1(2), the Central Government may notify different enforcement dates for different provisions in the Official Gazette, so founders should start updating their onboarding flows now to avoid last-minute delays.

Can we handle consent management in-house?

A competent engineering team can log initial consents on spreadsheets for a small user base. However, handling thousands of account aggregator API calls and dynamic withdrawal requests breaks at scale and requires dedicated tooling to ensure accurate record-keeping.

What are the penalties for ignoring DPDP compliance?

The Data Protection Board of India can impose financial penalties up to Rs 250 crore for failing to take reasonable security safeguards to prevent a breach. Poor compliance posture is also a major deal blocker in enterprise security questionnaires and investor audits.

How does the DPDP Act treat financial data?

DPDP 2023 does not create a separate higher-risk category for financial data; all digital personal data follows the same foundational rules. However, the volume and risk of financial processing can contribute to a startup being designated as a Significant Data Fiduciary under the Rules 2025.

What happens to data processing if a user defaults on a loan?

Under Section 17, if a Data Principal defaults in paying her monthly loan repayment instalment on the due date, the Data Fiduciary may lawfully process her personal data for ascertaining her financial information and assets and liabilities without needing fresh consent for this recovery process.