Digital Personal Data Protection Act 2023: Impact on India’s financial services sector

Businesses often use “Data is the new oil” to describe data’s value. Due to the digitalization of the Indian economy and recent technical advances, personal data (‘Data Principal’) and commercial processing have skyrocketed. The Digital Personal Data Protection Act (‘DPDPA’) is timely. The Act requires data fiduciaries, processors, and principals to be more accountable for fairness, purpose limitation, data minimization, storage limitation, accuracy, confidentiality, integrity, and availability.

Financial services (FS) are highly regulated in India. Through guidelines on customer protection and data privacy, outsourcing, information security, technology, and cyber risk management, regulators have stressed several DPDPA provisions. Under the Prevention of Money Laundering Act (PMLA), sector participants are ‘Reporting Entities’ and must collect and retain certain data. The convergence of these two Acts will compel financial sector players to take a more complex approach to DPDPA compliance than unregulated organizations. Since the sector has a lengthy history of complying with authorities’ tight privacy and data protection regulations, their approach and thorough procedures may be more mature than those of other enterprises.

Financial services firms’ primary tasks and processes affected by the DPDPA are:

1. Risk management: Many financial services organizations rely on risk transformation. Financial organizations assess customer and customer-induced transaction risk using customer data from many sources, including non-traditional alternative data sets. This helps organizations price credit risk, underwrite insurance, and estimate fraud risk to deploy a fraud risk engine. Firms must now closely evaluate what data is being acquired for these reasons, define the legal basis, and obtain customer consent. Since customers can decline or withdraw consent at any time, this may negatively affect risk management; therefore, enterprises must prepare to manage such events and may have to rethink product pricing without such data points.

2. Outsourcing: FS firms increasingly partner with Fintechs to outsource many tasks. Sectoral regulators have detailed rules for controlling outsourcing risk, including consumer data and privacy governance. However, data fiduciaries, who have the final responsibility to certify compliance with the Act, have important obligations beyond legislative restrictions. Firms must rethink their outsourcing agreements, review outsourced businesses’ customer data management, and align governance structures to ensure compliance.

3. Customer lifecycle management: The DPDPA has mandated new data handling rules, rights, and responsibilities for enterprises. Customer onboarding, risk assessment, profiling, marketing and customer engagement, customer care, data principal rights management, and customer relationship termination will change.

4. Product management: Data protection, transparency, and data primary rights must be incorporated into product design. The function should develop products with “privacy by design,” robust user consent and communication mechanisms, simple-to-understand user control and transparency, a well-defined data usage policy, and data protection and retention.

5. IT and cyber security: DPDPA’s emphasis on personal data and individual rights affects how these organizations manage their IT systems and protect customer data. Financial institutions hold a lot of personal and financial data, making them appealing targets for cybercriminals. The Act emphasizes cybersecurity, which may force financial services organizations to invest in advanced threat detection systems, strong encryption protocols, and regular security audits. By doing so, institutions may protect customer data from unwanted access and breaches. Read more about Penetration Testing services in Hyderabad.

6. Regulatory changes: DDPA requires the identification of Significant Data Fiduciaries, and we expect the Financial Services ecosystem to be designated as “Significant” and have many Act-related duties. We expect financial services authorities to embrace the DDPA and tailor it to their subsectors through regulatory guidance. Regulators should also train their supervisors in these new areas to improve supervision.

7. Increased compliance for Fintechs: Indian Fintechs are rapidly transforming the FS environment by working with existing Regulated Entities (RE) and using client data to create hyper-customized, inexpensive solutions digitally. Fintechs will be considered ‘data processors’ under DPDPA and must follow data fiduciary rules. The RE–Fintech collaboration model will change, with REs overseeing fintech data governance. The new data regulation will favour Fintechs with strong data governance systems and RE partners.

Finally, the Digital Personal Data Protection Act of 2023 marks a turning point for the nation and gives people data control. Although the Act empowers individuals, it may not have the desired effect until our view of privacy and data as commodities changes. The Act gives financial institutions a unique chance to improve data security, boost customer trust, and promote responsible data management. Financial service organizations may negotiate the changing regulatory landscape and protect consumer data in a data-driven age by adopting the Act.