India has made significant progress in driving access to financial services, reaching even the most remote areas, thanks to its strong digital public infrastructure.
The Digital Personal Data Protection (DPDP) Bill aims to establish a comprehensive framework for data protection, regulating how personal data is collected, processed and stored. Given the extensive access to sensitive customer data by companies in the financial sector like lenders, payment service providers, asset management companies and other entities in the BFSI sector, strict adherence to the DPDP’s guidelines on data collection, consent, processing, and record-keeping is paramount.
The GDPR in the European Union established a comprehensive framework for data protection and privacy, and while the DPDP Bill seeks to align with such global standards, it introduces provisions of its own to address India’s specific context. The Bill’s emphasis on mandatory reporting of data breaches and its stringent penalties underscore its commitment to accountability. Understanding these differences is vital for compliance, particularly for organisations operating in both jurisdictions.
The DPDP framework mandates that every personal data breach be reported to the Data Protection Board and to each affected individual, regardless of any risk assessment, in the form and manner prescribed under the rules. GDPR, by contrast, requires notifying the supervisory authority only where the breach is likely to pose a risk to individuals’ rights and freedoms (and normally within 72 hours of becoming aware of it), and requires notifying the affected individuals themselves only where that risk is high.
Obtaining consent
Similar to GDPR, the DPDP framework requires consent to be ‘free’ (given without coercion or conditioning), ‘specific’ (tailored to the stated purpose, so that the individual knows exactly what they are agreeing to), ‘informed’ (accompanied by clear information on how the data will be used) and ‘unambiguous’ (signalled by a clear affirmative action such as ticking a box or clicking a button, rather than implied from inaction). In terms of penalties, the DPDP framework sets a fixed cap of ₹250 crore (about $30 million) per instance of non-compliance, which is higher than GDPR’s €20 million figure; GDPR, however, allows the alternative of 4 per cent of worldwide annual turnover, whichever is higher, so for large global groups the GDPR exposure can exceed the DPDP cap.
While awaiting the issuance of the DPDP Bill, companies can take several proactive measures to prepare for a smooth implementation. First, a thorough data audit across the organisation is essential to establish what personal data is collected, for what purpose it is processed, where it is stored and who has access to it. This is also an opportune moment to review and strengthen existing data protection policies, with particular attention to security controls such as least-privilege access, encryption of data at rest and in transit, and retention and deletion schedules. Classifying data according to its sensitivity and business importance is critical, since it determines which controls and which breach-response steps apply to each data set.
Additionally, companies should institute training programmes for their employees on data protection principles, fostering a culture of awareness and responsibility. Finally, maintaining transparent communication with stakeholders about data protection practices will ensure everyone is aligned and prepared for compliance once the Bill is passed. By taking these steps, companies will not only be ready for the new regulations but will also improve their overall data security posture.
The DPDP Bill represents a significant step towards protecting personal data in India’s financial services industry. By fostering trust and accountability, it will contribute to the sustainable growth and development of the sector. As India continues its digital journey, the DPDP Bill will play a vital role in ensuring a secure and transparent financial landscape for its citizens.
Mohanty is Director, and Kumar is Managing Director, CAMS