How the upcoming DPDP Act could reshape BFSI sector’s data practices – ET CISO
The draft rules under the Digital Personal Data Protection (DPDP) Act, released recently, are set to impose significant changes on how banks, non-banking financial companies (NBFCs), and insurance firms handle customer data. The proposed regulations, which mandate explicit customer consent for data sharing and restrict its use to specific purposes, could challenge the financial sector’s cross-selling strategies and operational efficiencies.
Under the new norms, financial institutions will no longer be permitted to freely share customer data with their subsidiaries without obtaining explicit consent. This change disrupts the current practice where banks and NBFCs leverage subsidiary networks to offer products like insurance, mutual funds, and other financial solutions. With the draft rules emphasising transparency, entities must provide clear, detailed notices about data collection, usage, and the process for withdrawing consent, all while ensuring the notices are available in English and 22 Indian languages.
The Act also imposes strict limitations on data retention. Customer data must be used solely for the purpose stated at the time of collection and deleted once the purpose is fulfilled or consent is withdrawn. Additionally, the Act empowers customers to demand a summary of their data usage and allows them to withdraw consent at any time, halting further data processing.
The impact
Banks and NBFCs, especially those operating in semi-urban and rural areas, may face hurdles in obtaining consent from customers unfamiliar with digital platforms. Traditional, branch-reliant customers pose a particular challenge, necessitating new outreach and education strategies.
For larger entities categorised as Significant Data Fiduciaries, the compliance burden is set to intensify. These institutions may need to appoint dedicated Data Protection Officers, conduct impact assessments, and adhere to rigorous data audits. Moreover, penalties for non-compliance, including data breaches, could reach Rs 250 crore, compelling the sector to overhaul data security protocols and employee training programs.
The DPDP Act intersects with existing regulations by the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI). Financial institutions must ensure their data practices comply with these frameworks to avoid breaching multiple regulatory mandates.
While the Act aims to enhance customer data protection, it could significantly impact functions like targeted marketing, fraud prevention, and product pricing, forcing the BFSI sector to recalibrate its strategies for managing data and customer relationships.