Draft DPDP Rules Reveal New Data Guidelines for Financial Institutions

The Government of India has proposed the Draft Digital Personal Data Protection Rules, 2025, as part of its ongoing efforts to safeguard individual data privacy and establish clear responsibilities for entities handling personal data. The draft rules outline provisions for India’s banking and financial sector and describe compliance frameworks and responsibilities for securing customer information.

Compliance with Data Fiduciary Obligations

Banks and financial institutions, categorised as data fiduciaries under the DPDP Act, are required to implement data protection measures. This includes securing personal data through encryption and masking. These institutions must also establish systems to restrict unauthorised access to customer information. These provisions aim to protect financial data in a digitised ecosystem.

The draft rules specify that data fiduciaries must adopt security measures to prevent data breaches, including encryption, pseudonymisation, and masking. Access to data must be controlled, monitored, and logged so that unauthorised access can be detected. Backup systems must ensure that data remains continuously available during disruptive events.

The Role of Consent Management

The draft rules emphasise a consent management framework. Financial institutions must register as consent managers if they handle customer data requiring explicit consent. This involves creating platforms for customers to provide, modify, and withdraw consent. The consent mechanisms must comply with the principle of informed consent, allowing customers control over how their data is processed.

Consent managers must ensure that data subjects can access records of their consent, requests, and withdrawal history. The rules mandate maintaining these records for a minimum of seven years. Institutions must also provide communication channels for customers to manage their consent.

Classification as Significant Data Fiduciaries

Large banks and financial entities may be classified as “Significant Data Fiduciaries” due to the scale of data they handle. These entities have additional responsibilities, including conducting data protection impact assessments and audits. The rules also require transparency in the algorithms used for processing customer data to reduce risks of data misuse.

Significant Data Fiduciaries are also required to prepare reports on compliance with security and privacy standards. These reports must be submitted to the Data Protection Board annually. The institutions must ensure that their data handling algorithms do not introduce risks to the rights of data subjects.

Restrictions on Cross-border Data Transfers

The draft rules regulate the cross-border transfer of personal data. Financial institutions transferring data outside India must follow conditions specified by the central government. Such transfers are subject to restrictions to ensure the sovereignty and security of the nation. This provision affects banks that process or store customer data abroad.

Cross-border data transfers must comply with contractual obligations and restrictions set forth by the government. Institutions must ensure that personal data is stored and processed in a manner that does not contravene Indian laws.

Data Retention and Deletion Requirements

Financial entities are required to delete customer data once it is no longer needed for its collected purpose. Data retention is allowed only if mandated by existing laws. This provision reduces risks associated with unnecessary data retention and supports data minimisation principles.

The draft rules include provisions for notifying data subjects before data deletion. Financial institutions must inform customers at least 48 hours before deleting their personal data unless retention is legally required. Such notifications provide users the opportunity to review or reclaim their data.

Obligation to Notify Data Breaches

The rules require notification of data breaches. Banks and financial institutions must inform affected customers and the Data Protection Board of India in case of a breach. Notifications should include details such as the nature of the breach, its effects, and measures being taken to address risks. This aims to ensure accountability and timely actions.

Data fiduciaries must report breaches within 72 hours of discovery. They must also outline remedial actions taken to prevent recurrence and provide an assessment of potential impacts on affected data subjects.

Operational Impact on Financial Institutions

Compliance with these draft rules will impact financial institutions. They will need to invest in data protection technologies and train personnel to manage compliance. Institutions may also need to revise their policies to align with the DPDP Act requirements. These rules aim to balance privacy frameworks with business operations.

The operational changes include the adoption of logging, audit processes, and automated systems for managing data lifecycle operations. These measures are essential for achieving compliance while maintaining service continuity.

The government has invited public feedback on these draft rules, with stakeholders encouraged to submit their inputs via the MyGov platform before 18 February 2025. The finalisation of these rules will define the data protection framework in India.

The draft rules under the DPDP Act, 2025, describe data protection measures for banks and financial institutions in India. These rules bring both obligations and opportunities for the sector. Compliance will require investment and operational changes, but it also offers a way to build trust with customers. As custodians of financial data, banks and financial institutions have the chance to reinforce confidence by adhering to these rules. The discussions and implementation of these rules will influence the future of data protection in the sector. The banking and financial industry can take steps now to align with these requirements and explore the benefits of regulatory compliance.