What banks and financial institutions operating in India need to know about the Digital Personal Data Protection Act 2023 and RBI data governance guidelines — consent frameworks, data principal rights, significant data fiduciaries, cross-border transfer rules, and AI governance.
India's Digital Personal Data Protection Act (DPDPA), 2023 received Presidential assent and was published in the Gazette on August 11, 2023, establishing the country's first comprehensive legal framework for digital personal data protection. The Act does not take effect on its own: its provisions come into force on the dates the Central Government notifies. The DPDPA applies to the processing of digital personal data within India and to processing outside India where it is connected with offering goods or services to individuals in India. For banking and financial services institutions, the DPDPA works alongside existing Reserve Bank of India (RBI) guidelines on data governance and digital lending, creating a layered compliance environment that demands careful attention to both sets of rules. Understanding these frameworks is essential for any bank operating in or serving customers in India.
The Act was operationalized through the Digital Personal Data Protection Rules 2025, notified in November 2025 with a phased commencement schedule for the substantive obligations. This timeline underscores India's commitment to establishing practical guardrails for personal data handling. For BFSI entities, the interplay between DPDPA requirements and RBI's sector-specific guidelines creates both obligations and opportunities to strengthen customer trust and operational maturity.
The DPDPA establishes a consent-based framework for processing digital personal data. The Act's core concepts include the "data principal" (the individual whose data is being processed), the "data fiduciary" (the entity that alone or with others determines the purpose and means of processing), and the "data processor" (any entity processing data on behalf of a fiduciary, typically under contract). A critical category exists for "significant data fiduciaries" (SDFs): entities that the Central Government notifies as such after assessing, among other factors, the volume and sensitivity of data they process and the risk their processing poses to data principals' rights, to the sovereignty and integrity of India, to electoral democracy, and to the security of the State and public order.
The DPDPA's scope encompasses all digital personal data: information about an individual who is identifiable by or in relation to it, including financial information, transaction history, payment records, and loan details. Financial institutions are obvious candidates for SDF designation given the volume and sensitivity of customer information they process, although the designation itself only follows a government notification. Banks process data across multiple contexts: account opening, KYC verification, credit assessment, transaction monitoring, and fraud prevention. Each context carries its own consent and processing obligations under the DPDPA.
The DPDPA operates on a consent-based model for processing personal data. A data fiduciary must obtain consent from the data principal before processing unless the processing falls under the Act's "certain legitimate uses" (Section 7) or an exemption (Section 17), such as compliance with law or a court order, or the prevention, detection and investigation of offences. The Act requires that consent be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. For banking applications, this means banks cannot rely on generic consent captured at account opening for all future processing activities; each consent must map clearly to a defined purpose.
The concept of "purpose limitation" sits at the core of the DPDPA. Banks must process personal data only for stated, specified purposes. Processing transaction data for fraud detection is permitted; using that same transaction data for cross-selling insurance products without separate consent violates the principle. Banks must also practice "data minimization": collect only the data necessary to achieve a stated purpose. This requirement pushes banks to audit their data collection practices and justify each field in account opening or KYC processes.
The DPDPA grants data principals robust rights. The right to access allows individuals to obtain a summary of the personal data a bank is processing about them, the processing activities involved, and the identities of any other fiduciaries or processors with whom the data has been shared. The Act itself fixes no statutory deadline for these requests; the DPDP Rules 2025 require the fiduciary to publish the period within which it will respond, so banks must commit to a period and meet it. The right to correction permits individuals to challenge inaccurate or incomplete data held by banks. If a customer disputes their stored address, employment details, or risk profile, the bank must investigate and correct records if warranted.
The right to erasure, sometimes called the "right to be forgotten," permits individuals to request deletion of personal data when processing is no longer necessary or when consent is withdrawn. Banks face practical constraints here: erasure cannot override regulatory retention rules set by the RBI, the Prevention of Money Laundering framework, or tax authorities. However, where data can be deleted without legal conflict, banks must do so. The right to grievance redressal requires banks to establish transparent, accessible complaint mechanisms with a published response period. A customer who believes their data privacy rights have been violated must first raise the grievance with the bank; only after exhausting that mechanism can the matter be escalated to the Data Protection Board of India (DPBI).
The DPDPA imposes extensive obligations on data fiduciaries like banks. Entities must implement reasonable security measures to protect personal data from unauthorized access, disclosure, or breach. The Act does not prescribe specific technologies but requires measures proportionate to the sensitivity of data. For banks, this typically means encryption, access controls, network monitoring, and intrusion detection aligned with RBI cybersecurity guidelines and ISO 27001 standards.
Banks must ensure accuracy and keep personal data current, complete, and free from known errors. This obligation extends to correcting inaccurate data when the bank becomes aware of errors. The Act requires that banks not retain personal data longer than necessary for the stated purpose, except where law requires retention. Banks handling customer transaction data must balance DPDPA requirements for timely deletion against RBI's data retention mandates.
When a personal data breach occurs, banks must notify the DPBI and each affected data principal. Unlike the GDPR, the DPDPA sets no harm threshold: every personal data breach triggers the duty to notify. The DPDP Rules 2025 require intimation to affected individuals without delay and an initial intimation to the Board without delay, followed by a detailed report within 72 hours. This obligation is distinct from but complementary to RBI's cyber incident reporting requirement, under which banks report cyber incidents to the RBI within hours of detection (the 2016 Cyber Security Framework circular specifies a two-to-six-hour window). Banks should establish integrated incident response workflows that capture both DPDPA notification timelines and RBI reporting deadlines, because the RBI clock will almost always run out first.
The Central Government designates Significant Data Fiduciaries (SDFs) by notification, based on an assessment of the factors listed in Section 10 of the Act. Banks processing large volumes of sensitive financial data will very likely fall into this category. SDFs face heightened obligations under the DPDPA. They must appoint a Data Protection Officer based in India who reports to the board or an equivalent governing body and serves as the contact point for grievances, engage an independent data auditor, and conduct periodic data protection impact assessments and audits. SDFs must also implement mechanisms that let data principals exercise their rights easily: dedicated grievance redressal channels, accessible data access portals, and documented procedures for handling deletion requests.
Critical for banks, SDFs face restrictions on cross-border data transfers. Under the DPDP Rules 2025, the Central Government, acting on the recommendation of a committee it constitutes, may specify categories of personal data and associated traffic data that an SDF must not transfer outside India. For a bank designated as an SDF, this could mean customer account information, transaction history, and KYC details cannot be transferred to overseas parent companies or third-party processors once those categories are specified. Routine business functions, such as overseas outsourced IT support or cloud infrastructure hosted in other countries, may then require architectural redesign to keep the specified data in India or to process only anonymized derivatives abroad.
Section 16 of the DPDPA governs cross-border transfers for all fiduciaries: the Central Government may, by notification, restrict the transfer of personal data to specified countries or territories outside India. This is a restriction list rather than an approved list, so a transfer is permitted unless the destination has been restricted, and it remains subject to the Act's other obligations, to any general or special order the Central Government issues under the DPDP Rules 2025, and to stricter sectoral rules such as RBI's payment data localization mandate. Banks must verify that any overseas transfer of customer data does not go to a restricted destination and that the transfer is covered by a documented purpose and lawful basis.
Banks with overseas parent companies, subsidiaries, or service providers should conduct careful mapping of data flows. Transferring customer information to a parent company's data warehouse in Singapore, the United States, or the United Kingdom requires confirming that the destination is not restricted and that no SDF-specific transfer prohibition covers the data categories involved. Because the bank remains responsible as data fiduciary for processing done on its behalf, contractual safeguards and, for SDFs, data protection impact assessments should demonstrate that overseas processing does not expose Indian customers' data to weaker protections than the DPDPA requires.
The DPDPA establishes the Data Protection Board of India (DPBI) as the primary enforcement authority. The DPBI investigates complaints from data principals, conducts inquiries into violations, and imposes penalties. Banking institutions must be aware that the DPBI operates with significant autonomy and authority, distinct from RBI oversight.
Penalties under the DPDPA are substantial. For violation of core obligations (such as failure to implement reasonable security measures or unauthorized processing), the DPBI can impose fines up to INR 250 crore (approximately USD 30 million) on data fiduciaries. For violations of specific provisions without designated penalty amounts, fines reach up to INR 50 crore (approximately USD 6 million). The DPBI considers factors such as the volume and sensitivity of affected personal data, the number of data principals impacted, and whether the violation was willful or negligent.
The Act places its obligations, and therefore its penalties, on the data fiduciary rather than on data processors. Section 8 makes the fiduciary responsible for compliance regardless of whether processing is carried out by a processor on its behalf, and the penalty schedule contains no separate tier for processors. Banks contracting with vendors for data processing therefore have a strong incentive to establish rigorous oversight: a breach at a bank's processor is, for DPDPA purposes, the bank's breach, and the bank may face the full fiduciary penalty if it cannot demonstrate reasonable security safeguards and due diligence over the processor.
The Reserve Bank of India has issued separate guidance on data governance, supplementing the DPDPA. RBI Circular on Storage of Payment System Data (dated April 6, 2018) mandates that all data relating to payment systems operated by or on behalf of banks, including transaction details, customer information, and system logs, must be stored within India. This data localization requirement applies to all payment system operators, including banks, payment gateways, wallet providers, and card networks.
The RBI rule is unambiguous: within six months of the circular (by October 15, 2018), all such data had to reside in systems located only in India. For the foreign leg of a cross-border transaction, data may be processed overseas but must be brought back to India and deleted from foreign systems within one business day, as the RBI clarified in its June 2019 FAQs. Compliance had to be confirmed through a System Audit Report prepared by a CERT-In empanelled auditor and approved by the bank's board, and the RBI has since required repeat audits and compliance confirmations from payment system operators.
The RBI's Guidelines on Digital Lending, issued in September 2022 and later consolidated into the RBI (Digital Lending) Directions, 2025, address data protection, outsourcing, and technology risk for digital lending platforms. Whether a bank operates a digital lending app itself or through a lending service provider, data collection by the app must be need-based and based on the borrower's explicit, auditable consent; the app must not access phone resources such as files, media, contacts, or call logs beyond one-time access needed for onboarding or KYC; borrowers must be able to deny or revoke consent and have data deleted; no biometric data may be stored unless permitted by law; and all data must be stored on servers located in India. Banks must also keep clear audit trails of data access and publish a privacy policy that discloses which third parties can collect borrower data.
RBI guidance also addresses third-party vendor management. Banks outsourcing digital lending functions to fintech partners must conduct detailed due diligence, including assessment of cybersecurity maturity, data protection controls, and regulatory compliance track records. Service level agreements must include specific security requirements and audit rights allowing banks to verify compliance. The bank remains liable for DPDPA and RBI compliance regardless of outsourcing relationships.
AI governance in Indian banking sits at the intersection of DPDPA requirements and emerging RBI guidance. The RBI constituted a committee to develop a Framework for Responsible and Ethical Enablement of AI (FREE-AI), whose report, published in 2025, sets out governance principles and recommendations for AI use in the financial sector, including accountability, fairness, explainability, and data protection. Against that backdrop, AI systems used for credit decision-making, fraud detection, and customer segmentation must operate within DPDPA's consent, purpose limitation, and data minimization constraints. Banks cannot train models on customer personal data without a lawful basis (consent or a legitimate use under the Act) and cannot use those models for purposes beyond those originally specified.
The Data Protection Board of India has not yet issued AI-specific guidance, but the DPDPA's existing framework applies. Processing personal data through an AI model is still "processing" under the Act, requiring a lawful basis and remaining subject to data principal rights. Note that the DPDPA, unlike India's earlier draft bills and the GDPR, defines no category of "sensitive personal data" and contains no right to an explanation of automated decisions. Discrimination in credit decisions on grounds such as caste, religion, or gender is therefore addressed by RBI's fair practices requirements and constitutional and consumer protection law rather than by the DPDPA directly. What the DPDPA does give the customer is the right to a summary of the personal data processed about them and of the processing activities, which a bank using AI in credit decisions must be able to produce.
For banks and financial services firms, DPDPA compliance demands structured, systematic effort. The first step is a data inventory: mapping all systems and processes that collect, process, or store personal data. Categorize data by sensitivity. For each data category, document the lawful basis for processing, which under the DPDPA is either consent for a specified purpose or one of the "certain legitimate uses" such as compliance with law; the GDPR-style bases of contractual necessity and legitimate interest do not exist in the Indian Act.
Review consent mechanisms. Many banks have broad consent statements from account opening that do not satisfy DPDPA requirements for explicit, purpose-specific consent. Banks must revise consent frameworks, creating modular consent options that allow customers to grant consent for specific processing activities separately from others. This is a significant operational lift but essential for legal compliance.
Establish a privacy governance structure with clear accountability. Designate a Data Protection Officer based in India if the bank is (or expects to be) notified as an SDF, and in any case a published contact person for data principal queries. Create documented processes for responding to access, correction, and erasure requests within the response periods the bank has published under the DPDP Rules 2025. Establish breach response procedures that integrate DPDPA notification requirements with RBI cyber incident reporting.
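The purpose-specific consent described above, and the tension between erasure requests and regulatory retention, are easiest to get right when they are enforced in code at the data access layer rather than in policy documents. The following is an added example, not code from the page or from any vendor, showing a consent ledger where each purpose is a separate grant, processing is refused when no active consent exists, and erasure deletes only what is outside a legal retention hold. All names (`ConsentLedger`, `PURPOSES`, `LEGAL_RETENTION_DAYS`) and the retention periods are hypothetical placeholders, not RBI figures.

```python
"""Purpose-bound consent checks and retention-aware erasure for a bank's data layer.

Added illustrative example; not code from the page or any vendor. The purpose names
and retention periods below are constructed placeholders (assumptions), not RBI rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Each purpose is a separate consent. Granting one never implies another.
PURPOSES = {"account_servicing", "fraud_detection", "credit_assessment", "cross_sell"}

# Minimum retention (days) for record categories a regulator requires the bank to keep.
# Placeholder values (assumption); the real periods come from RBI / PMLA / tax rules.
LEGAL_RETENTION_DAYS = {"kyc_record": 5 * 365, "transaction": 5 * 365}


@dataclass
class Consent:
    purpose: str
    granted_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        # Withdrawal takes effect from the day it is recorded.
        return self.granted_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


class ConsentDenied(Exception):
    """Raised when processing is attempted for a purpose without active consent."""


class ConsentLedger:
    def __init__(self) -> None:
        self._consents: Dict[str, List[Consent]] = {}          # customer -> grants
        self._records: Dict[str, List[Tuple[str, date]]] = {}   # customer -> (category, created)

    def grant(self, customer: str, purpose: str, on: date) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._consents.setdefault(customer, []).append(Consent(purpose, on))

    def withdraw(self, customer: str, purpose: str, on: date) -> None:
        for c in self._consents.get(customer, []):
            if c.purpose == purpose and c.active_on(on):
                c.withdrawn_on = on

    def has_consent(self, customer: str, purpose: str, on: date) -> bool:
        return any(c.purpose == purpose and c.active_on(on)
                   for c in self._consents.get(customer, []))

    def process(self, customer: str, purpose: str, on: date, action: Callable[[], object]) -> object:
        """Gate every processing step on an active, purpose-specific consent."""
        if not self.has_consent(customer, purpose, on):
            raise ConsentDenied(f"{customer}: no active consent for {purpose}")
        return action()

    def store_record(self, customer: str, category: str, created: date) -> None:
        self._records.setdefault(customer, []).append((category, created))

    def erase(self, customer: str, on: date) -> Dict[str, List[str]]:
        """Delete everything not under a legal retention hold; report what was kept and why."""
        deleted, retained, remaining = [], [], []
        for category, created in self._records.get(customer, []):
            hold_until = created + timedelta(days=LEGAL_RETENTION_DAYS.get(category, 0))
            if on < hold_until:
                retained.append(category)
                remaining.append((category, created))
            else:
                deleted.append(category)
        self._records[customer] = remaining
        return {"deleted": deleted, "retained_for_law": retained}


def demo() -> Dict[str, object]:
    """Constructed scenario: one customer, two consents, one withdrawal, one erasure request."""
    ledger = ConsentLedger()
    opened = date(2025, 1, 10)
    ledger.grant("C1", "fraud_detection", opened)
    ledger.grant("C1", "account_servicing", opened)
    ledger.store_record("C1", "transaction", opened)        # under a legal hold
    ledger.store_record("C1", "marketing_profile", opened)  # no legal hold

    # Fraud screening is covered; cross-selling on the same data is not.
    fraud_ok = ledger.has_consent("C1", "fraud_detection", opened + timedelta(days=30))
    try:
        ledger.process("C1", "cross_sell", opened + timedelta(days=30), lambda: "offer sent")
        cross_sell_denied = False
    except ConsentDenied:
        cross_sell_denied = True

    ledger.withdraw("C1", "fraud_detection", opened + timedelta(days=60))
    after_withdrawal = ledger.has_consent("C1", "fraud_detection", opened + timedelta(days=61))

    erasure = ledger.erase("C1", opened + timedelta(days=90))
    return {"fraud_ok": fraud_ok, "cross_sell_denied": cross_sell_denied,
            "after_withdrawal": after_withdrawal, "erasure": erasure}


if __name__ == "__main__":
    print(demo())
```

The point of routing every processing call through `process()` is that a new use of existing data (say, a cross-sell model reading transaction history) fails closed until a matching consent is recorded, which is exactly the purpose-limitation failure the prose warns about. The `erase()` result doubles as the response to the customer, listing what was deleted and what is held under law.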
Corvair's platform enables banks to operationalize DPDPA compliance through centralized data governance, consent management, and privacy controls. By mapping data flows, automating consent tracking, and integrating incident response workflows, Corvair reduces the manual effort of DPDPA compliance while providing audit-ready documentation of compliance measures. For banks managing complex outsourcing arrangements and cross-border data transfers, Corvair's third-party risk and data localization monitoring tools help maintain alignment with RBI guidelines and the DPDPA's transfer restrictions on significant data fiduciaries.
Related guides: China's Personal Information Protection Law imposes comparable consent, data principal rights, and cross-border transfer obligations for banks operating in or serving Chinese customers. The EU's GDPR provides a well-developed framework for data protection in AI, with significant parallels to the DPDPA's consent, purpose limitation, and accountability requirements. A regional comparison of Asia-Pacific privacy frameworks (Japan APPI, South Korea PIPA, Australia, and emerging regimes) is available for banks with multi-jurisdictional APAC operations.