The draft Digital Personal Data Protection (DPDP) rules require banks to get clear, explicit consent from customers before using their data for anything beyond the original purpose. While many banks already follow this principle, experts say these formal rules leave no room for regulatory shortcuts or loopholes.
Experts also say it’s still too early to fully understand how these rules will affect business. However, once finalized, banks will need to create proper data processing agreements with third-party companies. This will help ensure they meet the rules.
Banks often cross-sell products from their subsidiaries or partner companies to their customers. Although banks generally get consent before sharing customer data for cross-selling, as part of good governance, there have been exceptions where this practice was not properly followed.
“Banks and NBFCs were not sharing data without the explicit consent of customers with their subsidiaries. Formal regulations make the requirement very explicit and leave no room for regulatory arbitrage. We do not foresee any business impact as such on account of the regulations. In fact, we see this as a great opportunity to build trust within the financial services ecosystem,” said Vivek Iyer, Partner, Financial Services Risk Advisory, Grant Thornton Bharat LLP.
Experts believe the draft rules are a positive move for customers because they improve data protection and bring India’s practices in line with global standards.
But corporate advisor Srinath Sridharan points out another concern. He questions whether banks are fully prepared for the operational challenges these rules bring. Banks will now need explicit consent before using customer data for anything beyond its original purpose. Except for a few large banks that have already started working on DPDP readiness, most of the sector still has a long way to go.
“One would assume that with the draft rules open for comments, the RBI might get the sector to ideate on this, through the Indian Banks’ Association (IBA) to help them prepare for DPDP implementation. This will require investment from banks — financial, technological, process change and training. A playbook of minimum acceptable operational norm could be expected from the regulator soon,” he added.
Currently, banks and insurance companies are reviewing the draft rules, which are open for public comment. They haven’t yet finalized their views or decided on their next steps.
“We are studying the draft rules and will finalise our views in some time. However, for us, since mobilisation of customers is done by bank staff who are qualified for selling insurance, they get the forms filled by the customer with their consent duly signed,” said a senior private sector insurance executive.
At the same time, a senior private sector banker warned that because many businesses rely on cross-leveraging group customers, requiring explicit consent could result in some business leakage.
According to Tisha Bhambry, Director Analyst at Gartner, the DPDP rules will require banks to set up strong consent management systems. These systems must allow customers to easily give consent, manage it, and withdraw it whenever they choose.
Besides that, banks must also have clear agreements with third-party partners to stay compliant. While these changes strengthen data protection and align with international standards, they also bring challenges for banks, along with an opportunity to build more customer trust through better privacy practices.