Experts said India’s financial sector already operates with strong digital systems and consent-based governance. They added that the Digital Personal Data Protection Act (DPDPA) creates a stronger foundation for accountability in the digital space, though it also introduces certain challenges.
At the 9th Carnegie Global Tech Summit, during the session ‘India’s Approach to Data Governance’, panelists discussed the financial industry’s readiness for DPDPA and how tools like consent managers can help people manage their data. They also explained that age-gating mechanisms aim to protect children from harmful content.
Saranya Gopinath, Director of Government Affairs and Policy at Razorpay, said India’s well-regulated financial sector gives citizens a sense of trust and security.
“The financial sector in India is not only the most digitized or matured ecosystem, it’s also deeply regulated. As citizens, we can all take a lot of comfort in the fact that it is deeply governed,” she said.
When asked how the financial sector might change under the DPDPA, she explained that the industry already understands the ideas of consent and data sharing, and uses well-developed systems.
She added that individual rights have been carefully considered in this space.
She said banks regularly go through audits and follow proper protocols to manage data.
“Consent is not an alien term in the financial sector. It is an understood concept,” she said.
Officials and Industry Leaders Share Concerns and Opportunities
Bhuvnesh Kumar, Additional Secretary at the Ministry of Electronics and Information Technology, said the DPDPA grants rights such as the “right to be forgotten”.
He emphasized that detailed rules will play a vital role in enforcing the legislation.
Aman Jain, Director of Public Policy at Amazon, pointed out that global companies face issues with DPDPA’s storage and deletion requirements.
He said identifying the data principal becomes difficult when several people share one device, as in households.
“When the Act came out, a lot of us in the industry said, Look, this is progressive. This is different. You know, when the details came out and the rules came out, suddenly, the government announced that there’ll be a committee that will decide on what data subjects can be or topics can be under data localization,” he said.
He added that the draft rules ask e-commerce platforms to automatically delete a user’s data after three years, once it’s no longer needed.
“Let’s say you’ve gone on Amazon, you bought something today, and come 2027 we are required to delete your data if you’ve been inactive in that period. Now, practically, what ends up happening is we have enough use cases of folks coming back because they want to see if the warranty still exists for a TV they bought five years back, right? Or they just want to know the model you don’t remember it you bought something,” he said.
“I had a thing very recently, where I wanted to check what book I bought in 2015? And I need to be able to go back. And it doesn’t mean that I need to, you know, we’d love you to shop every single day. But if you were inactive for a little while and then you were going back, then you it just creates for bad experience, right? So, so that’s, I think, one so practical example,” he added.
Meta Welcomes a Tech-Neutral Law
Sunil Abraham, Public Policy Director for Data Economy and Emerging Tech at Meta India, supported the decision to keep the DPDPA technology-neutral and future-proof.
He said this kind of flexibility is a step in the right direction for businesses and consumers alike.
“It’s a step in the right direction,” he said.