Protiviti’s latest report urges Indian banks to adopt AI, enhance governance, and embed privacy to meet DPDPA standards.
A new report by Protiviti says Indian banks must urgently improve their data privacy practices. This is to comply with the Digital Personal Data Protection Act (DPDPA) 2023 and the upcoming 2025 draft rules. The report warns that compliance isn’t just a checklist—it will deeply affect how banks operate. It says banks must redesign key systems and processes. They should follow “privacy by design” principles to meet the standards of India’s most detailed data protection law to date.
The report is titled “Navigating DPDPA in Banking: Compliance, Impact, and AI-Powered Strategies for Futureproofing.” It was released at the 4th IBA CISO Summit 2025, hosted by the Indian Banks’ Association. The report states that banks handle large amounts of sensitive data. Because of this, they will likely be classified as Significant Data Fiduciaries (SDFs) under the DPDPA. This classification brings stricter duties. These include data protection assessments, transparent algorithms, regular audits, and the appointment of a dedicated Data Protection Officer (DPO).
Instead of viewing compliance as a short-term task, Protiviti advises banks to build a flexible and risk-based model that can adapt to changing technologies and threats. The report also recommends using AI technologies to improve efficiency and automate privacy processes wherever possible.
The findings draw from Protiviti’s earlier State of Data Privacy in India survey, which had strong participation from the banking sector. The results were concerning:
- 52% of organisations had faced a privacy breach in the last five years.
- Only 42% had a fully developed privacy framework.
- Just 24% felt ready to tackle privacy challenges related to new technologies.
Even though 68% of financial institutions had some privacy processes in place, most depended heavily on IT teams, often without a dedicated privacy office.
The new report reinforces the need for stronger governance structures in banks. It urges clear accountability across all departments. Banks should also adopt modern tools like AI and privacy-enhancing technologies (PETs). These tools will help build a long-term, sustainable privacy strategy. It highlights that regulatory compliance, customer trust, and digital growth must go hand in hand.
Sandeep Gupta, Managing Director at Protiviti India, said,
“The DPDPA introduces a new level of responsibility for banks. Success will depend on good governance, smart use of privacy technologies, and staying aligned with regulatory expectations.”
Vaibhav Koul, also a Managing Director at Protiviti India, added,
“In banking, trust is everything. Following the DPDPA isn’t just about rules—it’s a strategic move. Using AI and privacy tools to build privacy into systems from the start will strengthen customer trust and protect data.”
