In preparation for the Digital Personal Data Protection Act (DPDPA), 2023, large banks with annual revenue above ₹1,000 crore are planning to set aside over ₹5 crore for their data privacy programs, highlighting a strong push toward DPDP compliance, according to Protiviti’s report titled “Navigating DPDPA in Banking.”
The report describes personal data in banking as being spread across many different areas—core banking systems, fintech partnerships, third-party vendors, digital services, etc. This fragmentation makes privacy harder to govern.
“What we’ve seen,” according to Vaibhav Koul, Managing Director of Protiviti, “is from our survey we took a large number of financial services specifically, we looked at all sectors and the general trend is that large organisations are investing a lot more into privacy, while smaller organisations are struggling to find budget.”
For example, 37% of high-revenue companies across industries are investing more than ₹5 crore, while only 4% of low-revenue companies are doing the same. On the other hand, 26% of low-revenue companies haven’t allocated any budget at all, compared to only 5% of high-revenue firms. Koul noted that the banking sector likely reflects these trends, especially as many firms are still developing their own internal technologies.
Role of DPDP Compliance in Banking
The report highlights that the DPDP Act introduces roles such as data fiduciaries (banks), data processors (such as outsourced vendors and fintech firms), and consent managers. These distinctions will help delineate roles and responsibilities more clearly.
Organizations that provide outsourced services such as KYC checks, fraud checks, and digital banking platforms are “data processors”. The bank, as data fiduciary, always remains ultimately responsible for the data, and processors are likewise obligated to comply with the strict privacy legislation.
To ensure this compliance, banks should have robust contracts with processors (e.g. a Data Processing Agreement) and conduct regular audits of their work.
There are also consent managers, a new category of provider under the Act: third-party platforms that manage users’ consent to data processing. These will make it easier for banks and their partners to remain compliant.
Data Protection Challenges
The report also points out that handling children’s data under the new law will need more clarity. Koul said that while opening an account for a child might remain the same, banks will now have the added task of securing verified consent from a parent or guardian. This adds another layer of responsibility.
In summary, the report emphasizes that banks need to align customer experience with data privacy at every stage—from onboarding to data sharing with third parties. How well banks integrate these legal frameworks into their day-to-day operations will determine their success in complying with the DPDPA.