Research & Opinion
BFSI Sector Grapples with Data Breaches: Is It Ready for DPDP Rules 2025?
The recently unveiled draft rules under the Digital Personal Data Protection (DPDP) Act are poised to transform how banks, non-banking financial companies (NBFCs), and insurance firms manage customer data. The proposed regulations emphasize explicit customer consent for data sharing and restrict its use to predefined purposes, posing potential challenges to cross-selling strategies and operational workflows in the financial sector.
One significant shift under the new rules is the prohibition on financial institutions sharing customer data with subsidiaries without explicit consent. This disrupts the prevalent practice of banks and NBFCs utilizing subsidiary networks to promote products such as insurance, mutual funds, and other financial services.
Registrations Open for FutureCrime Summit 2025: India’s Largest Conference on Technology-Driven Crime
Transparency takes center stage in the draft regulations, requiring financial entities to provide clear and detailed notices about data collection and usage. These notices must include information on withdrawing consent and be accessible in both English and 22 Indian languages to ensure inclusivity.
The Act also enforces stringent data retention norms. Customer data can only be retained and used for the purpose specified at the time of collection. Once that purpose is achieved or consent is withdrawn, the data must be deleted. Additionally, customers gain greater control over their data, with rights to request summaries of its usage and withdraw consent at any time, effectively halting further processing.
FCRF Digital Privacy Leadership Awards: Nominate Now!
These proposed rules signal a paradigm shift in the handling of customer data, urging financial institutions to rethink their data management strategies while aligning with the principles of transparency and customer empowerment.