The Government of India has introduced the Draft Digital Personal Data Protection (DPDP) Rules, 2025, aimed at enhancing data privacy and defining responsibilities for entities handling personal information. These rules, part of the DPDP Act, focus on safeguarding customer data within the banking and financial sector through robust compliance frameworks.
Banks and financial institutions, designated as data fiduciaries, are mandated to implement stringent data protection measures such as encryption, pseudonymisation and masking. The draft rules also require institutions to establish systems to monitor, control and log data access, reducing the risk of breaches. Backup mechanisms must be in place to ensure continuous data availability during disruptions.
Consent management is a key component of the proposed rules. Financial institutions handling data requiring explicit customer consent must register as consent managers, enabling platforms for customers to provide, modify, or withdraw consent. Records of consent history must be maintained for at least seven years, ensuring transparency and accountability.
Larger financial entities may be classified as Significant Data Fiduciaries due to the scale of data they handle. These entities will face additional responsibilities, such as conducting impact assessments and annual audits and ensuring transparency in data processing algorithms to minimise misuse risks.
The draft also addresses cross-border data transfers, stipulating that institutions must comply with government-imposed conditions to ensure data sovereignty and security. Data retention is permitted only for specific legal requirements, and institutions must notify customers before deleting their data, giving them an opportunity to review or reclaim it.
To ensure accountability, the draft rules require institutions to report data breaches within 72 hours of discovery. Notifications must detail the breach’s nature, its impact and remedial actions taken.
Financial institutions are expected to invest in advanced data protection technologies, train personnel and update operational policies to align with these requirements. While compliance poses challenges, it also presents an opportunity for the sector to build trust and reinforce its commitment to customer data security.
The government has invited public feedback on the draft rules via the MyGov platform until 18th February, 2025. The finalisation of these rules will shape India’s data protection landscape, setting a new standard for privacy and operational excellence in the financial sector.