Impact of Digital Personal Data Protection (DPDP) Act in BFSI Sector

In our digitized world, growing trends across areas such as AI, ML, IoT and cloud computing have made personal data one of the most valuable assets a business holds. Managing the personal data of customers and end users is central to running business activities. With that value, however, comes a pressing need for privacy and security to build a threat-free environment. India's Digital Personal Data Protection Act (DPDP) of 2023 addresses these issues, aiming to protect personal data, empower individuals, and impose strict data-handling standards. This act is not just another piece of legislation; it is a game-changer. It was created after extensive discussion and careful consideration of how to safeguard personal data, give individuals more control over their information, and establish rigorous data protection standards. It is a benchmark for ensuring that data is protected and that we live in a safe and secure India. Responsibilities and ownership for safeguarding data are spread across many sectors, but one of the most critical is the BFSI sector, where enormous volumes of personal data are managed. This article looks at the influence of the Act on the financial services sector, which is expected to be significant, specifically the key regulatory changes required in the presence of non-traditional actors and the sector's ongoing digital transformation. The Act serves as the guiding framework for managing digital personal data, balancing the preservation of individual rights against necessary data processing requirements.

The highly regulated financial services sector already faces the challenge of aligning with existing financial regulations; the DPDP Act 2023 adds a further key responsibility to protect customer data. The BFSI sector needs to take strict measures to embed data privacy policy into its enterprise security policy and adopt a more mature approach to compliance than other sectors.

Impact on Financial Services functions:

The DPDP Act has significant effects on various functions within the financial services sector. Banks and other financial institutions manage a large volume of sensitive customer data that is crucial to their business. Protecting this data is therefore vital, and the consequences of a data breach cannot be undone. This makes banking a high-risk sector with respect to data privacy and data protection. The impact of the DPDP Act on the financial sector can be seen across every activity, from the moment a customer is onboarded into the banking system until the time the data is disposed of. Some of the key impacts across the BFSI sector are –

Regulatory changes

Significant Data Fiduciaries in the financial services sector will have increased responsibilities under the DPDP Act. Regulators expect organizations and stakeholders in the BFSI sector to tailor DPDP obligations to their business requirements and to train officials accordingly.

Risk management

Risk management plays a crucial role in managing and adhering to regulatory requirements. Data fiduciaries are expected by regulators to be accountable for DPDPA compliance. Risk management is central to their core function, and they must ensure that consent is obtained before personal data is processed.

IT, Cybersecurity and Resilience

DPDPA’s focus on personal data protection reshapes IT and data safeguarding practices to ensure business resilience. The BFSI sector should perform due diligence with DPDP in mind and invest in the right set of security controls, enabling advanced threat detection, strong encryption, a mature response process, automation, and regular audits, to safeguard customer data from cybercriminals and maintain a robust security culture.

Data Retention

The DPDP Act changes how organizations manage customer data across the lifecycle, from onboarding a customer through due diligence, acquisition, service, retention, and loyalty. It emphasizes explicit security safeguards, consent, clear data policies, data minimization, and retaining data only for necessary purposes.

Third Party Risk Management

Third Party Risk Management (TPRM) is a high dependency for many organizations, BFSI and non-BFSI alike. Data fiduciaries hold the primary responsibility for ensuring that their third parties meet the regulatory requirements that apply to them.

The BFSI sector widely outsources and partners with various stakeholders to expand and manage its business, and this brings additional compliance obligations under the DPDP Act for third parties acting on the fiduciary's behalf.

Increased compliance for BFSI sector

Under the DPDP Act, Indian BFSI organizations, in partnership with financial institutions, must adhere to stringent data fiduciary regulations, which is likely to transform the current BFSI collaboration model.

Penalties for Non-Compliance:

Under the DPDP Act, the Data Protection Board, a new regulatory body to be set up by the government, can impose a penalty of up to ₹250 crores where non-compliance by a person, individual or group is found to be substantial. Unlike the EU GDPR, the DPDP Act does not consider the turnover of a business when determining the amount of the fine. Instead, Schedule A to the DPDP Act lists predetermined ranges for each violation.

Understanding the implications of these penalties can help individuals and organizations adhere more effectively to the DPDP Act, thereby securing personal data and avoiding substantial penalties.

Best Practices in Financial Services for Data Protection:

Financial service organizations have many roles that deal with the personal data of customers. Data security is a mixture of processes, applications and tools that aim to protect an organization’s critical and sensitive data, both at rest and in transit. Some of the best practices to protect and safeguard personal data are as follows:

  • Review the existing corporate governance framework and embed DPDP requirements into it.
  • Develop a centralized data inventory using data discovery techniques.
  • Implement Privacy by Design mechanisms to collect, maintain, track, and update personal information.
  • Conduct training and awareness programmes.
  • Develop mechanisms to provide notices to data principals as required under the Act and ensure supplier contracts contain valid data protection terms.
  • Establish and maintain robust technical and organizational security measures to safeguard personal data.

The DPDP Act of 2023 stands as a testament to the evolving regulatory guidelines in the BFSI sector. By increasing compliance requirements and mandating transparency, consent, and robust security measures, it is focused on building a secure digital landscape in India that protects individuals’ personal data and reduces data breaches.

Disclaimer:

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

About the Author:


Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI

Tata Consultancy Services

Ms. Kavitha Srinivasulu has over 20 years of experience focused on cybersecurity, data privacy and business resilience across the BFSI, financial services, retail, manufacturing, healthcare, IT services and telecom domains. She has demonstrated her core expertise in risk advisory, business consulting and delivery assurance, with diverse experience across corporate and strategic partners. She is a natural leader with the versatility to negotiate and influence at all levels.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India.

Ms. Kavitha Srinivasulu is an Executive Committee Member of the CyberEdBoard Community.
