Navigating the Data Labyrinth: DPDPA's Impact on Fintech under RBI's Watch

India’s fintech sector, a global leader in innovation and adoption, now operates under a dual regulatory imperative: the Reserve Bank of India’s (RBI) prudential and conduct norms and the overarching Digital Personal Data Protection Act (DPDPA), 2023. As of May 2026, with the DPDPA and its associated rules operational, fintech entities face the task of harmonising these frameworks, ensuring robust data protection while continuing to grow. The DPDPA introduces a principles-based, economy-wide data protection regime that supplements, rather than replaces, the sector-specific mandates already in place.

Converging Mandates: DPDPA and RBI’s Data Governance

For years, RBI has been a proactive regulator of data governance, issuing directives on data localisation, IT governance and security, outsourcing of financial and IT services, and customer protection. These norms have implicitly aimed at safeguarding customer data within the financial ecosystem. The DPDPA now provides a statutory foundation, elevating data protection from a regulatory guideline to a legal obligation owed directly to the individual. Fintechs, acting as Data Fiduciaries, must re-evaluate compliance frameworks built around RBI circulars (for example, the directions on outsourcing and the IT governance and security framework for regulated entities) through the lens of the DPDPA. This means integrating DPDPA’s explicit requirements for consent, purpose limitation, and Data Principal rights into operational policies and technical safeguards. Where RBI norms impose a higher standard, those continue to apply; the DPDPA sets the baseline for all processing of digital personal data.

One of the most significant shifts for fintechs under the DPDPA is the elevated standard for consent. Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and limited to the specified purpose. This departs from the broad, implied consents prevalent in many digital service agreements. Fintechs frequently collect extensive personal data for various purposes: onboarding, credit scoring, fraud detection, cross-selling, and personalised offers. Under the DPDPA, consent covers only the purpose specified in the notice, so each distinct purpose not otherwise covered by a legitimate use under Section 7 needs its own consent, and that consent can be withdrawn at any time (Section 6(4)). For instance, using transaction data to offer a new loan product, beyond the original purpose of processing the transaction, would necessitate separate consent.

Furthermore, Section 4 permits processing only for a lawful purpose, Section 6(1) confines consent to the specified purpose, and Section 5 requires the notice accompanying a consent request to state the personal data and the purpose of processing. Together these give effect to purpose limitation and will challenge fintechs to articulate, and adhere strictly to, the reasons for data collection. While Section 7 lists “certain legitimate uses” for which consent is not required (for example, compliance with a legal obligation or a court order), fintechs must carefully assess whether ancillary processing genuinely falls within those grounds or requires explicit consent. This may necessitate re-engineering data collection workflows and user interfaces to capture and manage consent at a granular level, aligning with both the DPDPA and RBI’s customer protection mandates.

Enhanced Data Fiduciary Obligations and Data Principal Rights

The DPDPA imposes substantial obligations on Data Fiduciaries (Section 8), with additional obligations for Significant Data Fiduciaries (SDFs) (Section 10), a category many large fintechs are likely to be notified into. These include implementing reasonable security safeguards to prevent personal data breaches (Section 8(5)), notifying the Data Protection Board of India and each affected Data Principal of a breach (Section 8(6)), and, for SDFs, appointing a Data Protection Officer (DPO) based in India, appointing an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) (Section 10(2)). RBI’s existing IT security guidelines already mandate robust security controls and incident reporting to the regulator, but the DPDPA adds a statutory duty to notify the Board and the affected individuals, in the form, manner and timelines set out in the DPDP Rules.

Data Principals (customers) are also empowered with rights under the DPDPA (Sections 11 to 14), including the right to access information about their personal data (Section 11(1)), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14). The right to erasure presents a particular challenge for fintechs, given RBI’s extensive record-keeping requirements for KYC, AML, and transaction history. However, Section 12(3) provides that a Data Fiduciary need not erase personal data where retention is necessary for the specified purpose or for compliance with any law in force, and Section 8(7) contains the same carve-out for erasure on withdrawal of consent. Fintechs must meticulously document the legal basis for each retention period so that data is erased only when legally permissible and no longer required by RBI directions or other statutes.

Cross-Border Data Transfers: Reconciling DPDPA with RBI Localization

Section 16(1) of the DPDPA permits cross-border transfer of personal data except to countries or territories restricted by notification of the Central Government. This is a significant departure from the earlier SPDI Rules, 2011, which were less clear, and contrasts sharply with RBI’s strict data localisation mandates for payment system operators and certain other regulated entities. Crucially, Section 16(2) expressly preserves any Indian law that provides a higher degree of protection for, or restriction on, the transfer of personal data, so for fintechs operating payment systems or handling sensitive financial data, RBI’s directives (for example, the requirement to store payment data within India) continue to take precedence. Fintechs must therefore adhere to RBI’s localisation requirements where applicable, while ensuring that any permissible cross-border transfer still meets the DPDPA’s obligations: the Data Fiduciary remains responsible for compliance wherever processing occurs (Section 8(1)), and any overseas Data Processor must be engaged under a valid contract (Section 8(2)). This dual compliance means that while the DPDPA offers a broader framework, specific RBI norms act as non-negotiable guardrails for the financial sector.

Practical takeaway: Indian fintechs, General Counsels, and DPOs should adopt a holistic, risk-based approach to DPDPA compliance. Start by mapping all personal data collected, processed, and stored, and record the legal basis (consent or a Section 7 legitimate use) for each activity. Implement consent management that captures specific, unambiguous consent per purpose and honours withdrawal, as Section 6 requires. Review and update data retention policies, reconciling the right to erasure with RBI’s mandatory record-keeping periods and citing Section 12(3) (and Section 8(7)) where retention is required by law. Strengthen security safeguards and establish clear breach notification protocols in line with Sections 8(5) and 8(6) and the DPDP Rules, and align them with existing RBI incident reporting. Finally, invest in training for all employees on DPDPA principles and their intersection with RBI guidelines, fostering a culture of privacy by design and by default.

This post is licensed under CC BY 4.0 by the author.