Post

Navigating the Dual Mandate: DPDPA and Fintech Compliance in India

Navigating the Dual Mandate: DPDPA and Fintech Compliance in India

July 08, 2026, marks a pivotal moment for India’s burgeoning fintech sector. With the Digital Personal Data Protection Act, 2023 (DPDPA) now fully operational, complemented by its recently notified Rules, financial technology firms find themselves at the intersection of a comprehensive privacy framework and the Reserve Bank of India’s (RBI) stringent sectoral regulations. This dual compliance challenge necessitates a nuanced understanding of how the DPDPA’s principles augment, and occasionally tension with, existing RBI norms, pushing fintechs towards a more robust and data-centric governance model.

The DPDPA’s Foundational Shift for Financial Data

At its core, the DPDPA introduces a consent-driven paradigm for personal data processing. For fintechs, which thrive on collecting and analysing vast amounts of customer financial data, this means a significant overhaul of their data lifecycle management. Section 6 of the DPDPA mandates that personal data can only be processed for a lawful purpose for which the Data Principal (the individual) has given consent. This consent must be free, specific, informed, unconditional, and unambiguous, clearly distinguishing it from the often broad ‘terms and conditions’ acceptance seen previously. Fintechs must now ensure their consent mechanisms are granular, allowing customers to opt-in for specific data uses and providing a clear, easy-to-use option for withdrawal of consent at any time.

While Section 7 of the DPDPA outlines certain ‘legitimate uses’ where consent may not be required (e.g., for fulfilling a legal obligation), fintechs must exercise caution. The default position should always be consent, particularly given the sensitive nature of financial data. Furthermore, the principles of data minimisation and purpose limitation, enshrined in Section 10, compel fintechs to collect only that data which is necessary for the stated purpose and to use it strictly for that purpose. This aligns with, and further strengthens, RBI’s existing expectations around data governance and responsible lending practices.

Harmonising with RBI’s Robust Framework

The RBI has historically been a proactive regulator concerning data security and customer protection. Its Master Directions on IT Governance, Risk, Controls and Assurance Practices, Digital Lending Guidelines, and Payment System Data Storage norms already impose rigorous requirements on regulated entities, including many fintechs. For instance, the RBI mandates data localisation for payment system data and sets high standards for outsourcing arrangements.

The DPDPA complements these existing norms by providing a baseline privacy standard. Where RBI guidelines focus on security and operational resilience, the DPDPA emphasizes individual rights and accountability. For example, RBI’s outsourcing guidelines require due diligence on third-party vendors. The DPDPA (Section 12) reinforces this by making Data Fiduciaries (fintechs) responsible for ensuring that Data Processors (their vendors) comply with the Act. Moreover, the DPDPA’s provisions on data breach notification (Section 11(7)) will likely integrate with, or supersede, existing RBI circulars on cyber incident reporting, requiring prompt notification to the Data Protection Board of India and affected Data Principals.

A critical area of interplay arises with Data Principal rights under DPDPA Section 13, such as the right to access information, correction, and erasure. While DPDPA grants individuals the right to erase their data, financial regulations often mandate data retention for KYC, AML, and audit purposes for several years. In such cases, Section 7(a) of the DPDPA, which permits processing for “fulfilment of any obligation under law,” will be crucial. Fintechs must clearly articulate to customers when data cannot be erased due to statutory obligations, ensuring transparency.

The Significant Data Fiduciary and Enhanced Obligations

Many prominent fintech companies, due to the volume and sensitivity of personal data they process, are likely to be designated as ‘Significant Data Fiduciaries’ (SDFs) under Section 19 of the DPDPA. This designation triggers additional responsibilities, including appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIAs), and undertaking regular data audits. These requirements align well with RBI’s emphasis on robust internal controls and risk management frameworks, providing a structured approach to integrating privacy into overall governance. The DPO, for instance, will work closely with existing CISO and compliance teams to ensure an integrated approach to data protection.

Practical Takeaway

For Indian fintechs, their General Counsels, and Data Protection Officers, the current landscape demands an integrated approach to compliance. Begin by conducting a thorough data mapping exercise to understand what data is collected, why, where it is stored, and with whom it is shared. Revamp consent mechanisms to be DPDPA-compliant, ensuring granularity and ease of withdrawal. Review and update vendor contracts to reflect DPDPA obligations for Data Processors. Develop clear internal policies and training programs for employees on data handling and privacy best practices. Finally, proactively engage with the RBI and the Data Protection Board of India to seek clarifications on potential overlaps or tensions, ensuring that customer trust and regulatory compliance remain paramount in this evolving digital financial ecosystem.

This post is licensed under CC BY 4.0 by the author.