Banking in the Era of “Data Privacy”: Impact of Digital Personal Data Protection Act (DPDPA) on the Banking Industry.
Abstract:
“Data Protection” is the new buzz phrase among the stakeholders of the data processing industry. The concept has gained importance in recent years, particularly in the context of growing personal data breach incidents and the consequent use and misuse of such unauthorized personal data. A watershed moment in the domain of personal data protection in India has been the passage of the Digital Personal Data Protection Act, 2023 (DPDPA). It provides legal recognition to an individual’s right to protect personal data and aims to give the common man full control over his personal data. The Act mandates specific obligations for entities that are responsible for deciding the means and objective of processing personal data (referred to as “Data Fiduciary” in the Act).
DPDPA will have a substantial impact on the financial sector in general and the banking sector in particular. Banks collect a lot of personal data during their routine business activities. Hence, it is incumbent upon banks to comply with the specific requirements of DPDPA when collecting, storing, processing, or sharing the personal data of customers. Banks will need to adapt their operations to comply with the new data protection regime. Integrating the DPDPA framework into a bank’s processes will involve significant investment in technology, processes, and training of personnel. Against this backdrop, this piece aims to shed light on the provisions of DPDPA having the maximum relevance/impact on the banking industry and the likely process tweaks that will be required in key functional areas of banking such as customer onboarding, credit assessment and the risk management process.
“Data Protection” is the new buzz phrase among the stakeholders of the data processing industry. The concept has gained importance in recent years, particularly in the context of growing personal data breach incidents and the consequent use and misuse of such unauthorized personal data. A watershed moment in the domain of personal data protection in India has been the passage of the Digital Personal Data Protection Act, 2023 (DPDPA). It provides legal recognition to an individual’s right to protect personal data and aims to give the common man full control over his personal data. The Act grants certain rights to the Data Principal (the individual to whom the personal data relates) and at the same time mandates specific obligations for entities that are responsible for deciding the means and objective of processing personal data (referred to as “Data Fiduciary” in the Act).
In the modern world, data is a valuable asset which helps in the revenue generation process of a company or organization. Hence, it needs to be handled responsibly and protected from potential misuse. In the context of business, the DPDPA intends to protect customer information and has the potential to disrupt the way business houses function in terms of processing personal data. The impact of DPDPA will be felt across industries, be it Information Technology, Manufacturing, Trading, Health Care, Banking, Financial Services & Insurance (BFSI), Education or any other.
DPDPA will have a substantial impact on the financial sector in general and the banking sector in particular. Banks collect a lot of personal data during their routine business activities. Hence, it is incumbent upon banks to comply with the specific requirements of DPDPA when collecting, storing, processing, or sharing the personal data of customers. Banks will need to adapt their operations to comply with the new data protection regime. As a matter of fact, banks have already been complying with many of these requirements as mandated under various banking regulations and Acts. Therefore, there is a chance that certain provisions of DPDPA will overlap with several existing sectoral laws and regulations, creating a complex regulatory landscape. Integrating the DPDPA framework into a bank’s processes will involve significant investment in technology, processes, and training of personnel. Against this backdrop, this piece aims to shed light on the provisions of DPDPA having the maximum relevance/impact on the banking industry and the likely process tweaks that will be required in key functional areas of banking such as customer onboarding, credit assessment and the risk management process. As with any other risk faced by banks, the level of data protection risk also needs to be measured, estimated and mitigated to the extent possible. Hence, certain aspects regarding the management of the data asset inventories of banks are also discussed.
Understanding “Personal Data”.
In common parlance we can think of personal data as a set of attributes (such as a name, an identification number, location data, etc.) which together can identify a natural person with a degree of certainty. DPDPA, 2023 defines personal data as follows: “Personal Data means any data about an individual who is identifiable by or in relation to such data.” The Act applies only to “Digital Personal Data”, i.e. DPDPA is applicable to personal data collected in digital form or collected physically but subsequently converted to digital form.
An indicative list of Personal Data commonly observed in the banking Space.
Rights of Individuals (Data Principal) granted by DPDPA.
Data Principals get the right to (i) obtain information about their personal data; (ii) modify their personal data, i.e. carry out correction, updation and completion, and apart from this, have their personal data erased; (iii) grievance redressal in respect of any deficiency on the part of the Data Principal. Another unique right provided is (iv) the right to nominate another person in respect of one’s personal data (giving it the status of a virtual asset).
Data Minimization and Purpose Limitation
As per Section 4 of DPDPA, a Data Fiduciary is allowed to process personal data for a lawful purpose (any purpose which is not expressly forbidden by law) for which it has received consent from the Data Principal, or for purposes which are declared as “Legitimate Uses”. Hence, banks need to be cautious during the data collection process. Only the bare minimum data is to be collected, and it is to be used only for the specified purposes, aligning with their core banking activities. This will require banks to carry out data audits and refine their data collection practices.
DPDPA- Impact Areas
(A) Managing Data Asset Inventories: The data assets of a bank are located across multiple locations in multiple systems operated by multiple employees of the bank. Besides, some data may be held by contractual parties on their premises. Further, some data may be in a virtual environment. Hence, a logical first step to protect the data would be to identify the data locations. An inventory of the personal data that a bank holds needs to be documented, including aspects such as where the data came from and with whom it may be shared. For effective data management, banks must implement or revisit the following areas:
- Data Classification Policy: Formulating a comprehensive Standard Operating Procedure (SOP) for a data classification system to classify data into broad groups like Personal and Non-Personal. Within personal data, further sub-classification such as “Employee / Non-Employee”, “Minor / Adult”, etc. needs to be done for recording granular details.
- Data Flow Mapping: In the new data protection regime, banks are under obligation to provide Data Principals access to their personal data and to concede to their requests to withdraw consent, etc. Hence, mapping the flow of personal data within the bank to identify potential risks and vulnerabilities is of prime importance. Consolidating vast amounts of data into a centralized pool would make inventory management easier and compliance with DPDPA more systematic. But such a task is itself a challenge, especially for the bigger banks. It will require a lot of investment in technology and manpower upskilling.
(B) Customer On-Boarding Process: The customer onboarding process followed hitherto will need certain modifications in light of DPDPA. The “consent requirements” as well as the “data minimization” principles contained in the Act will have to be embedded in the customer information collection and verification process.
Key change areas:
1. Customer onboarding forms must be redesigned to align with data minimization principles and provide clear consent options.
2. Consent management system to record and manage customer consent during onboarding is crucial.
3. Data privacy notices indicating type of data collected, purpose of data collected etc. in multiple languages in accordance with DPDPA will have to be designed.
4. Employees engaged in the customer onboarding process need to be trained on DPDPA regulations and practices.
5. Investing in data protection technologies, such as unstructured data scanning, encryption, cookie compliance, and access controls, is essential.
(C) Credit Assessment & Risk Management Process
The data minimization and purpose limitation principles introduced by DPDPA will restrict certain credit assessment practices of banks. The policy for the use of customer data for risk management purposes will also need to be relooked at in view of the privacy obligations of DPDPA. Given below are some of the probable implications:
Lean Credit Assessment Models: Credit assessment models may have to be modified. Extra data requirements, if any, will have to be pruned from the existing credit assessment models. Newer models, which rely on fewer data points or incorporate data points from alternative data sources (e.g., behavioral data, data from social media, open banking data, etc.), may have to be developed to supplement traditional methods of credit assessment.
Data Sharing with Credit Bureaus: Another area requiring a relook will be the mechanism for sharing customer data with third-party credit bureaus (CIBIL, etc.). While customer consent is already obtained at present for sharing data with credit bureaus, both the consent mechanism and the type of data shared need to be revisited in order to make them DPDPA compliant.
Restricted Data Usage for Risk Management: Risk management is fundamental to banks. At present, banks leverage a large pool of diverse customer-related data for risk assessment purposes. Post DPDPA the scenario is likely to change. The risk management function will have to ensure that consent is available before processing or conducting any analytics on the personal data submitted by Data Principals.
Formal Framework for Data Protection Risk: Banks need to have a formal data privacy risk framework for the management of risks associated with digitized data. Standard operating procedures need to be established for periodic monitoring, tracking, and reporting of deviations identified from a data protection perspective. Banks also need to develop Key Risk Indicators (KRIs) to ensure that any potential deviations from the requirements of DPDPA are highlighted and escalated at periodic intervals, so as to avoid any breach resulting in reputational loss and financial penalties.
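As an added illustration of the consent-and-purpose gate described under Data Minimization and Purpose Limitation, in the onboarding key change areas (consent management system) and in the risk management point above, the following Python is example code written for this piece; it is not the article's own material nor any bank's system. It assumes a simple model in which consent is recorded per Data Principal per purpose, can be withdrawn, and every processing step must pass a check before any field is used. The purposes, the per-purpose field allowlists and the customer identifiers are constructed assumptions, not text from the Act.

```python
"""Consent ledger with purpose limitation and data minimization (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed data-minimization allowlist: the only fields each purpose may use.
# Real purposes and fields would come from the bank's data classification SOP.
PURPOSE_FIELDS = {
    "account_opening": {"name", "dob", "address", "id_number"},
    "credit_assessment": {"name", "dob", "income", "id_number"},
    "marketing": {"name", "email"},
}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-principal record of consents; every change is appended to an audit trail."""

    def __init__(self) -> None:
        self._consents: Dict[str, Dict[str, ConsentRecord]] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (event, principal, purpose)

    def grant(self, principal_id: str, purpose: str) -> None:
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        now = datetime.now(timezone.utc)
        self._consents.setdefault(principal_id, {})[purpose] = ConsentRecord(purpose, now)
        self.audit.append(("grant", principal_id, purpose))

    def withdraw(self, principal_id: str, purpose: str) -> None:
        rec = self._consents.get(principal_id, {}).get(purpose)
        if rec is not None and rec.active:
            rec.withdrawn_at = datetime.now(timezone.utc)
            self.audit.append(("withdraw", principal_id, purpose))

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """True only while an un-withdrawn consent exists for exactly this purpose."""
        rec = self._consents.get(principal_id, {}).get(purpose)
        return rec is not None and rec.active

    def consented_purposes(self, principal_id: str) -> List[str]:
        """Supports the Data Principal's right to know how their data is used."""
        return sorted(p for p, r in self._consents.get(principal_id, {}).items() if r.active)


def minimize(purpose: str, submitted: dict) -> dict:
    """Drop every submitted field the purpose does not need (data minimization)."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in submitted.items() if k in allowed}


def process(ledger: ConsentLedger, principal_id: str, purpose: str, submitted: dict) -> dict:
    """Processing gate: refuse unless consent for this purpose is active, then minimize."""
    if not ledger.may_process(principal_id, purpose):
        raise PermissionError(f"no active consent from {principal_id} for {purpose}")
    return minimize(purpose, submitted)


def demo() -> dict:
    """Walk through grant -> process -> withdraw -> blocked, on constructed sample data."""
    ledger = ConsentLedger()
    # Constructed onboarding submission that over-collects a social media handle.
    submitted = {"name": "A. Customer", "dob": "1990-01-01", "income": 50000,
                 "id_number": "ID-PLACEHOLDER", "social_media_handle": "@example"}
    ledger.grant("CUST-1", "credit_assessment")
    kept = process(ledger, "CUST-1", "credit_assessment", submitted)
    ledger.withdraw("CUST-1", "credit_assessment")
    try:
        process(ledger, "CUST-1", "credit_assessment", submitted)
        blocked = False
    except PermissionError:
        blocked = True
    return {"kept_fields": sorted(kept), "blocked_after_withdrawal": blocked,
            "audit_entries": len(ledger.audit)}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for the risk management point: consent is keyed by purpose rather than by customer, so consent obtained for account opening does not silently authorize credit analytics, and the audit trail of grants and withdrawals is what a KRI or a grievance review would be built on.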
(D) Managing Outsourced Entities
There are many instances wherein outsourced entities are engaged for the maintenance of day-to-day activities of a bank. On many occasions, customer or employee personal data is shared with some of these entities, such as vendors, CSPs, software providers, etc., for completion of the mandated tasks. As such they become Data Processors in DPDPA parlance. DPDPA mandates that such engagement of a Data Processor has to be done on the basis of a valid contract, and the liability regarding the use of the Data Processor lies with the Data Fiduciary. Hence, banks need to relook at the following areas:
- Conducting thorough due diligence on third-party service providers handling personal data with respect to the data security norms.
- Ensuring relevant data protection clauses in contracts with third parties.
- Implementing effective monitoring and oversight mechanisms for third-party activities related to personal data processing, such as requirements for periodic compliance certificates, evidence of controls established, etc.
Sharing customer data with third-party service providers will require robust contractual arrangements and data protection safeguards.
Conclusion
The banking sector, by virtue of being one of the most regulated industries in India, is already subject to a lot of guidelines regarding data privacy, information security, cyber risk management, outsourcing, etc. But the point to note here is that DPDPA introduces a comprehensive framework for personal data protection, whereas existing laws like the Information Technology Act and the RBI Act have their own specific focus areas. It is obvious that there will be areas of overlap between DPDPA and sector-specific laws and regulations. Several aspects codified by the present DPDPA have already been mandated by existing banking sector specific regulations. Other areas will be identified in due course as and when the follow-up rules of DPDPA, 2023 are notified by the government. The overlaps will be more pronounced once the complete set of rules is defined. It is to be noted that DPDPA, 2023 will co-exist with the IT Act, 2000 and other sectoral regulations or any of their amended versions. Overlapping regulations can create confusion. In a real-life business scenario, regulatory overlap can inflict real costs on businesses through repetitive data collection and duplication of compliance efforts. The overlapping areas need to be addressed in the subsequent rules to be brought in by the government. While framing the follow-up rules, the authorities should keep in mind that data protection regulations, primarily aimed at protecting consumer information, should not place disproportionate burdens on businesses, as this may hinder their growth and stifle innovation. Meanwhile, banks will need to align their compliance efforts to address the overlapping areas and the new obligations imposed by DPDPA.
(“Views and Opinions expressed in the article are of the author and not of the Bank’’).
Article by:
Abhijit De
Chief Manager (Research)
State Bank Academy, Gurugram.