Navigating DPDPA in BFSI: Compliance, Consent, and Customer Data Responsibility

India’s BFSI sector is sitting on a data time bomb, and most organisations don’t know it yet. Having worked closely with banks, insurers, and financial institutions on their data compliance journeys, I’ve seen a recurring pattern: organisations treat regulatory compliance as a destination rather than an ongoing discipline. The Digital Personal Data Protection Act (DPDPA) 2023 changes that equation entirely.

Himanshu Gautam
Founder & CEO
GoTrust

Under DPDPA, Customer Data in BFSI Is a Liability

For decades, data was the silent fuel powering BFSI growth, credit scoring, fraud detection, and personalisation. Under DPDPA 2023, that same data is now also a regulated liability. Customers share identity details, financial transactions, behavioural patterns, and credit history with financial institutions. Misuse or mismanagement of any of it carries real consequences: penalties that can run into hundreds of crores, and reputational damage that no marketing budget can repair.

The Act establishes four foundational pillars – data minimisation, purpose limitation, lawful processing, and accountability. These aren’t legal checkboxes. They fundamentally reshape how data flows between banks, third-party vendors, analytics platforms, and partner ecosystems. Organisations that haven’t yet mapped these flows are already behind.

Compliance Is a Continuous Practice, Not a Checklist

The biggest mistake I see BFSI firms make is treating DPDPA compliance as a one-time audit exercise. It isn’t. It’s a continuous discipline across the entire data lifecycle.

Financial institutions must ensure personal data is collected only for legitimate, stated purposes, not retained indefinitely, not repurposed without consent, and not shared beyond what is necessary. Personal data breaches must be reported to the Data Protection Board of India and to each affected Data Principal. Users must have genuine control, including the rights to correction and erasure.

This demands alignment between technology and compliance frameworks across CRM systems, banking platforms, analytics tools, and every touchpoint in between. Data classification and mapping are not optional; they are the foundation. And critically, compliance obligations don’t stop at the BFSI firm’s boundary. They extend to cloud service providers, outsourcing partners, and fintech integrations. Every weak link in that chain is an organisational risk.

Consent Is Now a System, Not a Signature

One of the most significant shifts under DPDPA is the redefinition of consent. What used to be a lengthy, buried clause in an onboarding form must now be free, specific, informed and unambiguous, limited to the stated purpose, and withdrawable at any time with the same ease with which it was given.

For BFSI organisations, this is a genuine architectural challenge. Data is used across multiple functions simultaneously – fraud detection, underwriting, cross-selling, and personalisation. Each of these requires its own consent layer, tracked and enforceable at the point of processing. When a customer withdraws consent, that signal must trigger an immediate stop to processing for that purpose and erasure of the relevant data, unless a law requires the institution to retain it (KYC and AML record-keeping being the obvious BFSI cases), in which case the data is held for that purpose alone and erased when the retention period lapses.
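The consent layer described above, as an added example that is not part of the original article and not GoTrust's or any bank's code: a purpose-scoped consent ledger, an enforcement gate that every processing path must pass through, and a withdrawal handler that stops processing immediately and either erases or defers erasure where a retention obligation applies. The purpose names, the assumption that underwriting records sit under a statutory retention hold, and the sample customer and transaction are all constructed for illustration, not definitions taken from the Act.

```python
# Added example (not from the original article): a purpose-scoped consent
# ledger with an enforcement gate and withdrawal handling.
# Purpose names, the retention rule and the sample events are assumptions
# made for illustration, not DPDPA definitions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(str, Enum):
    FRAUD_DETECTION = "fraud_detection"
    UNDERWRITING = "underwriting"
    CROSS_SELLING = "cross_selling"
    PERSONALISATION = "personalisation"


# Assumed: purposes whose records carry a statutory retention obligation
# (e.g. KYC/AML record-keeping). Withdrawal stops processing immediately,
# but erasure is deferred until the retention period lapses.
LEGAL_HOLD_PURPOSES = {Purpose.UNDERWRITING}


class ConsentDenied(Exception):
    """Raised when processing is attempted without a live consent."""


@dataclass
class ConsentEvent:
    principal_id: str
    purpose: Purpose
    action: str           # "granted" | "withdrawn"
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only record of consent events, one purpose at a time."""
    events: list[ConsentEvent] = field(default_factory=list)

    def grant(self, principal_id: str, purpose: Purpose, at: datetime) -> None:
        self.events.append(ConsentEvent(principal_id, purpose, "granted", at))

    def withdraw(self, principal_id: str, purpose: Purpose, at: datetime) -> dict:
        """Record the withdrawal and return the downstream actions it triggers."""
        self.events.append(ConsentEvent(principal_id, purpose, "withdrawn", at))
        erasure = "deferred_legal_hold" if purpose in LEGAL_HOLD_PURPOSES else "erase_now"
        return {"stop_processing": True, "erasure": erasure}

    def is_active(self, principal_id: str, purpose: Purpose) -> bool:
        """Consent is live only if the latest event for this purpose is a grant."""
        latest = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "granted"

    def active_purposes(self, principal_id: str) -> set[Purpose]:
        return {p for p in Purpose if self.is_active(principal_id, p)}


def process(ledger: ConsentLedger, principal_id: str, purpose: Purpose, payload: dict) -> str:
    """Enforcement gate: each processing path checks consent for its own purpose."""
    if not ledger.is_active(principal_id, purpose):
        raise ConsentDenied(f"no live consent for {purpose.value} from {principal_id}")
    # Stand-in for the real work; returns a marker so callers can observe the outcome.
    return f"processed:{purpose.value}:{payload['txn_id']}"


def demo() -> dict:
    """Constructed scenario: grant three purposes, withdraw two, show enforcement."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger.grant("cust-001", Purpose.FRAUD_DETECTION, t0)
    ledger.grant("cust-001", Purpose.CROSS_SELLING, t0)
    ledger.grant("cust-001", Purpose.UNDERWRITING, t0)

    txn = {"txn_id": "T-42"}  # constructed sample transaction
    before = process(ledger, "cust-001", Purpose.CROSS_SELLING, txn)

    actions = {
        "cross_selling": ledger.withdraw("cust-001", Purpose.CROSS_SELLING, t0),
        "underwriting": ledger.withdraw("cust-001", Purpose.UNDERWRITING, t0),
    }
    try:
        process(ledger, "cust-001", Purpose.CROSS_SELLING, txn)
        blocked = False
    except ConsentDenied:
        blocked = True
    still_ok = process(ledger, "cust-001", Purpose.FRAUD_DETECTION, txn)
    return {"before": before, "blocked": blocked, "still_ok": still_ok,
            "actions": actions, "active": ledger.active_purposes("cust-001")}


if __name__ == "__main__":
    print(demo())
```

The design point is that consent is keyed by purpose, not by customer: withdrawing cross-selling consent blocks that path on the next call while fraud detection continues, and the ledger is append-only so the audit trail of grants and withdrawals survives. In a real deployment the withdrawal return value would be dispatched to the systems holding that purpose's data rather than returned to the caller.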

The firms that build this infrastructure well will earn something more valuable than compliance: customer trust. Transparency in data usage is increasingly a deciding factor for customers choosing between financial service providers. Getting consent right isn’t just a legal obligation; it’s a competitive advantage.

Accountability Has Moved to the Boardroom

DPDPA has made customer data accountability a boardroom-level concern. Gone are the days when data protection lived only in the IT department. Customer data must now be treated as a trust asset, not a commercial commodity to be monetised without limits.

This has direct implications for product design. Privacy and security must be embedded into products from the start, not bolted on later. AI-powered tools, credit scoring models, and fraud detection engines must be auditable and free from discriminatory bias.

When breaches occur, the response matters enormously. DPDPA mandates notification of a personal data breach to the Data Protection Board of India and to each affected Data Principal. How organisations communicate with affected customers in those moments will define their reputation far beyond the breach itself. The Act also carries penalties of up to ₹250 crore per instance for serious non-compliance, such as failing to take reasonable security safeguards, making data governance a financial risk, not just a regulatory one.

The Real Challenge: Legacy Systems and Scale

Let me be direct about the implementation reality: it’s hard. Most BFSI institutions are running on legacy infrastructure that was never designed with modern data protection in mind. Retrofitting these systems is expensive and time-consuming, but it is not optional.

The scale challenge is equally real. Banks processing millions of transactions daily cannot manage real-time consent and data governance through manual processes. Automation is essential. For smaller institutions, the resource gap is acute, but regulators will not exempt them from compliance obligations.

The human element is often underestimated. Technology alone cannot ensure compliance. Employees who handle data, from front-line bank staff to data engineers, need structured, ongoing training. A compliance framework with an undertrained workforce is a framework in name only.

The Bottom Line

DPDPA is not a burden. It is a long-overdue framework that brings Indian financial services in line with global data protection standards. The organisations that invest in genuine compliance, not surface-level box-ticking, will build stronger customer relationships, reduce their risk exposure, and earn a competitive edge in an increasingly trust-driven market.

Data’s role in BFSI is not diminishing. It’s growing. The question is whether organisations will manage it with the discipline and accountability that customers and regulators now demand.
