Banks in India must urgently initiate a strategic privacy transformation to comply with the Digital Personal Data Protection Act (DPDPA) 2023 and the draft DPDP Rules, 2025, warns a new Protiviti report released on June 6th. The regulatory and operational impact of the DPDPA will be far-reaching, the report notes, adding that banks must re-engineer their critical functions according to privacy-by-design principles to comply with India’s most comprehensive data protection law to date.
Titled “Navigating DPDPA in Banking: Compliance, Impact, and AI-Powered Strategies for Futureproofing”, the Protiviti report was unveiled at the 4th IBA CISO Summit 2025 hosted by the Indian Banks’ Association. The report notes that banks are likely to be classified as Significant Data Fiduciaries (SDFs) under the DPDPA because of the scale and sensitivity of the data they handle. This designation will subject them to enhanced obligations, including data protection impact assessments (DPIAs), algorithmic transparency, data audits and the mandatory appointment of a Data Protection Officer (DPO).
Rather than treat compliance as a one-time project, the report urges banks to adopt a risk-based, adaptive operating model that keeps pace with evolving threats, technology shifts, and regulatory expectations. It further encourages banks to integrate AI wherever applicable to maximize efficiency and optimize processes.
The report builds on Protiviti’s State of Data Privacy in India survey, in which the banking sector was the most represented. That survey found that 52% of organizations had experienced a privacy breach in the past five years, yet only 42% had a fully defined privacy program. Just 24% felt prepared to manage privacy concerns related to emerging technologies. While 68% of banking and financial services organizations had defined privacy processes, reliance on IT teams remained high, often in the absence of a dedicated privacy office.
The latest report, released at the 4th IBA CISO Summit 2025, reinforces the urgent need for stronger governance, cross-functional accountability, and a technology-driven, AI-enabled privacy program within the banking ecosystem. It emphasizes that customer trust, regulatory alignment, and digital innovation must go hand in hand.
Key Highlights from the Report
● Sector-Specific Insights: Tailored guidance for banks on how the DPDPA intersects with RBI and SEBI regulations, ensuring a harmonized compliance approach.
● Unique Privacy Risks: A deep dive into banking-specific risks related to algorithmic profiling, third-party data sharing, and consent management.
● Operational Playbook: Practical strategies for integrating privacy by design, managing consent, and automating compliance across core banking functions, from KYC to fraud detection.
● Technology and AI as an Enabler: Exploration of privacy-enhancing technologies (PETs), AI-powered use cases, and scalable automation to futureproof privacy programs.
● Future-Ready Roadmap: A blueprint for establishing Data Protection Offices, conducting DPIAs, and embedding privacy into enterprise risk management.
“The DPDPA marks a new era of accountability for banks. Embedding strong governance,
leveraging privacy-enhancing technologies, and aligning with regulatory expectations will be key
to sustainable compliance” – Sandeep Gupta, Managing Director, Protiviti Member Firm for
India.
“In banking, trust is the currency—and compliance with the DPDPA is no longer just a regulatory
mandate, it’s a strategic necessity. By harnessing AI and Privacy Enhancing Technologies to
embed privacy by design into the digital infrastructure, we will not only be protecting personal
data but strengthening the very trust that powers every customer relationship” – Vaibhav Koul,
Managing Director, Protiviti Member Firm for India.
Drawing from sector-specific case studies, regulatory analysis, and forward-looking strategies,
the report offers a structured playbook for banks preparing to comply with India’s most
comprehensive data protection law to date.
It maps out critical banking functions, including digital onboarding, AML, and risk analytics, and
explains how each must be re-engineered in line with privacy-by-design principles. Common
threads include the need for explicit, granular consent from data principals, transparent privacy
notices at every touchpoint, limits on data processing for secondary or commercial purposes,
and cross-border safeguards for data transfers.
It further outlines three key operational imperatives. The first is the adoption of privacy-enhancing technologies (PETs) and AI for data discovery, classification, encryption, consent management, and automated handling of data principal access requests. The second is the establishment of a centralized data protection office to coordinate privacy governance across business, IT, legal, and risk. Finally, banks must invest in role-based privacy training, internal audits, and real-time compliance metrics to ensure enterprise-wide alignment.
The report also notes that the DPDPA will intersect or overlap with sectoral regulations issued by the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), creating multiple layers of accountability. For example, data retention obligations under RBI rules must now be reconciled with the DPDPA’s “data minimization” and “storage limitation” principles. Similarly, breach reporting will need to satisfy both the financial regulators and the newly formed Data Protection Board of India.