
Anupam Sonal, a career central banker with 34+ years’ experience in regulation, supervision, customer protection and fintech, is currently a Senior Advisor and Independent Director to banks & NBFCs.
November 24, 2025 at 5:10 AM IST
The Digital Personal Data Protection Act 2023 and its Rules represent a decisive shift in India’s privacy architecture, placing individuals at the center of the data economy and requiring institutions to justify every act of data processing. With India’s rapid digital expansion and the vulnerabilities that accompany it, the regime fills long-standing legislative gaps. The Rules notified on November 14, 2025, operationalise the framework and create a compliance environment that demands clarity, discipline, and continuous oversight.
At its core, the regime is simple: ask clearly, explain honestly, collect only what is essential, and handle personal data with the care owed to something that belongs to someone else. For individuals, the Data Principals, it means the right to see, correct, erase, or withdraw what they once shared. For the institutions designated as Data Fiduciaries, it carries heavy obligations including stricter record-keeping, faster breach disclosures, clearer accountability, and penalties that can reach ₹2.5 billion. Significant Data Fiduciaries (SDFs) will face even higher standards, including dedicated Data Protection Officers and regular impact assessments. The push for localisation and controlled cross-border transfers adds a layer of sovereignty consistent with global norms.
Few sectors feel this shift as sharply as finance. Banks sit at the intersection of identity, behaviour, credit and digital engagement, handling some of the densest and most sensitive datasets. Designation as SDFs is therefore all but inevitable. For decades, data practices in banking grew in fits and starts: fields added over time, workflows layered without clean mapping, and retention shaped more by convenience or commercial factors than by privacy. The new regime overturns this inherited posture completely and necessitates a new compliance dictum.
Two practical implications flow immediately. First, data capture can no longer be treated as a generic operational routine: every field collected must map to a defined purpose, a retention horizon, and a consent state. Second, accountability will span the entire data supply chain, extending equally to cloud hosts, technology vendors, business correspondents (BCs), fintech partners, consent managers, and algorithmic service providers. In effect, the regime recasts personal data as a ‘regulated asset class’, requiring the same discipline and responsibility from its custodians as financial assets themselves.
Structural Shift
The DPDP reform is thus not cosmetic regulatory tightening. The three-phase rollout over 18 months will compel a systemic reset around the principle of ‘data dignity’, requiring institutions to treat personal information as an extension of the individual. This shift must begin at the top, elevating data governance to a Board-level doctrine, both as a test of the legitimacy of data practices and as a matter of strategic stewardship. Boards must now track data flows with the same rigour they bring to capital and liquidity decisions. Data oversight can no longer remain a back-office function; it must stand beside prudential supervision as a test of institutional trust.
Tighter cyber security and outsourcing oversight, driven by rapid automation, has already set banks on an accelerated path to modernise their data-management and security foundations. But much of this has been piecemeal. The new regime demands an architecture that holds together end to end, protecting data whether the interaction happens in a branch, a call centre or the cloud. Privacy by Design must become a foundational doctrine that embeds confidentiality and integrity into every operational and service process: consent systems that record what customers actually agreed to, zero-trust environments, strong encryption and multi-factor authentication as routine practice. AI can help flag unusual access patterns and prevent accidental leaks, and even routine communication can be screened for inadvertent disclosures. Together, these create a privacy perimeter that adjusts continually rather than sitting static.
Familiar privacy techniques such as anonymisation, pseudonymisation, tokenisation, and geo-fencing remain essential for extracting analytics value without exposing identity. Localisation rules also force hard infrastructure choices: on-premises data centres, domestic cloud arrangements, or hybrid models in which sensitive datasets stay on tightly governed local nodes while low-risk information flows through controlled pipelines. Test environments require the same discipline: production data should never enter them unmasked, and they need proper masking, SIEM monitoring and strong intrusion-detection tools.
A risk-weighted approach to data is critical. Some datasets are routine; others can cause real harm if misused. The protection should match the stakes, not legacy system design.
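The field-level mapping described above (every collected field tied to a purpose, a retention horizon and a consent state), the pseudonymisation and test-environment masking, and the risk-weighted treatment of fields can be expressed as one small control. The following Python is an added illustration, not code from the article or from any bank or regulator: the field names, purposes, retention periods, sensitivity tiers, the sample record and the HMAC key are all constructed assumptions, not values prescribed by the Act or the Rules.

```python
"""Field register with purpose, retention and consent checks, plus keyed pseudonymisation.

Illustrative code; the register contents and the sample record are constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Consent(Enum):
    GIVEN = "given"
    WITHDRAWN = "withdrawn"


@dataclass(frozen=True)
class FieldPolicy:
    purpose: str          # the one purpose this field was collected for
    retention_days: int   # how long after collection the field may be kept
    sensitivity: str      # "high" fields are pseudonymised before leaving production


# Assumed register of collected fields; real purposes and periods come from the bank's own mapping.
REGISTER = {
    "mobile": FieldPolicy("account_servicing", 365 * 7, "high"),
    "pan": FieldPolicy("kyc", 365 * 10, "high"),
    "txn_amount": FieldPolicy("credit_scoring", 365 * 3, "routine"),
    "marketing_pref": FieldPolicy("marketing", 365 * 7, "routine"),
}


@dataclass
class Record:
    principal_id: str
    collected_on: date
    consent: dict[str, Consent]   # purpose -> consent state as last recorded
    values: dict[str, str]        # field name -> stored value


def check_processing(record: Record, field_name: str, purpose: str, today: date):
    """Return (allowed, reason); every denial names the control that tripped."""
    policy = REGISTER.get(field_name)
    if policy is None:
        return False, "field not in register"           # legacy field nobody mapped
    if policy.purpose != purpose:
        return False, f"collected for {policy.purpose!r}, not {purpose!r}"
    if record.consent.get(purpose) is not Consent.GIVEN:
        return False, "no active consent for purpose"    # withdrawn or never given
    if today > record.collected_on + timedelta(days=policy.retention_days):
        return False, "retention period expired"        # should already be disposed of
    return True, "ok"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. A plain SHA-256 of a phone number or PAN can be
    reversed by enumerating the small input space; the secret key is what makes this
    a pseudonym rather than a disguised identifier. In production the key lives in an HSM/KMS."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def export_for_test(record: Record, key: bytes, today: date) -> dict[str, str]:
    """Copy of a record fit for a test environment: unregistered, expired or
    consent-less fields are dropped, high-sensitivity fields are pseudonymised."""
    out = {}
    for name, value in record.values.items():
        policy = REGISTER.get(name)
        if policy is None:
            continue
        allowed, _ = check_processing(record, name, policy.purpose, today)
        if not allowed:
            continue
        out[name] = pseudonymise(value, key) if policy.sensitivity == "high" else value
    return out


# Constructed sample: a customer onboarded in 2020 who later withdrew marketing consent,
# with one legacy field that was never added to the register.
SAMPLE = Record(
    principal_id="P-001",
    collected_on=date(2020, 1, 15),
    consent={
        "account_servicing": Consent.GIVEN,
        "kyc": Consent.GIVEN,
        "credit_scoring": Consent.GIVEN,
        "marketing": Consent.WITHDRAWN,
    },
    values={
        "mobile": "9876543210",
        "pan": "ABCDE1234F",
        "txn_amount": "15000",
        "marketing_pref": "email",
        "legacy_note": "free text from an old CRM",
    },
)
DEMO_KEY = b"constructed-demo-key-not-for-production"
TODAY = date(2025, 11, 24)

if __name__ == "__main__":
    for field_name, purpose in [("mobile", "account_servicing"), ("mobile", "marketing"),
                                ("marketing_pref", "marketing"), ("txn_amount", "credit_scoring"),
                                ("legacy_note", "analytics")]:
        print(field_name, purpose, check_processing(SAMPLE, field_name, purpose, TODAY))
    print(export_for_test(SAMPLE, DEMO_KEY, TODAY))
```

With the sample record, servicing the mobile number is allowed, using it for marketing is refused on purpose mismatch, the marketing preference is refused because consent was withdrawn, the transaction amount is refused because its three-year retention ran out, and the legacy note is refused because it was never registered. The test export therefore contains only the pseudonymised mobile number and PAN; everything else is dropped rather than quietly copied into a less protected environment.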
Yet technology alone cannot deliver the desired outcomes. Regulation expects human judgement to work alongside machine controls. Breaches often arise not from sophisticated attacks but from routine lapses such as misunderstood obligations, behavioural indiscipline or processes drifting from intent. Banks must redraw workflows so that they assign responsibility with precision, mandate traceability in every data-linked decision, and adapt internal processes continuously to the evolving texture of regulation. These should be further fortified by policies on retention, disposal and access that function as living instruments, supported by targeted training that builds both technical capability and regulatory intuition.
A culture rooted in ethics and transparency is equally important. Customers should never be left guessing what they have agreed to or how their data moves. This demands communication mechanisms that are timely and in plain language: clear notices, intuitive consent tools, fraud-awareness interfaces, real grievance pathways, and visible escalation channels.
As outsourcing grows, institutions cannot escape accountability. Every partner, including vendors, will be held to the ‘privacy bar’ on par with banks. That requires clearer contracts, tougher audits, and compliance that runs through the entire chain, not just within the bank’s own systems.
To sustain this, banks need teams that cut across old silos. Lawyers, cybersecurity specialists, risk managers, modellers, technologists and customer-facing units must work together under an empowered Data Protection Officer. Progress must be measured not by the absence of breaches but by evidence of discipline: cleaner retention logs, stronger anonymisation, faster grievance resolution and more reliable vendor adherence.
The transition may well involve significant costs. But privacy, if taken seriously, can become a competitive strength. As algorithms increasingly shape core financial operations, explainability becomes indispensable. Banks must be able to clarify why a model behaved the way it did, test it for hidden bias and show that decisions are grounded in fairness rather than opaque logic. Models must be auditable, and the trail of how a decision was reached must be easy to follow.
Institutions that embrace this shift will gain more than compliance; they will build resilient systems, stable cultures, and long-term readiness for a privacy-first financial ecosystem.
*The views expressed are personal.