The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Industry Guide

DPDPA Compliance for Fintech & Banking

Navigating data protection requirements for banks, NBFCs, payment processors, digital lenders, and financial technology providers under DPDPA 2023.

Dual Regulatory Framework

Financial services entities must comply with both DPDPA 2023 AND sectoral regulations including RBI data localisation requirements, SEBI cybersecurity guidelines, and IRDAI data protection norms. DPDPA operates as a baseline; sectoral requirements may impose additional obligations.

Who This Applies To

Banks & NBFCs

Scheduled banks, small finance banks, NBFCs, HFCs

Payment Processors

Payment aggregators, gateways, UPI service providers

Digital Lenders

Lending apps, P2P platforms, BNPL providers

Insurtech

Insurance companies, brokers, web aggregators

Fintech Specific Compliance Requirements

1. KYC Data Processing

KYC data collection may rely on Section 7 legitimate use (legal obligation under RBI KYC norms). However:

KYC data cannot be used for purposes beyond regulatory compliance without separate consent
Marketing use of KYC data requires explicit Section 6 consent
Data retention must align with both RBI guidelines and DPDPA Section 8(7)
Privacy notice must distinguish legal obligation vs. consent based processing

2. Payment Data Localisation

RBI circular on storage of payment system data mandates that payment transaction data be stored only in India. Under DPDPA:

DPDPA Section 16 permits cross border transfers unless blacklisted
RBI localisation requirement is stricter and prevails for payment data
Non payment personal data follows DPDPA Section 16 framework

Maintain separate data flow documentation for payment vs. non payment data.

3. Credit Scoring and Profiling

Fintech lending models rely heavily on data driven credit decisions. DPDPA implications:

Consent must cover data sources used for creditworthiness assessment
Data Principal has right to access credit evaluation data under Section 11
Purpose limitation: Credit data cannot be repurposed for unrelated services
SDFs must conduct DPIA before deploying new credit scoring models

4. Data Processor Management

Fintech ecosystems involve multiple data processors:

Cloud Service Providers

Section 8(2) contract; ensure Indian data centre for payment data

Analytics Vendors

Purpose limitation; no unauthorised data use

Credit Bureaus

Shared Data Fiduciary relationship; document basis

Collection Agencies

Data Processor; strict purpose limitation

Significant Data Fiduciary Designation

Large banks, NBFCs with substantial customer bases, and payment processors are likely candidates for SDF notification under Section 10. Implications include:

Mandatory DPO appointment (India resident, senior management)
Annual compliance audits by registered Data Auditor
DPIA before new data processing initiatives

Learn about SDF obligations →

Fintech DPDPA Compliance Checklist

Map all personal data processing and classify by legal basis (consent vs. legal obligation)

Update app/website privacy notices with Section 5 compliant disclosures

Implement granular consent management for different processing purposes

Review and update Data Processor agreements per Section 8(2)

Establish Data Principal rights fulfilment workflows

Implement 72 hour breach notification capability

Assess payment data localisation compliance (RBI + DPDPA)

Document credit scoring data sources and consent basis

Prepare for SDF designation if applicable

Align data retention with both RBI and DPDPA requirements

Compliance Deadline

Full DPDPA compliance required by 13th May 2027. Financial services regulators (RBI, SEBI, IRDAI) may issue sectoral guidance aligning with DPDPA timeline.

Assess your compliance readiness →