India’s Digital Personal Data Protection (DPDP) Act has sent ripples across industries. But this is not a new law arriving out of nowhere. The Act was passed in 2023 after an open public review process. What’s new are the operational rules notified in 2025 that finally put real teeth, and clear timelines, behind implementation. Institutions now have a finite runway to turn data stewardship from a policy on paper into a production-grade discipline. Those that delay will face greater regulatory exposure, material financial penalties, and higher remediation costs.

This article looks at the DPDP Rules through a banking lens, unpacking what they change, where the operational pressure points will emerge, and how banks can respond with a pragmatic, scalable path to compliance.

What DPDP really asks of banks

DPDP is not a banking-only mandate. Much like the EU’s GDPR, it is sector agnostic and binds any organization that collects, stores, processes, or shares personal data. What makes it particularly urgent for banks is the sheer depth and sensitivity of the data they hold and the scale at which they, and their partners, operate. At its core, DPDP reframes the customer as the ultimate authority over personal data: consent must be explicit, informed, granular, and revocable; rights to access, correction, and erasure must be operable; and breaches must be reported with specificity. Penalties for non-compliance are substantial, and while enforcement is adjudicatory, the obligations themselves are designed to bite immediately.

While DPDP is inspired by the EU’s GDPR, the philosophies are not identical. The Indian regime is explicitly consent-first and principle-based, leaning into simplicity and digital adoption; GDPR is rights-heavy and prescriptive, reflecting a longer tradition of privacy maximalism. DPDP focuses on digital personal data, whereas GDPR covers personal data in any form. Both frameworks bind governments, with limited exemptions, underscoring the universal direction of travel: stronger individual rights, clearer accountability, and auditable governance.

The four pillars to get right - now

  1. Consent management.
    DPDP raises the bar from broad consent to specific, informed, purpose-linked consent. For banks, that means giving customers an itemised account of the data being collected, the purpose for which it is being processed, and a consent request written in clear, plain language, with the option to access it in English or any language in the Eighth Schedule to the Constitution. Just as importantly, consent must be as easy to withdraw as it is to give.

  2. Rights of the data principal.
    DPDP makes the customer an active rights-holder, not a passive record in the bank’s systems. Data Principals can seek access to a summary of the personal data being processed, ask for correction, completion, updating, or erasure, and nominate another individual to exercise those rights in the event of death or incapacity. These rights must work at scale and speed, with auditable trails to show timely fulfillment. 

  3. Breach readiness and reporting.
    Under the Rules, breach response has to be immediate, specific, and defensible. Affected customers must be informed without delay in concise, clear language, and the Data Protection Board must also be notified without delay, followed by updated and detailed information within 72 hours unless the Board allows more time. This demands end-to-end detection, classification of the data at risk, and templated, bilingual notifications ready to go.

  4. Governance and accountability.
    Governance gets materially tougher for Significant Data Fiduciaries, which are notified by the government based on factors such as volume, sensitivity, and risk. These entities must appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments and audits, and apply stronger diligence to technical measures. 

Timelines that compress execution

The runway is now finite. India notified the DPDP Rules on 14 November 2025, with a phased commencement built into the law: the Consent Manager framework comes into force after one year, while the main operating obligations, including notices, consent, rights handling, and breach reporting, come into force after eighteen months, taking the principal compliance deadline to 14 May 2027. 

Penalty exposure is significant. The Act reserves the top-end ₹250 crore penalty for failure to maintain reasonable security safeguards; breach-notification failures can attract penalties of up to ₹200 crore; failures tied to additional Significant Data Fiduciary obligations can attract up to ₹150 crore; and other violations of the Act or Rules can attract penalties of up to ₹50 crore.

The ecosystem reality: accountability doesn’t stop at your firewall

Modern banking runs on a mesh of core platforms, fintech integrations, analytics partners, and cloud providers. DPDP holds the bank ultimately accountable for the entire ecosystem. If a partner leaks data or a cloud misconfiguration exposes PII, the bank cannot deflect liability. Vendor risk management must therefore extend from contracting and onboarding to continuous controls testing, telemetry, and termination protocols. 

Historically, cyber incidents have cost institutions from the hundreds of thousands to tens of millions of dollars depending on severity. DPDP overlays a formal breach playbook and penalty regime on top. The net effect is that cyber and privacy are now inseparable board level risks. 

Future course of action

Based on my reading of the DPDP Act and Rules, here is a practical blueprint (not statutory checkboxes) to help banks deliver:

  1. Consent orchestration engine
    Build a centralized, API-first consent service that issues verifiable consent tokens, supports purpose- and data-level granularity, and honors revocation in real time across web, mobile, ATM, branch, and assisted channels. Local-language notices should be parameterized content (not hardcoded text) so they can be versioned, tested, and audited.

  2. Golden customer and consent ledger
    Combine master customer data with an immutable consent ledger. Every access to personal data should be policy-checked: is there valid consent, for this purpose, for this attribute, at this moment? Deny by default and log every decision to support rights requests and regulatory reviews.

  3. Rights fulfilment workbench
    Create a case-managed console for access, correction, erasure, and nominee-led requests, with SLA timers, identity verification, and data lineage so changes flow across systems. Give customers status visibility to build confidence.

  4. Breach response pipeline
    Pre-integrate data classification, incident detection, impact assessment, and templated notifications that meet DPDP requirements. The process should quickly generate regulator-ready breach details and trigger customer communication in preferred languages. Test it like DR/BCP: regulators will expect readiness, not paperwork.

  5. Third-party controls and cloud guardrails
    Continuously assess partner risk, restrict data egress by purpose, and enforce encryption, tokenization, and key-management controls. Accountability extends across the ecosystem, so trust by design must be both a contractual and technical standard.

  6. DPO and board-ready governance
    Track policy coverage, consent gaps by journey, rights SLAs, DPIA status, vendor exceptions, and breach drills through board-ready dashboards. Evidence should be easy to export for audits and supervisory reviews.

  7. Legacy migration with consent revalidation
    During system upgrades or consolidation, do not assume historic consent is valid or traceable. Revalidate consent during migration cutovers, with assisted-channel support for less digitally active customers. 
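The policy-checked consent ledger sketched in item 2 above, as an added Python example that is not from the article or from Finacle: an append-only ledger in which grants are purpose- and attribute-specific, withdrawal closes a grant without deleting its history, every access is checked for valid consent for this purpose, this attribute, at this moment (deny by default), and every decision is logged for rights requests and reviews. The customer id, purposes, attributes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

@dataclass
class ConsentRecord:
    principal_id: str                      # constructed customer identifier
    purpose: str                           # purpose the consent was given for
    attributes: Set[str]                   # personal-data attributes it covers
    granted_at: datetime
    revoked_at: Optional[datetime] = None  # set on withdrawal; records are never deleted

class ConsentLedger:
    """Append-only consent ledger with a deny-by-default access check."""
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        self.decision_log: List[Dict] = []  # every allow/deny decision, kept for audits

    def grant(self, principal: str, purpose: str, attrs: Set[str], at: datetime) -> None:
        self._records.append(ConsentRecord(principal, purpose, set(attrs), at))

    def revoke(self, principal: str, purpose: str, at: datetime) -> None:
        # Withdrawal closes every open grant for that purpose but keeps the history.
        for rec in self._records:
            if rec.principal_id == principal and rec.purpose == purpose and rec.revoked_at is None:
                rec.revoked_at = at

    def check(self, principal: str, purpose: str, attribute: str, at: datetime) -> bool:
        """Valid consent for this purpose, this attribute, at this moment? Otherwise deny."""
        allowed = any(
            rec.principal_id == principal and rec.purpose == purpose
            and attribute in rec.attributes and rec.granted_at <= at
            and (rec.revoked_at is None or at < rec.revoked_at)
            for rec in self._records)
        self.decision_log.append({"principal": principal, "purpose": purpose, "attribute": attribute,
                                  "at": at.isoformat(), "allowed": allowed})
        return allowed

def demo() -> Dict[str, bool]:
    """Constructed scenario: consent to marketing use of email only, withdrawn on 20 Jan."""
    ledger = ConsentLedger()
    ledger.grant("cust-001", "marketing", {"email"}, datetime(2026, 1, 10))
    ledger.revoke("cust-001", "marketing", datetime(2026, 1, 20))
    return {
        "email_for_marketing_while_active": ledger.check("cust-001", "marketing", "email", datetime(2026, 1, 15)),
        "phone_for_marketing_while_active": ledger.check("cust-001", "marketing", "phone", datetime(2026, 1, 15)),
        "email_for_analytics_while_active": ledger.check("cust-001", "analytics", "email", datetime(2026, 1, 15)),
        "email_for_marketing_after_revoke": ledger.check("cust-001", "marketing", "email", datetime(2026, 1, 25)),
        "every_decision_logged": len(ledger.decision_log) == 4,
    }
```

Only the first access is allowed; a different attribute, a different purpose, or an access after withdrawal is denied, and all four decisions remain in the log.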

The leadership mindset shift

For banks, the journey to execution is demanding. It spans product, channels, operations, security, risk, legal, and education, especially for customers who are less tech-savvy and therefore more exposed to scams and misuse. But Indian banking has repeatedly shown it can execute at population scale - from instant payments to ubiquitous mobile banking. DPDP is the next national-scale capability to master.

Every major regulatory shift creates two kinds of institutions: those that treat it as a burden to absorb, and those that use it to build a stronger business. DPDP gives banks that choice. They can respond tactically and chase compliance milestones, or they can use this inflection point to create a more disciplined, transparent, and trusted model of growth. The banks that choose the latter will not just stay within the rules, they will help define what responsible digital banking looks like in India.

About the Author
Rajashekara V Maiya
VP and Head – Consulting
Infosys Finacle