
2.12 Data privacy — DPDP Act 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive personal data protection law. It establishes principles, rights, obligations, and enforcement around the processing of personal data of any individual whose data is processed in India.

For lenders, the DPDP Act applies in addition to the RBI’s data-specific directions (the Digital Lending Guidelines on data, the AA Master Direction on consent, and the KYC Master Direction on identity data).

Sources:

  • Digital Personal Data Protection Act, 2023, available at meity.gov.in and india.gov.in.
  • Draft DPDP Rules (under finalisation at the time of writing — check meity.gov.in for the version in force).

Key roles under the Act:

  • Data Principal — the individual whose data is being processed (your borrower, proprietor, director, guarantor).
  • Data Fiduciary — the entity processing personal data and determining its purpose and means (your NBFC).
  • Data Processor — entity processing on behalf of the Data Fiduciary (your vendors — KYC vendor, BSA vendor, AA TSP, etc.).
  • Significant Data Fiduciary (SDF) — designated by Central Government based on scale / sensitivity; higher obligations.

The Act codifies these principles, with which every processing activity must comply:

  1. Lawful purpose — process for a lawful purpose for which the Data Principal has given consent or for legitimate use.
  2. Purpose limitation — process only for the specified purpose.
  3. Data minimisation — collect only what is necessary.
  4. Accuracy — keep data accurate and updated.
  5. Storage limitation — retain only as long as necessary.
  6. Security safeguards — reasonable security safeguards.
  7. Accountability — the Data Fiduciary is accountable for compliance.

The Act recognises two legal bases for processing:

  • Consent — explicit, informed, specific, capable of being withdrawn.
  • Legitimate use — specific narrow purposes including (a) voluntary provision by Data Principal for a specified purpose, (b) compliance with law, (c) performance of any judicial function, (d) employment, (e) medical emergency, (f) compliance with court order, (g) public interest, (h) state functions.

For lending, the primary basis is consent (collected at borrower onboarding) plus compliance with law (for regulatory reporting, KYC, AML).

At the time of collection, the Data Principal must be informed, in a vernacular language they understand, of:

  • The personal data being collected and the purpose.
  • The rights available to the Data Principal.
  • The grievance redressal mechanism.
  • How to withdraw consent.

Consent requirements:

  • Free, specific, informed, unconditional, unambiguous, with clear affirmative action.
  • Bundling prohibited for unrelated purposes.
  • Withdrawal as easy as giving.
  • For children (under 18), processing requires verifiable parental consent.

Data Principal rights:

  • Right to access — what data is processed, with whom shared.
  • Right to correction and erasure.
  • Right to nominate — a person to exercise rights in case of death / incapacity.
  • Right to grievance redressal.

Data Fiduciary obligations:

  • Purpose limitation and minimisation in practice.
  • Reasonable security safeguards (technical and organisational measures).
  • Data breach notification — to the Data Protection Board of India and to affected Data Principals, in the prescribed manner and time.
  • Erasure when purpose is no longer served or consent withdrawn (subject to legal retention).
  • Processor due diligence and contracts — Data Fiduciary must contract with Data Processors with appropriate safeguards.
  • Grievance redressal mechanism.
  • Significant Data Fiduciary additional obligations — DPO, audits, impact assessment.

Cross-border transfer:

  • Personal data may be transferred outside India to countries the Central Government does not restrict.
  • Default position is permissive; specific country restrictions can be notified.

Penalties:

  • Up to ₹250 crore per breach for specified violations.
  • Determined by the Data Protection Board of India.

What this means for a lender:

  • All borrower KYC, identity, financial, contact and behavioural data is personal data.
  • AA-fetched data is personal data; the AA consent can double as DPDP consent, provided it meets the consent requirements above.
  • Bureau-fetched data is the borrower's personal data; the bureau is, in effect, a Data Processor (a regulated one).
  • Vendor processors (KYC vendor, BSA vendor) are Data Processors; you must contract with them appropriately.
  • Marketing / pre-approved offers based on prior data — needs explicit consent.

Borrower-facing controls:

  • Consent UI at every collection — purpose-specific, informed, with withdrawal option.
  • Withdrawal UI in borrower portal — withdraw any consent, view consequences.
  • Notice in vernacular — every borrower-facing notice translated.
  • Data deletion flow — borrower can request and receive deletion (subject to regulatory retention).

System capabilities:

  • Consent service — every consent timestamped, scoped, versioned, with audit trail.
  • Purpose taxonomy — every data field tagged with permitted purposes.
  • Purpose check at every read — system blocks read for non-permitted purpose.
  • Retention scheduler — data lifecycle managed automatically; expired data purged or anonymised.
  • Vendor (processor) contract metadata — every external vendor cataloged with DPA, purpose, retention.
  • Breach detection and response — incident management process integrated with security operations.
  • Data Principal request portal — access, correction, erasure, nomination.
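As an added example (not code from this handbook), the following Python sketch ties together three of the capabilities above: per-purpose consent records carrying a notice version and timestamp, an append-only audit trail, and a purpose check at every read that blocks reads for purposes a field is not tagged for, or for which no active consent exists at that instant. The purpose taxonomy, field names and the set of purposes treated as resting on the compliance-with-law basis are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed purpose taxonomy: each data field is tagged with the purposes it may be read for.
FIELD_PURPOSES = {
    "pan": {"kyc", "regulatory_reporting"},
    "bank_statement": {"underwriting"},
    "mobile": {"kyc", "servicing", "marketing"},
}
# Assumption: these purposes rest on the "compliance with law" basis, so no consent record is needed.
LAW_BASIS_PURPOSES = {"regulatory_reporting"}
# Timestamps are ISO-8601 UTC strings ("2024-04-01T10:00:00Z"); same-format strings compare chronologically.

@dataclass
class Consent:
    principal_id: str
    purpose: str            # one purpose per artefact: no bundling
    notice_version: str     # version of the notice the borrower saw when consenting
    given_at: str
    withdrawn_at: str = ""  # empty until withdrawn

class ConsentService:
    def __init__(self) -> None:
        self._consents: list[Consent] = []
        self.audit: list[tuple] = []  # append-only trail of every grant, withdrawal and read decision

    def grant(self, principal_id: str, purpose: str, notice_version: str, at: str) -> None:
        self._consents.append(Consent(principal_id, purpose, notice_version, at))
        self.audit.append(("grant", principal_id, purpose, at))

    def withdraw(self, principal_id: str, purpose: str, at: str) -> None:
        for c in self._consents:
            if c.principal_id == principal_id and c.purpose == purpose and not c.withdrawn_at:
                c.withdrawn_at = at  # reads before this instant stay valid; later ones are blocked
        self.audit.append(("withdraw", principal_id, purpose, at))

    def has_active_consent(self, principal_id: str, purpose: str, at: str) -> bool:
        return any(c.principal_id == principal_id and c.purpose == purpose and c.given_at <= at
                   and (not c.withdrawn_at or at < c.withdrawn_at) for c in self._consents)

    def read_allowed(self, principal_id: str, field: str, purpose: str, at: str) -> bool:
        # Purpose check at every read: taxonomy first, then legal basis or an active consent.
        if purpose not in FIELD_PURPOSES.get(field, set()):
            allowed = False
        elif purpose in LAW_BASIS_PURPOSES:
            allowed = True
        else:
            allowed = self.has_active_consent(principal_id, purpose, at)
        self.audit.append(("read", principal_id, field, purpose, allowed))
        return allowed
```

Because the check is evaluated against the timestamp of the read, a withdrawal never retroactively invalidates earlier reads, which is what the audit trail needs to show.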

Artefacts and documentation:

  • DPO appointment and contact (for SDF, also for best practice).
  • Privacy notice (multi-language) on website / app.
  • Consent artefacts (per Data Principal per purpose).
  • Withdrawal acknowledgements.
  • Erasure confirmations.
  • Breach notification reports.
  • DPA / contracts with vendors / processors.

Processes:

  • Consent at every data collection.
  • Withdrawal handling within prescribed time.
  • Erasure request handling.
  • Breach incident response.
  • Vendor onboarding with DPA.
  • Periodic data audits.
  • DPDP compliance dashboard (internal monthly).

Logs and records:

  • Breach incident log.
  • Erasure / access request log.
  • Consent records.
  • Withdrawal / erasure records.
  • Vendor DPAs.
  • Breach incident files.

References:

  • Digital Personal Data Protection Act, 2023, available at meity.gov.in.
  • Draft DPDP Rules — check meity.gov.in for the latest version.