The financial services sector harbors a vast amount of sensitive personal data, including customer financial and behavioral information, employee details, and demographic data. This data is utilized by algorithms to make investment predictions, estimate returns, anticipate customer preferences, and mitigate risks and fraud. The Digital Personal Data Protection Act, 2023 will significantly impact the financial services sector, particularly in view of the extant and prospective regulatory changes, the presence of non-traditional actors, the sector's digital transformation, and how financial services entities such as banks, NBFCs, fintech firms, and asset management companies manage personal data. While we await the robust and comprehensive rules, let's navigate through key aspects relating to the financial sector and the critically acclaimed game-changer Act of 2023:
Reconceived Consent Architecture- The data lifecycle in financial services spans from collection to destruction, and hence, beyond the legally required appointment of a consent manager, entities may appoint a user interaction and consent collector to capture consent, a data manager for usage compliance, a context handler for new consent contexts, and a reconciliation manager for processing logs. A consent artifact, digitally signed and OTP authenticated by the customer, can be used to define data-sharing parameters while collecting consent from consumers. Data destruction occurs either upon withdrawal of consent or when the 'specified purpose is no longer being served,' as inferred under the Act. Entities must erase personal data in these cases; however, the Act does not mandate the erasure of personal data retained under other laws, such as the RBI KYC Directions of 2016. Additionally, the process for customers to withdraw consent for data processing must be as straightforward as the process for providing consent.
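The consent lifecycle described above, as an added illustration that is not part of the article: a signed, OTP-authenticated consent artifact, a data-manager check that processing is covered by an active consent, a one-step withdrawal, and an erasure decision that erases data once consent is withdrawn or the purpose lapses while retaining only categories subject to a separate legal retention obligation. The HMAC signature, the use of an expiry date as a proxy for "purpose no longer served", the retention map, the identifiers, and the dates are all constructed assumptions for the demo.

```python
"""Consent-artifact lifecycle sketch (added example; not from the article)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-in for the fiduciary's signing key. A production system
# would use an asymmetric signature with a certificate; HMAC is used here only
# so the example runs with the standard library.
SIGNING_KEY = b"demo-fiduciary-key-not-for-production"

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Simplified retention map: which data categories another law requires the
# fiduciary to keep even after consent ends (assumption for the demo).
RETENTION_OBLIGATIONS = {"kyc_identity": "RBI KYC Directions, 2016"}

# Append-only processing log, the kind a reconciliation manager would review.
PROCESSING_LOG: List[dict] = []


@dataclass
class ConsentArtifact:
    artifact_id: str
    principal_id: str
    fiduciary_id: str
    purposes: List[str]          # e.g. ["loan_underwriting"]
    data_categories: List[str]   # e.g. ["kyc_identity", "transaction_history"]
    granted_at: str              # ISO-8601, UTC
    expires_at: str              # purpose treated as "no longer served" after this
    otp_verified: bool           # customer authenticated the grant with an OTP
    signature: str = ""
    withdrawn_at: Optional[str] = None

    def canonical(self) -> bytes:
        """Canonical JSON of the signed fields, so tampering breaks the signature."""
        body = asdict(self)
        body.pop("signature")
        body.pop("withdrawn_at")  # withdrawal is recorded after signing
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(artifact: ConsentArtifact) -> ConsentArtifact:
    artifact.signature = hmac.new(SIGNING_KEY, artifact.canonical(), hashlib.sha256).hexdigest()
    return artifact


def verify(artifact: ConsentArtifact) -> bool:
    """Valid only if the OTP step happened and the signed fields are unmodified."""
    expected = hmac.new(SIGNING_KEY, artifact.canonical(), hashlib.sha256).hexdigest()
    return artifact.otp_verified and hmac.compare_digest(expected, artifact.signature)


def is_active(artifact: ConsentArtifact, now: datetime) -> bool:
    if artifact.withdrawn_at is not None:
        return False
    return now < datetime.fromisoformat(artifact.expires_at)


def withdraw(artifact: ConsentArtifact, now: datetime) -> ConsentArtifact:
    """Withdrawal is a single call, mirroring the single-step grant."""
    artifact.withdrawn_at = now.isoformat()
    return artifact


def may_process(artifact: ConsentArtifact, purpose: str, now: datetime) -> bool:
    """Data-manager check: signature valid, consent active, purpose covered."""
    allowed = verify(artifact) and is_active(artifact, now) and purpose in artifact.purposes
    PROCESSING_LOG.append({"artifact": artifact.artifact_id, "purpose": purpose,
                           "at": now.isoformat(), "allowed": allowed})
    return allowed


def erasure_decision(artifact: ConsentArtifact, now: datetime) -> Dict[str, str]:
    """Per data category: keep while consent is active; otherwise erase unless
    another law requires retention."""
    if is_active(artifact, now):
        return {c: "keep:consent_active" for c in artifact.data_categories}
    return {c: (f"retain:{RETENTION_OBLIGATIONS[c]}" if c in RETENTION_OBLIGATIONS else "erase")
            for c in artifact.data_categories}


def demo_artifact() -> ConsentArtifact:
    """Constructed sample consent for a loan application."""
    return sign(ConsentArtifact(
        artifact_id="c-001", principal_id="p-123", fiduciary_id="bank-01",
        purposes=["loan_underwriting"],
        data_categories=["kyc_identity", "transaction_history"],
        granted_at="2024-01-01T00:00:00+00:00", expires_at="2025-01-01T00:00:00+00:00",
        otp_verified=True))


if __name__ == "__main__":
    a = demo_artifact()
    print("underwriting allowed:", may_process(a, "loan_underwriting", NOW))
    print("marketing allowed:", may_process(a, "marketing", NOW))
    withdraw(a, NOW)
    print("after withdrawal:", erasure_decision(a, NOW))
```

The erasure map is what the reconciliation manager would hand to storage owners: every category not covered by a named retention obligation is erased on withdrawal or purpose expiry, and the one that is retained carries the legal basis for keeping it.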
Compliant Cross Border Data Transfer- For cross-border data transfers, sectoral regulators' requirements and protection standards override the Act. The RBI guidelines on the Storage of Payment System Data, along with subsequent clarifications, mandate that banks acting as payment system operators must store payment system data exclusively within India. Since the Act limits digital personal data transfers to specific jurisdictions, financial service entities must ensure their data processors and sub-agents comply. Entities with global offices can use content-aware protection modules for secure cross-border data sharing.
Data Fiduciary- In the case of the financial sector, all financial service providers will be classified as data fiduciaries (Significant Data Fiduciaries, in most cases), and such institutions will have to process the data of customers who seek loans, account opening et al. from them. For such institutions, it becomes imperative that they seek proper consent from users/customers at the time the latter avail financial services, after issuing proper notice to the customer detailing the data the institution intends to process.
Significant Data Fiduciaries (“SDF”)- Given the direct threat that a prospective misuse of personal data poses to citizens and to the sovereignty, national integrity and security of the country, SDFs are mandated to appoint a resident Data Protection Officer and to conduct data protection impact assessments and data audits as per the provisions of the Act. Large banks and financial institutions are likely to be classified as SDFs; however, the scope of SDFs is presently rather broad, and in order to ascertain the true ambit of SDFs, the enforcement and subsequent judicial interpretation of the provisions of the Act is awaited.
Grievance Redressal- Data Fiduciaries and SDFs, at the time of obtaining consent for data processing, are required to set out for Data Principals the procedure for filing a complaint with the Data Protection Board of India (“DPBI”) in case of any breach of data on the part of the Data Fiduciary. The Act mandates that the Data Fiduciary, in case of a breach of data, must report to the DPBI and inform the concerned Data Principals of such breach. Presently, the RBI has provided for recourse before the Ombudsman under the RBI Integrated Ombudsman Scheme. Effectively, customers of financial service institutions have two avenues of grievance redressal: one before the DPBI and another before the Ombudsman as per the directives of the RBI.
Ancillary transformative effects- In addition to the above-mentioned areas of concern, the DPDP Act is expected to have a transformative effect on various functions within the financial services sector, such as regulatory change, risk management, IT and cybersecurity, product management, customer lifecycle management, outsourcing practices with Fin-Techs and increased compliance obligations for Fin-Techs.
Conclusion
Personal and financial data is the backbone of the financial sector, and the functioning of institutions is founded upon such data. With rapidly evolving technology, access to the personal data of individuals has turned into a piece of cake, and therefore it is imperative that stringent safeguards are put in place so as to protect the privacy of the individual, which can easily be abused by the titans of the industry. The Reserve Bank of India (“RBI”) has updated the Enabling Framework for Regulatory Sandbox so as to align it with the provisions of the Digital Personal Data Protection Act, 2023, and through its Press Release dated 28th February, 2024, the RBI has highlighted that “the updated framework also requires sandbox entities to ensure compliance with provisions of the Digital Personal Data Protection Act, 2023,” marking the importance of compliance with the provisions of the DPDP Act, 2023 for financial institutions. The Digital Personal Data Protection Act, 2023 is a great step towards the protection of the privacy of individuals, and simultaneously it serves as a great business opportunity to harvest a safe and digital-first vision of Viksit Bharat.
The above article is authored by Ms. Pranshu Singh (Senior Associate Designate), Mr. Upamanyu Ganguly (Associate) and Mr. Raghav Sachdev (Assessment Intern)