DPDP Act for Indian Banks: The Board-Level Compliance Gaps RBI Alone Won't Fix
RBI compliance has never meant data protection compliance. Indian banks operate under one of the most heavily regulated data environments in the world, with overlapping mandates from RBI, SEBI, CERT-In, IRDAI, and now the Data Protection Board of India under the Digital Personal Data Protection Act, 2023. Most bank boards assume their existing regulatory posture covers the new law. It doesn't. The DPDP Act creates obligations that directly conflict with longstanding RBI requirements, and resolving those conflicts is a board-level governance problem, not an IT project.
Why Banks Face a Unique DPDP Compliance Challenge
Every Indian bank is a Data Fiduciary under the DPDP Act. That much is obvious. What's less obvious is that the DPDP Act doesn't simply add another layer on top of existing RBI compliance. It introduces requirements that sit in direct tension with rules banks have followed for years.
India reported over 16 lakh cybersecurity incidents in 2023 alone, per CERT-In's Annual Report. A significant portion of those targeted financial services. The RBI Financial Stability Report (December 2024) has repeatedly flagged cyber risk as a systemic concern for the banking sector. But until now, the regulatory response has been framed entirely through the lens of operational resilience and information security. The DPDP Act reframes data risk through a different lens entirely: individual privacy rights, consent, and the power of individuals to control how their data is used.
This creates three specific conflicts that no amount of RBI compliance can resolve:
KYC retention versus erasure rights. RBI's Master Direction on KYC (updated 2023) requires banks to maintain customer identification records for at least five years after the business relationship ends. The Prevention of Money Laundering Act (PMLA) extends certain retention obligations further. But Section 8(7) of the DPDP Act requires Data Fiduciaries to erase personal data when the purpose of processing is fulfilled or consent is withdrawn. A customer who closes their account and requests data deletion under DPDP creates an immediate legal conflict: comply with the customer's DPDP right, or comply with RBI's retention mandate?
The answer isn't ambiguous in law (legal obligations constitute "legitimate use" under Section 7 of the DPDP Act), but it's ambiguous in practice. Which specific data fields are covered by the RBI retention mandate? The account number, certainly. The customer's browsing behaviour on the mobile banking app? Almost certainly not. Between those extremes sits a vast grey zone that every bank must map, field by field, and document.
Breach notification timelines. CERT-In Directions of April 28, 2022 require reporting of cybersecurity incidents within six hours. The DPDP Rules require notification to the DPBI and affected Data Principals of personal data breaches. RBI's Cyber Security Framework for Banks (2016) has its own incident reporting expectations. A single data breach at a large bank could require three separate notifications to three different regulators, each with different formats, thresholds, and definitions of what constitutes a reportable event.
We've seen this play out in practice. A mid-size PSU bank discovers unauthorized access to a customer database on a Monday morning. The CISO's instinct is to invoke the CERT-In playbook: classify, contain, report within six hours. But the compliance head wants to assess whether personal data was actually exfiltrated before notifying the DPBI. The legal team wants to understand whether the breach is material enough to warrant customer notification. Meanwhile, three regulatory clocks are ticking at different speeds. Without a pre-built unified response protocol, the bank fumbles all three.
Consent for cross-selling. Banks routinely share customer data with group companies for insurance, mutual fund, and credit card offerings. Under existing RBI norms, much of this sharing happens under broad account-opening consent. Section 6 of the DPDP Act requires consent that is free, specific, informed, and unconditional. Bundled consent that covers both account services and marketing is almost certainly non-compliant. Every cross-selling arrangement needs a separate, granular consent mechanism.
This isn't just a legal technicality. Cross-selling revenue is material for large Indian banks. When the consent architecture changes, the economics of bancassurance and wealth management distribution change with it. Boards that don't understand this will be surprised by the P&L impact.
The banks that will struggle most with DPDP aren't the ones with weak security. They're the ones with strong RBI compliance programs that have never been stress-tested against a parallel privacy regime. We sit in board meetings where the first reaction is "we're already one of the most regulated industries in India, what more could they want?" That assumption is the biggest risk factor. — Sunil Kumar Gupta, Chairman, SARC
The Dual Compliance Matrix: Where DPDP and RBI Diverge
The table below maps the specific areas where DPDP obligations differ from, or directly conflict with, existing RBI requirements. Each row represents a real operational decision that bank compliance teams must resolve.
| Domain | RBI Requirement | DPDP Act Requirement | Conflict / Gap |
|---|---|---|---|
| Data Retention | KYC records: 5 years post-relationship (PMLA/KYC MD). Transaction records per RBI archival norms | Erase when purpose fulfilled or consent withdrawn (Section 8) | Must document legal basis for retention field-by-field; cannot ignore erasure requests without recorded justification |
| Breach Reporting | Report to RBI per Cyber Security Framework. Report to CERT-In within 6 hours | Report to DPBI and affected Data Principals per DPDP Rules | Three parallel notifications with different triggers, formats, and timelines |
| Consent | Broad account-opening consent sufficient for most processing | Free, specific, informed, unconditional consent per purpose (Section 6) | Cross-selling, analytics, and third-party sharing need separate granular consent |
| Data Localization | Payment system data must be stored in India (RBI circular, April 2018) | Cross-border transfers allowed unless government restricts specific countries (Section 16) | Payment data is stricter under RBI; non-payment customer data follows DPDP's more permissive regime |
| Third-Party Sharing | Governed by outsourcing guidelines and bilateral agreements | Data Processor must act only on Fiduciary instructions; contractual DPDP clauses mandatory | Existing vendor contracts need DPDP-specific amendments covering security, breach notification, erasure |
| Individual Rights | Limited rights under existing banking regulations | Access, correction, erasure, grievance redressal, nomination (Sections 11-14) | Banks need new infrastructure to process Data Principal rights requests within prescribed timelines |
The critical insight is that these conflicts don't resolve themselves. A bank cannot simply "comply with both" without making explicit policy decisions about which obligation applies in each scenario and documenting the rationale for each. That documentation will be the first thing the DPBI asks for during any inquiry.
Significant Data Fiduciary Designation: What Banks Must Prepare For
The Central Government has not yet published the list of Significant Data Fiduciaries. But the designation criteria under Section 10 of the DPDP Act make it virtually certain that large banks will be classified as SDFs. The criteria include volume of personal data processed, sensitivity of data, risk to Data Principal rights, and potential impact on sovereignty and integrity of India. A bank processing millions of customer accounts with financial, biometric (Aadhaar-linked), and transaction data satisfies every criterion.
Industry observers expect SDF designations to be announced in mid-2027, but the January 2026 MeitY stakeholder consultation discussed accelerating the timeline. Banks that wait for the notification before preparing will be operationally non-compliant from day one.
SDF designation triggers four additional obligations:
Data Protection Officer (DPO). SDFs must appoint a DPO based in India who reports to the board or senior management. This cannot be the CISO wearing a second hat. We see this conversation happen at every bank we advise: "Can't Sharma handle this? He already does security." The answer is no. The DPO role requires independence from business functions, which means the individual cannot be responsible for marketing, sales, or revenue-generating activities. The CISO's priorities (threat response, infrastructure hardening, vendor risk) differ from the DPO's priorities (privacy rights, consent management, data minimization). Banks should identify and appoint the DPO before designation, not after, because finding a qualified individual with both legal and technical credibility takes time.
Data Protection Impact Assessment (DPIA). SDFs must conduct DPIAs for new processing activities and significant changes to existing processing. For banks, this means every new digital product launch, every AI-driven credit scoring model, every fintech partnership needs a formal privacy impact assessment before going live. The banks that build DPIA into their existing product approval committee process will absorb this smoothly. Those that create a separate DPIA workflow will generate bottlenecks and resentment from product teams who already deal with four committee approvals before launching anything.
Independent Data Audit. SDFs must undergo periodic audits by DPBI-registered auditors. This is distinct from the statutory audit, the IS audit, and the RBI compliance audit. It's a privacy-specific audit covering consent practices, data processing activities, security safeguards, and breach preparedness. Banks should expect this to become annual. The auditor must be independent of the bank's existing audit firms to avoid conflicts.
Algorithmic Accountability. The DPDP Rules require SDFs to verify that their technical measures, including algorithmic software, do not pose a risk to Data Principal rights. For banks using AI in credit decisioning, fraud detection, or customer segmentation, this means documenting model fairness, explainability, and bias testing. The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices already touches model risk management, but the DPDP Act extends the obligation from operational risk to individual rights. A credit scoring model that works well statistically but disproportionately disadvantages a specific demographic group now carries privacy risk in addition to business risk.
The Three Gaps Most Indian Banks Haven't Addressed
Gap 1: No unified breach response across regulators
Most banks have incident response plans aligned to CERT-In's six-hour reporting requirement. Few have integrated DPBI notification into the same playbook. Fewer still have mapped which incidents trigger which notifications.
Consider a concrete scenario. An NBFC discovers that a third-party vendor's poorly secured API exposed 200,000 customer loan records, including names, PANs, and loan amounts. Is this reportable to CERT-In? Yes, unauthorized access to a computer system is a listed incident type. To the DPBI? Yes, personal data of identifiable individuals has been potentially compromised. To RBI? Depends on whether the NBFC classifies this as a material cybersecurity incident under its own internal thresholds.
Three regulators, three definitions of "reportable," three notification formats, three sets of follow-up expectations. Banks need a single incident response matrix that maps every breach type to every applicable notification requirement, with pre-drafted templates for each.
Gap 2: Consent architecture doesn't exist for legacy systems
Core banking systems were not designed for granular consent management. Customer onboarding flows collect broad consent through paper forms or single digital checkpoints. Retrofitting purpose-specific, withdrawable consent into a core banking system deployed in 2010 is not a configuration change. It requires middleware, consent management platforms, and integration with customer-facing channels.
The real friction is internal politics. The IT team says, "We can't touch the CBS without a 6-month change request cycle." The product team says, "Don't add steps to onboarding, we'll lose customers." The compliance team says, "We need this by November 2026." These competing priorities don't resolve without executive sponsorship and a clear board mandate. Banks that haven't started this work are already behind; the November 2026 Consent Manager framework deadline will force the issue.
Gap 3: Fintech processor agreements lack DPDP clauses
Indian banks now partner with dozens of fintech companies for everything from payment processing to customer engagement to credit underwriting. Under the DPDP Act, these fintechs are Data Processors acting on the bank's instructions. The bank, as Data Fiduciary, remains primarily liable for any processing failures by its fintechs.
Most existing fintech agreements were drafted before the DPDP Act. They don't include DPDP-specific obligations around security safeguards, breach notification to the bank within defined timescales, Data Principal rights fulfilment, or data erasure upon contract termination. We've reviewed fintech agreements for several banking clients where the data processing addendum is either absent, copied from a GDPR template (which doesn't align with DPDP's consent and legitimate use structure), or limited to a single paragraph of vague assurances. Every fintech contract needs review and amendment, and the bank should maintain a register of which fintechs process what categories of personal data.
What Bank Boards Should Be Asking Right Now
This isn't a compliance department problem. The DPDP Act's penalty structure, with fines up to ₹250 crore for security safeguard failures (Schedule, item 1) and ₹200 crore for breach notification failures (Schedule, item 2), makes data protection a board-level financial risk. Combined with RBI's own penalty powers, a single data breach at a large Indian bank could trigger cumulative regulatory exposure across multiple regulators.
The conversation at the board table needs to shift from "is IT handling this?" to five specific questions:
Where most boards get stuck is question one: do we have a documented position on every DPDP-RBI conflict? Where the two requirements diverge, the compliance team needs a written rationale for which obligation applies in each scenario. The DPBI will ask for this documentation during any inquiry, and "we follow RBI" isn't an answer the DPBI will accept.
The second question that separates prepared banks from unprepared ones: are we building for SDF designation or waiting for the notification? DPO appointment, DPIA processes, and audit readiness take months to build. Starting after designation means operating non-compliantly from day one, which is precisely the wrong posture when a new regulator is establishing its enforcement priorities.
Third: have we reviewed every fintech and vendor agreement for DPDP clauses? The bank is liable for processor failures. Verbal assurances don't satisfy the Act.
Fourth: can we fulfil a Data Principal rights request within prescribed timelines? A customer requesting access to all personal data held by the bank, or requesting deletion of non-mandatory data, needs a response within DPDP Rules timelines. Can the bank's current systems deliver this across core banking, CRM, analytics, and partner systems?
Fifth: is our breach response playbook unified across CERT-In, DPBI, and RBI? A fragmented response to a major breach compounds the regulatory fallout and destroys whatever goodwill the bank might have had with each regulator.
Board members don't need to understand every section of the DPDP Act. But they need to understand one thing: RBI compliance and DPDP compliance are parallel obligations with different regulators, different penalties, and different expectations. The bank that treats DPDP as a subset of RBI compliance will be the case study that everyone else learns from. — SARC Cybersecurity & Data Protection Practice
Frequently Asked Questions
Does RBI compliance automatically satisfy DPDP requirements? No. RBI governs how banks secure and manage financial data within the banking regulatory framework. The DPDP Act governs how banks collect, process, and delete personal data with specific consent, individual rights, and breach notification obligations that go beyond anything RBI mandates. The two frameworks overlap on security safeguards but diverge significantly on consent architecture, individual rights infrastructure, and data erasure. Treating DPDP as a subset of RBI compliance is the most common and most expensive mistake we see.
Will all banks be designated as Significant Data Fiduciaries? The SDF list hasn't been published yet. But the designation criteria under Section 10, particularly volume and sensitivity of data, make it highly likely that all scheduled commercial banks, major NBFCs, and large insurance companies will receive SDF designation. Cooperative banks and smaller NBFCs may fall outside the threshold, but this remains uncertain until the notification. Banks should prepare for designation rather than hope for exemption.
How do we handle customer deletion requests when RBI requires data retention? Document the legal basis, field by field. When a customer requests erasure but the bank must retain certain records under PMLA or RBI KYC norms: inform the customer of the specific legal basis for continued retention, delete any data not covered by the legal mandate (browsing behaviour, marketing preferences, app usage analytics), and maintain an auditable record of the decision. The DPDP Act recognizes processing required by law as "legitimate use" under Section 7, but the burden of proving which specific data fields fall under which legal mandate rests with the bank.
Should our CISO also serve as DPO? We advise against it. The DPDP Act requires the DPO to be independent of business functions. While there's no explicit prohibition, the practical conflict is significant. The CISO defends the perimeter and manages threats; the DPO ensures the bank respects individual privacy rights, even when doing so creates friction with business objectives. These priorities conflict regularly, and one person cannot effectively advocate for both. Banks with the scale to justify SDF designation should treat the DPO as a distinct senior role.
What's the realistic timeline for building DPDP compliance in a bank? This depends on current privacy maturity. Banks with modern core banking systems and existing data governance can build compliant infrastructure in 9 to 12 months. Banks running legacy platforms with paper-based consent should plan for 14 to 18 months, which means starting immediately given the May 2027 deadline. The November 2026 Consent Manager deadline creates an even earlier pressure point for consent infrastructure.
SARC's BFSI Data Protection Practice combines 40+ years of banking regulatory expertise with deep DPDP Act knowledge. From dual-compliance gap assessments to SDF readiness programs, consent architecture design, and board-level risk briefings, we help banks turn regulatory complexity into operational clarity. Contact SARC's Risk & Compliance team to schedule a DPDP readiness assessment for your institution.
Our advisory team is ready to help.
