The Banking, Financial Services, and Insurance (BFSI) sector processes some of the most sensitive categories of personal data, including identity documents, financial and transaction records, credit histories, medical information, and biometric identifiers. In India, safeguarding this data is no longer limited to internal risk management or IT policies. Data protection in BFSI is now a statutory obligation governed by multiple laws and regulatory authorities. Any lapse in data handling, such as unauthorised access, excessive data collection, or delayed breach response, can result in regulatory penalties, customer litigation, loss of trust, and serious operational disruption. As a result, data protection has become a critical compliance and risk management function for BFSI entities.
Privacy compliance in the BFSI sector follows a layered regulatory framework. The Digital Personal Data Protection Act, 2023 serves as the central legislation governing personal data processing, while sector-specific regulators such as the Reserve Bank of India, Securities and Exchange Board of India, and Insurance Regulatory and Development Authority of India impose additional data governance and security requirements. These are further reinforced by cyber incident reporting obligations and identity-specific laws. Collectively, these frameworks elevate data protection from an operational concern to a board-level governance responsibility, requiring strategic oversight, accountability, and continuous compliance monitoring.
In this article, CA Manish Mishra talks about Data Protection & Privacy Laws for BFSI.
Digital Personal Data Protection Act, 2023 (DPDP Act)
Applicability to BFSI Entities
The Digital Personal Data Protection Act, 2023 applies to all digital personal data processed within India, as well as to processing carried out outside India where such processing is connected with offering goods or services to individuals in India. Given the nature of their operations, BFSI institutions such as banks, NBFCs, fintech companies, insurers, asset managers, and payment service providers typically function as Data Fiduciaries under the Act. This is because they determine both the purpose and the means of processing personal data across activities such as account opening, KYC, lending, payments, claims processing, underwriting, and investment services. As Data Fiduciaries, BFSI entities bear primary legal responsibility for lawful and secure data handling.
Lawful Grounds for Processing
Under the DPDP Act, personal data can be processed only on lawful grounds. The most common ground in the BFSI sector is the valid consent of the individual, which must be free, specific, informed, and capable of being withdrawn. In certain situations, processing may also be carried out based on legitimate uses permitted by law, such as compliance with regulatory requirements, prevention of fraud, or fulfilment of statutory obligations. BFSI entities are required to clearly define and communicate the purpose of data collection and must avoid collecting or processing data that is excessive, unrelated, or unnecessary for the stated purpose.
Core Compliance Obligations
The DPDP Act imposes several core compliance obligations on BFSI entities. These include providing clear and accessible privacy notices to customers, ensuring that personal data is used strictly for stated and lawful purposes, and retaining data only for periods required by law or business necessity. BFSI institutions must also implement reasonable security safeguards to protect data against unauthorised access, breaches, or misuse. In the event of a data breach, they are required to notify the relevant authority and affected individuals in a timely manner. Collectively, these obligations demand strong governance, robust IT controls, and continuous compliance oversight within BFSI organisations.
Rights of Individuals and Fiduciary Accountability
Rights of Data Principals
The Digital Personal Data Protection Act, 2023 grants individuals, referred to as Data Principals, enforceable rights over their personal data. Customers have the right to seek information about the personal data held by a BFSI entity and how it is being processed. They may request correction or erasure of inaccurate or outdated data, withdraw consent where processing is consent-based, and raise grievances in case of misuse or non-compliance. BFSI entities are required to establish effective and accessible grievance redressal mechanisms to handle these requests in a timely and transparent manner. Failure to respond appropriately to data principal rights can expose institutions to regulatory action and reputational harm.
Significant Data Fiduciary (SDF) Considerations
Large BFSI institutions that process significant volumes of sensitive personal data or pose higher risks to individuals may be notified as Significant Data Fiduciaries. Such designation brings higher accountability standards, including enhanced governance structures, stronger risk management practices, and closer regulatory scrutiny. BFSI entities falling within this category must demonstrate robust internal controls, oversight, and compliance readiness to meet elevated regulatory expectations.
Penalty Exposure
Non-compliance with data protection obligations, especially failures related to reasonable security safeguards and timely breach reporting, can attract substantial monetary penalties. For BFSI entities, these penalties represent a material financial and operational risk, reinforcing the need to treat data protection as a critical compliance and governance priority.
Digital Personal Data Protection Rules, 2025
Purpose of the Rules
The Digital Personal Data Protection Rules, 2025 have been introduced to operationalise the provisions of the Digital Personal Data Protection Act, 2023 and provide clarity on its practical implementation. The Rules lay down detailed procedures for managing consent, including how consent is obtained, recorded, and withdrawn by individuals. They also prescribe the format and content of privacy notices to ensure transparency, specify mechanisms for grievance redressal, and outline requirements for data retention and deletion. For BFSI entities, these procedural standards are critical in translating legal principles into actionable compliance measures.
BFSI Compliance Impact
The DPDP Rules, 2025 have a direct and significant impact on BFSI compliance frameworks. BFSI institutions must align their internal policies, digital platforms, customer onboarding journeys, and data processing systems with the requirements of these Rules. Vendor and outsourcing contracts must also be updated to reflect DPDP obligations, ensuring that third parties handling personal data follow the same standards. Without such alignment, DPDP compliance remains theoretical, exposing BFSI entities to regulatory risk and enforcement action.
Continued Relevance of IT Act and SPDI Rules
Legacy Compliance Framework
Before the enactment of the Digital Personal Data Protection Act, 2023, data protection in the BFSI sector was primarily governed by the Information Technology Act, 2000 and the Sensitive Personal Data or Information (SPDI) Rules, 2011. These rules regulated the collection, storage, processing, and disclosure of sensitive personal data, including financial information, medical and health records, and biometric data. BFSI entities were required to maintain privacy policies, obtain consent for data collection, implement reasonable security practices, and appoint grievance officers. For many institutions, these frameworks formed the foundation of their data protection and information security programs.
Transition to DPDP
Although the DPDP Act has now become the primary legislation for personal data protection in India, the controls and practices developed under the IT Act and SPDI Rules continue to hold practical relevance. Many SPDI-based measures, such as security safeguards, access controls, and grievance mechanisms, align closely with DPDP principles and are being integrated into updated privacy frameworks. BFSI entities must therefore transition carefully, ensuring continuity of compliance while upgrading existing systems and policies to fully meet DPDP requirements.
Cyber Incident Reporting and CERT-In Compliance
Incident Reporting Obligations
In the BFSI sector, data breaches and system intrusions are often classified as cyber incidents requiring mandatory reporting. Cyber incident reporting obligations impose strict timelines for notifying the designated authority once an incident is detected or brought to the entity’s notice. This makes breach response a time-sensitive and high-risk compliance activity. Delayed or incomplete reporting can lead to regulatory action and increased scrutiny. BFSI institutions must therefore maintain well-defined incident response frameworks that enable rapid identification, assessment, and escalation of cyber incidents alongside internal legal and compliance review.
Log Retention and Forensics
BFSI entities are also required to maintain detailed system and security logs for a prescribed period and produce them upon request by regulatory or investigative authorities. These logs form the backbone of forensic analysis and help establish the sequence of events during a cyber incident. Proper log retention reinforces audit readiness, supports regulatory investigations, and enables BFSI institutions to demonstrate compliance with security and reporting obligations.
RBI Regulations Affecting BFSI Privacy
Data Localisation in Payments
RBI regulations require that payment system data relating to domestic transactions be stored within India. This requirement has a significant impact on how BFSI entities design their technology architecture and manage data flows. Payment service providers must structure cloud infrastructure to ensure local data storage, carefully manage any cross-border data processing, and exercise heightened control over vendors and outsourcing partners. Non-compliance with data localisation norms can attract regulatory action and disrupt payment operations, making localisation a key privacy and compliance consideration.
KYC and Identity Data Governance
RBI’s KYC framework mandates the collection, verification, and retention of customer identity information to prevent money laundering and terrorist financing. While these obligations are legally mandatory, BFSI entities must still adhere to privacy principles such as data minimisation and purpose limitation. This requires collecting only necessary information, securing identity data, restricting access, and retaining records strictly for prescribed periods. Balancing regulatory compliance with privacy protection is a critical challenge in KYC data governance.
IT Governance and Cyber Security
RBI places strong emphasis on IT governance and cyber security for regulated entities. Institutions are expected to maintain robust internal controls, strict access restrictions, effective audit mechanisms, and regular board-level oversight of technology and data risks. These governance requirements directly support privacy compliance by ensuring accountability, preventing unauthorised access, and maintaining data integrity across BFSI operations.
Digital Lending and Fintech Data Restrictions
Consent and Data Access Controls
Digital lending platforms and fintech companies operate in highly data-driven environments, making strict data access controls essential. Regulators require such platforms to collect only data that is necessary for the specific purpose of lending or financial service delivery. Explicit and meaningful consent must be obtained from customers before accessing or processing their personal data, with clear disclosure of how the data will be used. Digital lenders are also prohibited from accessing excessive device or behavioural data, such as contact lists, media files, or unrelated app information, as such practices violate privacy principles and regulatory expectations.
Third-Party and App Governance
Fintech ecosystems often rely on third-party service providers and technology partners. Data sharing with lending service providers must therefore be carefully controlled and fully transparent. BFSI entities are required to regulate such data flows through clear contractual arrangements that define permissible data usage, security standards, and accountability. Effective third-party governance ensures that customer data remains protected throughout the digital lending value chain and reduces the risk of misuse or regulatory breaches.
SEBI’s Cyber and Privacy Expectations
Securities Market Data Risks
SEBI-regulated entities such as stock brokers, asset management companies, depositories, registrars, and market intermediaries handle highly sensitive investor data, including KYC records, trading activity, portfolio information, and financial disclosures. Any compromise of this data can undermine market integrity, investor confidence, and regulatory trust. As a result, SEBI places strong emphasis on maintaining confidentiality, integrity, and availability of securities market data across all regulated entities.
Cyber Resilience and Governance
To address these risks, SEBI mandates a comprehensive cyber resilience and governance framework. Regulated entities are expected to implement continuous system monitoring to detect threats in real time, maintain incident response mechanisms to manage cyber events effectively, and enforce secure access controls to prevent unauthorised data usage. Regular audits, vulnerability assessments, and strong governance oversight are also required to ensure ongoing compliance and accountability. These measures collectively strengthen data protection and privacy across the securities market ecosystem.
IRDAI Guidelines for Insurance Data Protection
Sensitivity of Insurance Data
Insurance companies handle some of the most sensitive categories of personal data within the BFSI sector. This includes medical and health records of policyholders, detailed claims information, beneficiary and nominee details, and risk profiling data used for underwriting and pricing. Misuse or unauthorised disclosure of such data can cause significant harm to individuals and expose insurers to legal, regulatory, and reputational risks. Consequently, insurance data requires a higher level of protection compared to routine financial information.
Governance and Security Expectations
IRDAI mandates insurers to implement strong governance and security frameworks to safeguard policyholder data. These requirements include the adoption of enterprise-wide information security policies, periodic risk assessments to identify vulnerabilities, and well-defined incident response frameworks to manage data breaches or cyber incidents. IRDAI also emphasises board-level oversight of information security and data protection, ensuring accountability at the highest level of management and reinforcing privacy as a core governance responsibility.
Aadhaar and Identity Data Restrictions
Special Legal Protection
Aadhaar-based authentication and electronic Know Your Customer (e-KYC) processes are governed by a distinct legal framework that imposes strict statutory restrictions on the collection, storage, use, and sharing of Aadhaar data. This framework places heightened protection on identity information, particularly biometric data, and permits its use only for specifically authorised purposes and through prescribed methods. Any deviation from these statutory conditions can result in serious regulatory consequences.
Compliance Implications for BFSI
For BFSI entities, Aadhaar handling represents a high-risk compliance area. Even where a customer provides valid consent under general privacy law, such consent does not override Aadhaar-specific legal prohibitions. Institutions must therefore ensure that Aadhaar data is accessed, processed, and stored strictly within permitted limits, with robust controls over vendor access and system usage. Failure to adhere to Aadhaar-specific restrictions can lead to enforcement action, penalties, and loss of regulatory trust.
Building a BFSI-Grade Data Protection Framework
Governance Layer
A strong data protection framework in the BFSI sector begins with robust governance. Board oversight and accountability are essential to ensure that privacy and data protection risks are recognised as strategic risks rather than purely operational issues. BFSI entities must clearly define leadership roles for privacy and information security, ensuring coordination between legal, compliance, IT, and risk functions. Regular risk assessments should be conducted to identify emerging threats, regulatory gaps, and control weaknesses, enabling timely corrective action and continuous improvement.
Technology Layer
Technology controls form the backbone of data protection in BFSI organisations. Encryption and strict access controls help prevent unauthorised use of personal data, while continuous monitoring and logging support early detection of suspicious activity. Data loss prevention tools reduce the risk of accidental or malicious data leakage, and secure system design ensures that privacy and security are embedded into applications and platforms from the outset. These measures collectively strengthen resilience against cyber threats and data breaches.
Documentation Layer
Effective documentation is critical for demonstrating compliance. BFSI entities must maintain clear privacy notices and accurate consent records to evidence lawful data processing. Vendor and outsourcing agreements should clearly define data protection responsibilities and security standards. In addition, well-documented breach response and escalation plans, along with audit-ready compliance records, enable organisations to respond confidently to regulatory reviews, audits, and investigations.
Conclusion
Data protection in the BFSI sector has evolved into a converged regulatory framework shaped by privacy law, cyber security obligations, and continuous supervision by sectoral regulators. Compliance is no longer achieved merely through policy documentation or contractual clauses. Instead, regulators now expect BFSI institutions to demonstrate active governance, strong internal controls, and technological resilience in the way personal and financial data is collected, processed, stored, and shared. Privacy risks are closely linked with operational, reputational, and financial risks, making data protection a critical component of enterprise-wide risk management rather than a standalone legal function.
To meet these expectations, BFSI institutions must embed privacy into their operational and governance DNA. This includes board-level oversight, accountability of senior management, secure system design, disciplined vendor governance, and audit-ready compliance records. Institutions that proactively integrate privacy principles into daily operations are better positioned to manage regulatory risk, prevent data breaches, and respond effectively to supervisory scrutiny. More importantly, such institutions build long-term customer trust and resilience, enabling sustainable growth in India’s rapidly expanding digital financial ecosystem.
Frequently Asked Questions (FAQs)
Q1. Why are data protection laws especially important for the BFSI sector?
Ans. The BFSI sector handles highly sensitive personal and financial data such as identity documents, transaction details, credit information, and health records. Any misuse or breach of this data can cause financial loss, identity theft, and reputational damage, making strict data protection legally and operationally critical.
Q2. Which is the primary data protection law applicable to BFSI in India?
Ans. The Digital Personal Data Protection Act, 2023 is the primary law governing digital personal data in India. BFSI entities are generally classified as Data Fiduciaries under this Act and must comply with its consent, security, and accountability requirements.
Q3. Are BFSI entities required to take customer consent for data processing?
Ans. Yes. In most cases, BFSI entities must obtain free, informed, and specific consent from customers before processing personal data. However, certain processing may be permitted without consent where required by law, such as for regulatory compliance or fraud prevention.
Q4. What rights do customers have under data protection laws?
Ans. Customers have the right to access their personal data, request correction or erasure of inaccurate data, withdraw consent, and raise grievances. BFSI entities must have functional mechanisms to respond to these rights promptly.
Q5. What is a Significant Data Fiduciary (SDF) and how does it affect BFSI institutions?
Ans. Large BFSI institutions processing high volumes of sensitive personal data may be designated as Significant Data Fiduciaries. Such entities face higher compliance expectations, enhanced governance requirements, and increased regulatory scrutiny.
Q6. How do RBI regulations impact data privacy in BFSI?
Ans. RBI regulations affect privacy through requirements such as payment data localisation, strict KYC data governance, IT and cyber security controls, and board-level oversight. These regulations reinforce privacy-by-design and accountability in regulated entities.
Q7. Are fintech and digital lending platforms subject to stricter data rules?
Ans. Yes. Digital lending and fintech platforms must collect only necessary data, obtain explicit consent, and avoid accessing excessive device or behavioural data. Data sharing with third parties must be transparent and contractually regulated.
Q8. What are the data protection obligations for insurers under IRDAI guidelines?
Ans. Insurers must protect highly sensitive data such as medical records and claims information by implementing enterprise-wide security policies, conducting risk assessments, maintaining incident response frameworks, and ensuring board-level oversight.
Q9. Is Aadhaar data treated differently under privacy laws?
Ans. Yes. Aadhaar data is subject to special statutory restrictions. Even valid consent under general privacy law does not override Aadhaar-specific prohibitions, making Aadhaar handling a high-risk compliance area for BFSI entities.
Q10. What happens if a BFSI entity fails to comply with data protection laws?
Ans. Non-compliance can result in heavy monetary penalties, regulatory action, audits, customer litigation, reputational damage, and operational restrictions. This makes data protection a material financial and governance risk for BFSI institutions.