Infosek

DPDP Act 2023: What Fintechs and SaaS Companies Must Do Now

India's Digital Personal Data Protection Act 2023 (DPDP Act) is now law. While the rules are still being finalised, the obligations are clear enough for fintechs and SaaS companies to start building compliance frameworks now. Waiting for the rules is not a strategy.

Infosek Team

3 May, 2025
Tags: DPDP Act 2023, Fintech, SaaS, Compliance

What Is the DPDP Act?

The Digital Personal Data Protection Act 2023 is India's comprehensive data protection legislation. It was enacted by Parliament and received Presidential assent in August 2023. The Act establishes the rights of individuals (Data Principals) regarding their personal data and the obligations of organisations that collect and process it (Data Fiduciaries and Data Processors). The Act applies to processing of digital personal data within India, and also to processing outside India where the personal data of Indian residents is involved.

Data Fiduciary vs Data Processor: What Are You?

This distinction is critical and often confused:

  • Data Fiduciary: Any entity that alone or in conjunction with others determines the purpose and means of processing personal data. If you decide what data to collect, why to collect it, and what to do with it — you are a Data Fiduciary. Most fintechs with direct customer relationships are Data Fiduciaries.
  • Data Processor: An entity that processes personal data on behalf of a Data Fiduciary. SaaS companies that process data for their clients (the Data Fiduciaries) are typically Data Processors. Data Processors have fewer direct obligations under the Act but must operate under a contract with the Data Fiduciary that protects the data.
  • Significant Data Fiduciary (SDF): The DPDP Act introduces SDFs — fiduciaries that process large volumes of sensitive data or data with national security implications. SDFs face enhanced obligations, including mandatory Data Protection Officers and data protection impact assessments.

Consent Management Requirements

The DPDP Act is built around informed, freely given, specific, and unambiguous consent. For fintechs, this is operationally significant:

  • Consent must be obtained before processing personal data (except for certain specified legitimate uses)
  • Consent must be granular — bundled consents for unrelated purposes are not compliant
  • Data Principals must be able to withdraw consent as easily as they gave it
  • A consent artefact must be maintained showing what consent was given, when, and for what purpose
  • If consent is withdrawn, the Data Fiduciary must stop processing and delete the data (unless another legal basis exists)

Purpose Limitation and Data Minimisation

Two core DPDP principles that fintechs frequently underestimate:

  • Purpose limitation: Data collected for one purpose cannot be used for another without fresh consent. If you collect KYC data for loan applications, you cannot use it for marketing a new insurance product without a separate consent.
  • Data minimisation: Collect only the data that is necessary for the stated purpose. Broad data collection "just in case it's useful later" is not compliant.
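As an added illustration (not code from the post, and not prescribed by the Act), the following Python sketch models the consent requirements above together with the purpose-limitation rule: one consent record per purpose, a timestamped artefact recording which privacy notice was shown, withdrawal that triggers deletion for that purpose, and a check that refuses processing under a purpose the Data Principal never consented to. Class and purpose names such as `ConsentLedger`, `kyc_loan_application` and `insurance_marketing` are assumptions chosen for the KYC-versus-insurance example in the text.

```python
# Added example: minimal consent ledger for DPDP-style consent management.
# Names and purposes are illustrative assumptions, not from the Act or any library.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str          # one specific purpose, never a bundle
    given: bool           # True = consent given, False = consent withdrawn
    at: datetime          # when the event happened (UTC)
    notice_version: str   # which privacy notice the Data Principal saw


class ConsentLedger:
    """Append-only consent artefact, keyed by Data Principal."""

    def __init__(self, on_withdraw: Optional[Callable[[str, str], None]] = None):
        self._events: Dict[str, List[ConsentEvent]] = {}
        self._on_withdraw = on_withdraw   # hook to delete data held for a purpose

    def record(self, principal_id: str, purposes: List[str], notice_version: str,
               now: Optional[datetime] = None) -> None:
        # Granular consent: each purpose is its own event, so it can be withdrawn alone.
        now = now or datetime.now(timezone.utc)
        for purpose in purposes:
            self._events.setdefault(principal_id, []).append(
                ConsentEvent(purpose, True, now, notice_version))

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        # Withdrawal is recorded, never erased, and triggers deletion for that purpose.
        now = now or datetime.now(timezone.utc)
        self._events.setdefault(principal_id, []).append(
            ConsentEvent(purpose, False, now, "n/a"))
        if self._on_withdraw:
            self._on_withdraw(principal_id, purpose)

    def may_process(self, principal_id: str, purpose: str) -> bool:
        # Purpose limitation: only the latest event for this exact purpose counts;
        # consent for KYC says nothing about consent for marketing.
        for event in reversed(self._events.get(principal_id, [])):
            if event.purpose == purpose:
                return event.given
        return False   # no artefact for this purpose means no processing

    def artefact(self, principal_id: str) -> List[tuple]:
        # What was consented, when, and under which notice, in order.
        return [(e.purpose, e.given, e.at.isoformat(), e.notice_version)
                for e in self._events.get(principal_id, [])]
```

The deletion hook is where a real system would erase or anonymise the data collected for the withdrawn purpose, unless another legal basis for keeping it exists.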

Children's Data Rules for Fintechs

The DPDP Act has strict provisions for processing the data of children (under 18). Before processing a child's data, a Data Fiduciary must obtain verifiable parental consent. Fintechs with consumer-facing apps must implement age verification. Behavioural monitoring of children and targeted advertising to them are prohibited. This is a practical challenge for fintechs — particularly those with general consumer apps that minors might access.

Cross-Border Data Transfer Restrictions

The DPDP Act allows the central government to specify countries or territories to which personal data transfer is restricted. Until such restrictions are notified, transfers to most jurisdictions remain possible — but Data Fiduciaries should ensure their data transfer agreements are DPDP-compliant and that any contractual arrangements with overseas processors are updated.

Security Safeguards Required

The DPDP Act requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. While the Act does not prescribe specific controls, aligning with ISO 27001 is widely accepted as demonstrating reasonable safeguards. Practically, this means:

  • Encryption of personal data at rest and in transit
  • Access controls limiting who can access personal data
  • Regular security testing (VAPT)
  • Incident response procedures for data breaches
  • Data retention and deletion policies with enforcement mechanisms

Data Breach Notification Timeline

In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board and affected Data Principals. The notification timeline will be specified in the rules — early indications from the draft rules suggest a 72-hour notification window to the Board (similar to GDPR), with affected individual notification following. This means having a breach response SOP in place before a breach occurs is essential.

Penalties: What Is at Stake?

The DPDP Act prescribes significant financial penalties for non-compliance, enforced by the Data Protection Board:

  • Up to ₹250 crore for failure to implement adequate security safeguards resulting in a data breach
  • Up to ₹200 crore for failure to notify the Board or Data Principals of a breach
  • Up to ₹200 crore for processing children's data in violation of the Act
  • Up to ₹50 crore for failure to maintain the accuracy of data
  • Additional penalties for repeat violations or non-cooperation with the Board

The DPDP Act is not the GDPR. It is India's own framework, designed for Indian realities. Importing GDPR compliance frameworks wholesale may leave significant gaps — particularly around consent architecture, data localisation, and the role of the Data Protection Board.

Infosek Team

What Fintechs Must Do Now

  • Consent framework: Audit all consent collection touchpoints — app sign-up, KYC, marketing — and redesign them for DPDP compliance
  • Privacy notice: Update your privacy policy to meet DPDP requirements (clear, simple, accessible)
  • Data inventory: Map all personal data you collect, process, store, and share. You cannot protect what you have not inventoried.
  • Vendor agreements: Update all data processing agreements with third parties (payment processors, cloud providers, LSPs) to include DPDP-compliant clauses
  • Breach SOP: Build and test a personal data breach response procedure, including notification to the Data Protection Board
  • Children's data: If your platform might be accessed by under-18s, implement age verification and parental consent mechanisms
  • Data minimisation audit: Review current data collection practices and eliminate fields that cannot be justified by a specific processing purpose

Get your DPDP readiness assessment today.

Infosek conducts a structured DPDP readiness assessment covering consent architecture, data mapping, vendor agreements, and security controls — delivering a gap report and implementation roadmap. Book a free 30-minute assessment to get started.
