Clipped from: https://www.thehindubusinessline.com/opinion/data-protection-by-banks/article70350456.ece
The DPDP Act requires them to strengthen systems
With the recent implementation of the Digital Personal Data Protection Rules 2025 (DPR25), the DPDP Act 2023 (DPA23) has now come into force. Despite a 12-18-month transition period, banks acting as data fiduciaries (DFs) will need to align their data management systems to protect their extensive customer data. Otherwise, the significant penalties outlined in the punitive measures could heighten operational risks and potentially breach public trust.
With over 300 crore deposit accounts and 32 crore loan accounts, banks, as DFs, are the repositories of huge digital personal data. They also handle a large volume of highly sensitive customer data — such as KYC details, AML checks, account activity, credit reports, borrower ratings, transaction and credit histories, and more — while managing multiple data storage centres and processing activities.
Though banks are accustomed to protecting data as part of their fiduciary responsibility to maintain confidentiality, the added responsibilities and data sensitivities under DPR25 call for strengthening and revamping data management practices. As a result, internal systemic controls must be strengthened to ensure compliance at every stage.
The strategies
Banks should establish a cross-functional internal data protection team to oversee compliance, investigate breaches, and ensure corrective actions are taken. This team should serve as the primary contact for policy-making and developing the resources necessary for data management within the bank to uphold the rights granted under the DPA23 and maintain trust in the system.
Strong data protection guarantees should be included in service-level agreements with vendors, and stricter penalties should be enforced for violations. The privacy of contracts between banks and data processors must be robust to manage the risks of data leakage better.
Banks should therefore develop not only policies and procedures but also establish clear standard operating procedures (SOPs) to create a robust system for protecting personal data in a rapidly growing digital environment.
Banks should enforce consent and transparency, security safeguards, and accountability. Compliance with DPR25 involves multiple departments, is complex, and depends on a timeline. Therefore, the core implementation team should ensure that the essential infrastructure, trained personnel, systems, and processes are integrated with the data management systems.
The effectiveness of systemic controls should be evaluated through simulated scenarios to identify weaknesses and gaps observed during testing. The monitoring and control systems need to be connected to data hubs to deliver prompt alerts to relevant authorities, enabling them to respond, guide, and resolve issues.
The track record over the past five years reveals several significant data leaks or incidents of data theft or breach, even in major banks with stronger internal controls. RBI imposed penalties and, in some cases, non-monetary restrictions that barred the onboarding of new customers. DFs should consider the significant financial penalties for non-compliance. The maximum penalty of up to ₹250 crore applies if a DF fails to implement reasonable security measures. Since banks hold accounts for minors, there is a risk of minors’ data being misused.
Any other breach of the Act or Rules by a DF may lead to penalties of up to ₹50 crore. Better coordination with the Data Protection Board will be necessary to seek guidance on addressing risks. Training and sensitisation of staff across the organisation on DPR25 and its implications should be conducted regularly. Customer education on data protection will be equally important, given the increasing number of digitally driven self-service kiosks and apps in use.
The writer is Adjunct Professor, Institute of Insurance and Risk Management, Hyderabad. Views are personal
Published on December 3, 2025