
India’s Digital Personal Data Protection Rules, 2025, mark a decisive shift in how personal data must be handled across the economy.
The DPDP Act, 2023, set out principles and rights; the 2025 rules convert them into actionable obligations that affect systems, processes, contracts, and customer interactions.
Before getting to them, let’s first understand some basics of the DPDP Act, 2023, which will help us understand these rules better.
The law applies broadly to four main stakeholders:
Data Principals
Individuals to whom the personal data pertains. For example, a bank customer is a data principal.
Data Fiduciaries
Entities that process personal data. Examples include banks, NBFCs, telecom companies, social media platforms, and businesses of all sizes. The burden of proving compliance lies with Data Fiduciaries.
Consent Manager
A registered entity that provides a digital platform enabling individuals to give, manage, review, and withdraw consent for data processing. It does not access the data itself.
Examples:
● A hospital using a consent manager to share diagnostic reports with a specialist
● A bank customer authorising Bank A to share bank statements with Bank B
Consent managers do not replace KYC/AML requirements, as accountability remains with financial institutions.
Data Processors
Entities that process personal data on behalf of a Data Fiduciary and follow its instructions. Examples include cloud providers, payroll processors, and third-party KYC vendors.
This article takes a financial sector view, so the focus is on banks and NBFCs.
The 2025 rules do not change what documents must be collected, but change how data must be explained, obtained, retained, used, and deleted.
Broadly, the rules reshape four key areas of KYC and customer data:
● Transparency
● Security
● Retention
● Enforcement
The most visible shift is in how institutions communicate data usage to customers.
Privacy-related clauses can no longer be hidden inside account-opening forms or bundled with general terms. They must be standalone, readable, and specific.
Financial institutions must clearly explain:
● What categories of personal data are collected during onboarding and thereafter
● The exact purposes of data collection
● Who the data may be shared with
● How customers can exercise rights or raise complaints
KYC requirements remain mandatory, but institutions must distinguish between compliance data and other uses like marketing or analytics.
Customers must be allowed to opt out of non-essential uses, requiring clear separation between essential and optional data usage.
Consent verification has also become stricter for:
● Children
● Persons with disabilities
● Guardian-managed accounts
● Video-KYC processes
Financial institutions must implement auditable security controls such as:
● Encryption or tokenisation of sensitive data
● Strict access controls
● Continuous monitoring
● Detailed access logging
Institutions must be able to demonstrate:
● Who accessed customer data
● When access occurred
● Why it was accessed
● Whether access was authorised
All third-party vendors (Data Processors) must follow the same standards and are accountable for lapses.
Example:
If a bank uses a cloud provider to store KYC data, the provider becomes a Data Processor. The bank must ensure proper safeguards and retention of data and access logs for at least one year, unless longer retention is required under banking or AML laws.
The core principle is simple: personal data must be deleted once its purpose is complete, unless retention is legally required.
In financial institutions governed by KYC and PMLA rules, this typically means retention for 3 or 8 years as applicable.
However:
● Non-essential data cannot be retained indefinitely
● Data not required by law must be identified and deleted
● If retained, the reasons must be documented
In some cases, customers must be informed before deletion.
The rules also require minimum retention of logs and metadata for fraud prevention, security, and compliance.
In case of a data breach, financial institutions must:
● Notify affected customers promptly
● Explain what happened and what data was involved
● Describe possible consequences
● Provide mitigation steps and safety guidance
● Share contact details for support
Additionally, institutions must report the breach to:
● Data Protection Board
● RBI
● CERT-In
A detailed follow-up report is also required.
The Data Protection Board becomes a key enforcement authority under DPDP, alongside regulators such as:
● RBI
● SEBI
● IRDAI
● FIU-IND
Customer complaints can be filed directly with the Board.
Data protection is therefore integrated into governance, risk management, and compliance—not just a back-office function.
Most provisions under the DPDP Rules (including transparency, security, breach notification, retention, and rights) will be enforceable 18 months after notification in November 2025, i.e., May 2027.
● Institutional setup and definitions apply immediately
● Consent manager provisions will take effect later
This phased rollout gives financial institutions time to update KYC systems, revise notices, and modify vendor contracts.