ARTICLE
15 January 2025

Operational Challenges With The New DPDP Rules For The Fintech Industry In India

AK & Partners

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.

The Ministry of Information and Technology has released the draft Digital Personal Data Protection Rules, building on the Digital Personal Data Protection (DPDP) Act passed by Parliament in August 2023. These draft rules are now open for public consultation via the 'mygov' portal, with feedback due by February 18th, 2025.

The rules focus on the processing of digital personal data in India, covering data collected online as well as offline data that is subsequently digitised. They aim to clarify legal responsibilities, stakeholder registrations, and the framework for establishing a Data Protection Board, along with details on employee roles and service conditions.

Navigating Business Challenges for Fintech Companies

Fintech companies must prepare for significant changes in their operational practices to comply with the new regulations. A key action will be conducting thorough Data Protection Impact Assessments (DPIAs), as required for significant data fiduciaries. This will help identify and mitigate risks in data processing activities, ensuring a robust compliance posture.

  • Ambiguity and Regulatory Overlap

A key challenge lies in the ambiguity of data localization requirements. While the DPDP Act does not mandate data localization, the Reserve Bank of India (RBI) guidelines require certain data to be stored within India. This creates a complex legal situation for fintech firms that must navigate potential conflicts between the two regulatory frameworks. Moreover, the DPDP Act's extraterritorial application means data collected within and outside India is subject to the same regulations.

Managing user consent is also at the heart of compliance. A major update in the rules is the requirement to obtain verifiable consent before processing the data of children, persons with disabilities, and others. Moreover, parental consent for children must be obtained before setting up a social media account. Organisations cannot start using data before such consent is verified.

  • Increased Compliance Demands

Fintech businesses will need to invest in infrastructure to meet these new regulatory requirements. This includes enhancing data collection systems, implementing consent management protocols, establishing data lifecycle management practices, and ensuring these protocols are ingrained in daily operations.

Although the draft does not specify penalties for violations, it emphasises accountability for data fiduciaries. For fintech companies using AI for data processing, it is essential to ensure that algorithms do not infringe on user rights. The absence of explicit penalties may reduce immediate compliance pressure but places a stronger emphasis on self-regulation and upholding high data protection standards to foster consumer trust.

  • Digital-First Data Protection

The DPDP Act and its associated rules are designed with a digital-first approach, balancing innovation with regulation. This is particularly important for fintech firms in India's thriving economy and large start-up ecosystem. Data managers, both public and private, will face heightened scrutiny and responsibility regarding public data usage.

The DPDP Act enforces key principles such as user consent and data minimisation, which fintech companies must embed into their operations. While strict localization requirements may not apply, companies still need to maintain data protection practices to comply with the law.

Conclusion

The draft Digital Personal Data Protection Rules represent an important shift in how fintech businesses manage data in India. Companies must adapt to these evolving regulations by enhancing their data protection infrastructure and aligning their operations with both the DPDP Act and any overlapping industry-specific guidelines. By doing so, fintech firms can mitigate legal risks, enhance consumer trust, and stay ahead of regulatory challenges.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
