DPDP Act 2023: Safeguarding Financial Data
In our modern, highly interconnected world, the convergence of data protection and financial services has attained unprecedented significance. As financial transactions increasingly migrate to digital platforms and electronic wallets, safeguarding personal and financial information has surged to paramount importance. The DPDP Act of 2023 plays a pivotal role in this landscape, acting as a critical intermediary that balances the profit-driven goals of the financial industry with the imperative to protect individuals’ sensitive data.
Implications
Banks entrusted with sensitive customer data face severe consequences in the event of a breach, rendering the banking sector highly susceptible to data privacy risks. The DPDP act carries several significant implications:
◉ Data Principals: Fintech firms handle the personal information of individuals often referred to as “digital citizens” or data subjects. Under the recent data protection legislation, data subjects are entitled to receive a clear notice outlining the specifics of the personal data to be collected and the purpose behind its collection
◉ Consent and Compliance: Organizations managing personal data must prioritize fortifying their privacy efforts through practices like privacy-by-design and adherence to the Act’s privacy directives. This entails issuing transparent privacy notices and establishing a robust consent mechanism. To secure precise and informed consent from Data Principals, clear and unambiguous data collection notifications in multiple languages are essential. The Act emphasizes obtaining consent through clear and affirmative actions when handling customer privacy. Moreover, customers now possess the newfound ability to withdraw their consent for the handling of their personal data at any time, thanks to this consent framework.
◉ Rigorous Organizational Measures: Entities within the financial sector acting as custodians must scrutinize their internal procedures and systems concerning the disclosure or sharing of personal data, both with other fiduciaries and with third-party entities authorized to process data on their behalf (known as ‘Processors’). Any such data processing must strictly adhere to a legally binding contract.
◉ Classification as Significant Data Fiduciaries: Entities handling personal data may be designated as Significant Data Fiduciaries based on factors such as data volume and their impact on public order. This classification carries substantial obligations, including conducting data protection impact assessments, regular data audits, and compliance with government-mandated requirements. This may encompass many prominent fintech firms, subjecting them to additional compliance measures like data protection assessments and the appointment of Data Protection Officers.
◉ Utilizing Necessary Exemptions: The Act provides exemptions for entities, including startups, in situations such as legal compliance, enforcing legal rights, mergers, debt recovery, and processing data of foreign nationals by Indian outsourcing firms. These exemptions may relieve them of specific obligations such as providing notice, ensuring accuracy, adhering to data retention limits, and handling information access requests. Financial and Fin-Tech organizations should conduct readiness assessments to ensure that their data processing frameworks, including notice and consent procedures, align with future requirements and anticipated rule-making guidance.
Challenges
◉ Determining the Data Fiduciary (DF): The DPDP Act poses a significant challenge in defining the Data Fiduciary. Clause 2(j) defines a DF as an individual or collaborator responsible for specifying how personal data is processed. However, it remains unclear whether only the bank or the fintech firm should be labeled as DF, given the dual-party structure prevalent in the fintech industry. This ambiguity necessitates clear definitions and delineation of responsibilities between these parties before handling personal data.
◉ Distinction Between DFs and SDFs: Fintech companies confront a notable challenge under the DPDP due to the distinction between Data Fiduciaries (DFs) and Significant Data Fiduciaries (SDFs). The government may classify some DFs as SDFs based on criteria like data volume, sensitivity, risks to data subject rights, and public security. Given the technology-driven nature of fintech and their substantial data handling, many may fall into the SDF category, necessitating them to fulfill additional obligations such as appointing a Data Protection Officer, Independent Data Auditor, and conducting impact assessments and compliance audits.
◉ Ambiguity in Obligations: The DPDP Act contains a provision for prior notice. However, existing regulations like the SPDI Rules and Digital Lending Guidelines require a “privacy policy.” It remains uncertain whether these two obligations, prior notice and privacy policy, pertain to the same document or have distinct requirements. This ambiguity requires clarification to enable fintech companies, bound by sectoral laws, to prepare the necessary documents for handling user personal data effectively.
Penalties
Penalties for non-compliance vary from INR 10,000 to INR 2.5 billion, contingent on the severity of the violation. In cases of severe breaches identified after an inquiry, the Data Protection Board of India can impose monetary fines under the DPDP Act after providing an opportunity for defense. The fine amount is determined by considering factors such as breach severity, duration, likelihood, affected personal data, financial gains or losses, mitigation efforts, fairness, expected impact, and effectiveness. Significant Data Fiduciaries failing to meet the new DPDP Act obligations may face fines of up to INR 1.5 billion.
Closing Thoughts
Personal and financial data form the foundation upon which financial institutions have built their offerings. Technological advancements have amplified its value. Protecting this data is imperative for both customers and the financial sector, preventing misconduct and promoting industry best practices. However, fintechs are urged to enhance transparency in their utilization of customer data by conducting comprehensive data audits to identify all collected personal information. They must assess data practices for compliance with the DPDP Act, implement appropriate safeguards, update privacy policies, and consent procedures accordingly, and provide staff training on the DPDP Act’s implications for their roles.
Disclaimer : No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.