
How India’s BFSI Sector Can Navigate the New DPDP Act

Prerak Gupta

September 17, 2025

After years of deliberations and negotiations, India’s Digital Personal Data Protection Act 2023 was passed on 11 August 2023. The Bill cleared both Houses within just over a week.

The DPDPA, modelled after the European Union’s General Data Protection Regulation (GDPR), creates a comprehensive framework for digital personal data protection and covers all entities that process personal data in India. It mandates robust security measures to prevent breaches.

For Banking, Financial Services and Insurance (BFSI) organisations, the compliance bar remains high because RBI, SEBI and IRDAI sector rules continue to apply. The DPDP Act aims to strengthen digital trust and operational resilience in a data-driven economy.

Why DPDPA Matters and Who Must Comply

India’s financial rails now run at population scale. UPI processed 628 million transactions daily in July 2025, which shows the sheer volume of personal data moving through financial institutions. This scale increases the exposure to financial fraud and operational lapses.

Moreover, if privacy is not built into customer journeys and a breach happens, BFSI firms face heavy fines. IBM reports that the average cost of a data breach in India reached INR 220 million (~ USD 2.5 million) in 2025. Boards and regulators therefore expect stronger controls and faster response. The DPDPA matters because it creates standard rules for consent, accountability and breach handling, so BFSI firms can protect customers, reduce losses and maintain trust at scale.

Key Participants and Definitions under DPDPA

It is crucial to note that an entity’s role can be fluid. A bank is a Data Fiduciary for its own customers, but it may act as a Data Processor when handling data on behalf of another institution. Under the DPDPA, third-party service providers are classified as Data Processors and must adhere to the security and processing standards set by the Data Fiduciary.

What Solution Architecture Enables DPDPA Readiness

For DPDPA readiness, organisations need a simple yet effective system that combines privacy and security into daily operations. The goal is to manage personal data at every step, from collection and processing to deletion, with explicit consent, strong protections, and constant oversight. The system architecture should fit smoothly with core BFSI platforms so teams can pass audits and keep growing without interruption.

  • Real-time consent management tools that support clear multilingual notices, let people opt in or out for each purpose, and store tamper-proof logs.
  • Automated data discovery and classification that spots sensitive data across core banking, lending, deposit, payment and storage systems.
  • Encryption and masking to protect data at rest and in transit, with dynamic masking to safeguard analytics and test environments without disrupting reports. Align cryptographic controls with ISO 27001 and NIST standards.
  • Data activity monitoring that tracks access and usage in real time, enforces “need-to-know” access, and flags policy breaches early.
  • Continuous compliance monitoring that maintains audit evidence, flags deviations, and simplifies ongoing reporting to boards and regulators.
  • Rights fulfilment workflows that verify identity, pull records across systems, and close access, correction or deletion requests within agreed timeframes.
  • Third-party governance that builds data-deletion assistance, subcontractor visibility and cross-border controls into every processor contract, as the DPDPA requires.
  • Comprehensive audit trails aligned with RBI and SEBI formats, ready for board reviews and Data Protection Impact Assessments.
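As an added illustration (not Landmark’s product code or text from the Act), the Python below shows the two mechanisms the first and fourth bullets rely on: a per-purpose consent log whose entries are hash-chained so tampering is detectable, and an access gate that refuses a processing step once consent for that purpose is withdrawn or the log fails verification. Customer IDs, purposes and notice languages are constructed sample values.

```python
"""Per-purpose consent ledger with a hash-chained, tamper-evident log.
Added example; data principal IDs and purposes are constructed values."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.entries = []

    def record(self, principal_id, purpose, granted, notice_lang):
        """Append one consent decision, linked to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "principal": principal_id,
            "purpose": purpose,          # consent is tracked per purpose, not globally
            "granted": granted,
            "notice_lang": notice_lang,  # language the notice was presented in
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def has_consent(self, principal_id, purpose):
        """Latest decision for this principal and purpose wins; no entry means no consent."""
        for e in reversed(self.entries):
            if e["principal"] == principal_id and e["purpose"] == purpose:
                return e["granted"]
        return False

    def verify(self):
        """Recompute every hash and back-link; False if an entry was altered or spliced out."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def access_allowed(ledger, principal_id, purpose):
    """Gate a processing step on an intact log and current consent for the purpose."""
    return ledger.verify() and ledger.has_consent(principal_id, purpose)
```

A production ledger would also anchor the latest hash externally (for example in a write-once store) so that removal of the most recent entries is detectable.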

The Act uses a ‘transfer list’ model, so cross-border data flows continue unless the government notifies a restriction. Since sector rules continue to apply, stricter obligations such as breach reporting to CERT-In within six hours remain binding under the CERT-In Directions of 28 April 2022.

DPDPA Compliance Roadmap

DPDPA readiness for BFSI rests on five strategic pillars:

First, establish governance by approving enterprise-wide privacy and security policies that define how personal data is collected, used, shared and retained.

Second, adopt data classification and minimisation, tagging every record by sensitivity, recording its purpose, and collecting only what is needed at each customer touch-point.

Third, implement end-to-end tracking by mapping personal data from onboarding through servicing, analytics, and archiving so nothing falls through the cracks.

Fourth, prepare for Significant Data Fiduciary status by appointing an Indian-based DPO, maintaining processing records, performing DPIAs on new products, and commissioning independent audits.

Finally, ensure operational resilience by maintaining tested backups, rehearsed breach-response playbooks and reports that meet RBI, SEBI and IRDAI standards.

DPDPA Compliance Action Plan


Apart from this, an ongoing activity should be to monitor MeitY notifications for the commencement of DPDPA provisions and any updates to the Act. Also, align retention and disclosure with RBI, SEBI and IRDAI circulars where their obligations are stricter than the DPDPA.

Achieve DPDPA Compliance with Landmark Systems and Solutions

Landmark Systems and Solutions helps BFSI institutions become DPDPA ready through a structured assessment, gap remediation and audit support. We map data flows, validate consent and rights processes, and align controls with sector regulations and CERT-In duties.

Our dKYC platform enables DPDPA compliant onboarding with secure identity verification and complete audit trails, ensuring purpose limitation, data minimisation, and fast responses to access, correction, and deletion requests. (landmark does consulting where it helps setting up the flow of compliance for

We serve over 80 customers, including Axis Bank, ICICI Bank, HDFC Securities, Kotak, Paytm, and Standard Chartered, among others, and support more than 2.5 million daily transactions. Our system features strong controls that scale with growth, ensuring data protection and security. To begin a readiness assessment, connect with us today.


Official references

  • Gazette of India for the Digital Personal Data Protection Act 2023
    https://egazette.gov.in/WriteReadData/2023/247847.pdf
  • e-Gazette homepage for all statutory notifications and rules
    https://egazette.gov.in
  • PRS India for bill timeline and highlights
    https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
