Banking Data Protection · RBI + DPDP · KYC Consent · NPA Data Governance

DPDP Compliance for Banks
RBI Overlap, Penalties & Obligations

Banks are India’s highest-risk data fiduciaries under the DPDP Act 2023. They process Aadhaar-linked KYC data, PAN verification records, CIBIL credit scores, income tax returns, property valuations, guarantor information, and biometric authentication data for hundreds of millions of Indians. Unified Chambers and Associates advises banks on the dual compliance challenge: meeting DPDP Act obligations while continuing to comply with RBI’s Master Directions on IT Governance, Data Localisation, and Cyber Security.

We already represent banks at all 39 Debt Recovery Tribunals. The loan data, borrower records, and NPA portfolios that we handle in DRT proceedings are the same personal data that DPDP now protects with penalties up to Rs 250 crore. One firm. Both regulatory risks. Senior Partner Advocate Subodh Bajpai, LLM, MBA (XLRI), leads every engagement.

Risk Assessment

Why Banks Are India’s Highest-Risk Data Fiduciaries

No other sector in the Indian economy processes personal data at the scale, sensitivity, and regulatory complexity of banking. A single retail loan application generates a data footprint that touches Aadhaar (identity), PAN (tax), CIBIL/Equifax/Experian (credit history), income tax returns (income verification), property records (collateral valuation), employer details (employment verification), family member information (guarantor documentation), and bank statements (financial behaviour). Multiply this across millions of loan accounts, savings accounts, credit cards, and insurance products, and the data exposure is staggering.

The DPDP Act treats all of this as personal data of data principals (borrowers, account holders, guarantors, employees) processed by the bank as data fiduciary. Every processing activity — from the initial KYC verification to credit bureau pulls, loan disbursement, EMI collection, NPA classification, recovery agent assignment, and eventual ARC portfolio transfer — must now satisfy the consent, purpose limitation, and data minimisation requirements of the Act. A contravention at any point in this chain exposes the bank to penalties up to Rs 250 crore per contravention (Schedule Sl.1, security safeguard breach).

Furthermore, banks operate under concurrent regulatory jurisdiction. The Reserve Bank of India has its own data governance framework — Master Direction on IT Governance, Risk, Outsourcing and Cybersecurity (2023), Data Localisation Directive (2018), and CERT-In Cyber Security reporting requirements. DPDP does not replace these obligations. It adds to them. A bank must comply with both regimes simultaneously, and a failure under one may trigger scrutiny under the other.

Banks that are classified as Significant Data Fiduciaries under Section 10 — which will include most large scheduled commercial banks — face additional obligations: mandatory appointment of a Data Protection Officer based in India, appointment of an independent Data Auditor, periodic Data Protection Impact Assessments, and compliance with any further conditions prescribed by the Central Government. The compliance burden is substantial, and the penalty exposure for non-compliance is existential.

DPDP Act 2023 — Schedule, Sl.1 (Section 8(5))
“Breach of security safeguards to prevent personal data breach”
Maximum penalty: Rs 250 Crore per contravention · Cumulative for multiple violations
Dual Regulatory Framework

DPDP + RBI Compliance Matrix

Banks must navigate overlapping obligations under the DPDP Act 2023 and multiple RBI Master Directions. The following matrix identifies the key intersection points where dual compliance is required — and the specific risk each creates.

Data Breach Notification
RBI requirement: Cyber incident reporting to CERT-In within 6 hours (CERT-In Directions 2022). RBI Cyber Security Framework requires reporting to RBI.
DPDP requirement: Notify DPBI and affected data principals "without delay" (Section 8(6)). Penalty: up to Rs 200 crore for failure (Schedule Sl.2).
Compliance risk: Triple reporting obligation: CERT-In (6 hours), RBI, and DPBI — each with different formats and timelines.

Data Localisation
RBI requirement: Payment system data must be stored exclusively in India (2018 RBI circular). No exceptions for mirror copies.
DPDP requirement: Cross-border transfer allowed except to countries on the restricted list (Section 16). Negative list approach.
Compliance risk: Payment data must stay in India (RBI). Other personal data may be transferred (DPDP). Banks must classify data accurately.

Consent Management
RBI requirement: KYC consent governed by PMLA + RBI KYC Master Direction. Account Aggregator framework requires explicit consent.
DPDP requirement: Purpose-specific consent with right to withdraw (Section 6). Notice must specify each purpose. Granular opt-in required.
Compliance risk: KYC consent may not cover cross-selling, group company sharing, or ARC portfolio transfers. Gap analysis essential.

Data Retention
RBI requirement: KYC records: 5 years after account closure (PMLA). Transaction records: 10 years (various RBI circulars).
DPDP requirement: Data must be erased when purpose is fulfilled and consent is withdrawn (Section 8(7)). Purpose limitation principle.
Compliance risk: RBI mandates long retention. DPDP mandates deletion. Banks must document which retention period applies to which data set.

IT Governance
RBI requirement: Master Direction on IT Governance, Risk, Outsourcing and Cybersecurity (2023). Board-level IT strategy committee required.
DPDP requirement: Significant Data Fiduciaries must appoint DPO and conduct DPIA (Section 10). Data Auditor appointment mandatory.
Compliance risk: Two parallel governance frameworks. CTO/CISO reports to Board under RBI. DPO reports independently under DPDP.

Third-Party Data Sharing
RBI requirement: Credit Information Companies regulated under CICRA 2005. Bureau pulls require specific consent. RBI-approved data sharing frameworks.
DPDP requirement: Data processor must process only on fiduciary's instructions (Section 8(2)). Sub-processing requires contractual controls.
Compliance risk: Credit bureau pulls, ARC portfolio transfers, and outsourced collections each require separate DPDP compliance analysis.

For a comprehensive analysis of RBI Master Directions, see our RBI NBFC Directions Library.

The Key Differentiator

The DRT-DPDP Intersection

Here is the scenario that no pure data privacy law firm can handle, and no pure banking lawyer has anticipated: a borrower whose loan account has been classified as NPA files a complaint before the Data Protection Board alleging that the bank violated the DPDP Act in its recovery process. The bank is simultaneously prosecuting DRT proceedings to recover Rs 10 crore in outstanding principal and interest, while defending a DPBI complaint that could attract penalties of Rs 250 crore.

The DPDP complaints arising from NPA recovery will take multiple forms. A borrower may allege that the bank shared their personal data — loan account details, payment history, income documentation, guarantor information — with the Asset Reconstruction Company that purchased the NPA portfolio, without obtaining fresh consent for this new processing purpose. The bank may argue that the ARC assignment under the SARFAESI Act is a statutory transfer that does not require separate DPDP consent. This is a novel legal question that requires counsel who understand both SARFAESI Section 5 (acquisition of assets) and DPDP Section 6 (consent requirements).

Another common scenario: the borrower alleges that the bank’s recovery agents accessed personal data — home addresses, workplace details, family member contacts — beyond what was strictly necessary for the recovery process. The bank must demonstrate that its recovery agents operate under data processing agreements that limit the scope and purpose of data access, and that the bank has implemented technical controls (role-based access, audit logs) to enforce these limits. This is where DPDP compliance documentation becomes evidence in the DPBI proceeding.

A third scenario involves guarantors. When a bank processes the personal data of a personal guarantor — their income records, property documents, employment details — for the purpose of enforcing a guarantee under SARFAESI Section 13(4) or IBC Section 95, the guarantor may argue that their original consent was limited to the guarantee agreement and did not extend to the bank using their data in enforcement proceedings. The legal analysis requires understanding both the scope of the guarantee agreement (contract law) and the purpose limitation principle under DPDP Section 6.

Unified Chambers handles both sides of this intersection. We prosecute the DRT case for debt recovery and defend the DPBI complaint for data protection — for the same bank, in the same matter. This eliminates coordination overhead, ensures consistency of legal position, and prevents the borrower from exploiting contradictions between two different law firms representing the bank in related proceedings.

DPDP Act 2023 — Section 6(1)
“A person may give her consent to the processing of her personal data for a specified purpose...”
Purpose limitation · Consent must be specific · Novel questions at DRT-DPDP boundary
Consent Framework

Consent Architecture for Banking Data

The DPDP Act fundamentally changes how banks must think about consent. Under the traditional KYC regime, consent was a single, broad authorisation embedded in the account opening form. DPDP requires purpose-specific, informed, unambiguous consent with the right to withdraw at any time. Banks must redesign their consent architecture across the entire customer lifecycle.

KYC Re-Consent

Existing KYC consent forms bundled multiple processing purposes into a single signature. DPDP requires granular consent: separate opt-ins for identity verification, credit assessment, marketing communications, and data sharing with group entities. Banks must identify which existing consents satisfy DPDP and where re-consent is needed — a mass communication exercise affecting millions of customers.

Credit Bureau Pull Consent

Every credit bureau inquiry — CIBIL, Equifax, Experian, CRIF High Mark — processes the borrower's personal data. Under the Credit Information Companies (Regulation) Act 2005, specific consent for bureau pulls is already required. DPDP adds the requirement that this consent be purpose-limited: a consent given for a home loan assessment cannot be used for a credit card cross-sell assessment. Banks must implement consent workflows that capture separate authorisations for each bureau pull purpose.

NPA Portfolio Transfer Consent

When a bank assigns an NPA portfolio to an Asset Reconstruction Company under SARFAESI Section 5, massive volumes of personal data — borrower details, guarantor records, collateral documentation — transfer with the portfolio. The DPDP question is whether the original loan consent covers this transfer, or whether fresh consent from each borrower is required. The legal analysis depends on how broadly the original consent was drafted, whether the ARC qualifies as a "data processor" or a new "data fiduciary," and whether statutory assignment under SARFAESI overrides DPDP consent requirements.

Account Aggregator Consent

RBI's Account Aggregator framework already implements granular consent for financial data sharing. DPDP compliance for AA transactions requires ensuring that the AA consent artefact satisfies DPDP Section 6 requirements: purpose specification, data categories, retention period, and right to withdraw. Banks participating as Financial Information Providers (FIPs) must align their AA consent flows with DPDP obligations.

Employee Data Consent

Banks process personal data of tens of thousands of employees — HR records, performance reviews, medical insurance data, provident fund details, ESOP holdings. Employee consent under DPDP must be demonstrably voluntary (given the employment power imbalance), purpose-specific, and revocable. Banks need separate employee privacy notices and consent mechanisms distinct from customer-facing DPDP compliance.

For NBFC-specific consent requirements, including microfinance and housing finance considerations, see DPDP for NBFCs.

Regulatory Challenge

RBI-DPDP Retention Conflict
When Erasure Meets Mandatory Retention

Banks must retain KYC data for at least 5 years after the customer relationship ends under anti-money laundering compliance. Transaction records often require even longer retention under various RBI circulars. But DPDP Section 8(7) requires erasure of personal data once the purpose for which it was collected is served and consent is withdrawn. This creates a direct tension between two binding legal obligations.

While the DPDP Act does allow continued retention where required for compliance with any law in force, this exception is not a blanket safe harbour. The data fiduciary must maintain a complex retention matrix that documents exactly which specific law justifies holding each particular data point, for how long, and under what conditions it must ultimately be erased. A bank holding a closed account’s Aadhaar number, PAN, income records, and family member details needs a distinct legal basis for retaining each data element — not a single “regulatory compliance” justification.
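As an added illustration of how such a retention matrix can be made machine-checkable (this is example code written for this page, not the firm's or any bank's tooling), the routine below gives each data element its own legal basis and applies Section 8(7) against the statutory retention clock. The element names, the consent-only entries and the sample dates are constructed assumptions; the retention periods are the ones quoted on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention matrix: the specific law that justifies holding the element."""
    legal_basis: str
    retain_years: int  # statutory period counted from account closure; 0 = held on DPDP consent only

# Constructed matrix for illustration. The periods are those quoted on this page
# (KYC records: 5 years after closure under PMLA; transaction records: 10 years under
# RBI circulars); the consent-only elements are assumed examples.
RETENTION_MATRIX = {
    "kyc_aadhaar_pan": RetentionRule("PMLA Rules: KYC records", 5),
    "transaction_records": RetentionRule("RBI circulars: transaction records", 10),
    "family_member_details": RetentionRule("DPDP s.6 consent only", 0),
    "marketing_preferences": RetentionRule("DPDP s.6 consent only", 0),
}

@dataclass(frozen=True)
class Decision:
    action: str               # "retain" or "erase"
    basis: str                # element-specific justification, never a blanket "regulatory compliance"
    erase_on: Optional[date]  # date on which erasure falls due, where it can already be fixed

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolled into a non-leap year
        return d.replace(year=d.year + years, day=28)

def decide(element: str, today: date, closed_on: Optional[date], withdrawn_on: Optional[date]) -> Decision:
    """Apply DPDP s.8(7) to one element, honouring the 'any law for the time being in force' exception."""
    rule = RETENTION_MATRIX[element]
    # Either event starts the s.8(7) erasure duty: purpose served (account closed) or consent withdrawn.
    triggers = [d for d in (closed_on, withdrawn_on) if d is not None and d <= today]
    if not triggers:
        return Decision("retain", "DPDP s.8(7): purpose still being served and consent in force", None)
    if rule.retain_years == 0:
        return Decision("erase", "DPDP s.8(7): trigger occurred and no statute requires retention", min(triggers))
    # A statutory period overrides erasure, but its clock runs from closure, not from consent withdrawal.
    if closed_on is None or closed_on > today:
        return Decision("retain", f"{rule.legal_basis}: statutory clock has not started (account open)", None)
    expiry = _add_years(closed_on, rule.retain_years)
    if today >= expiry:
        return Decision("erase", f"{rule.legal_basis}: {rule.retain_years}-year period has expired", expiry)
    return Decision("retain", f"{rule.legal_basis}: {rule.retain_years} years after closure", expiry)

def evaluate_iso(today: str, closed_on: Optional[str] = None, withdrawn_on: Optional[str] = None) -> dict:
    """Evaluate every element in the matrix; dates are ISO strings so the example is easy to drive."""
    parse = lambda s: date.fromisoformat(s) if s else None
    return {e: decide(e, parse(today), parse(closed_on), parse(withdrawn_on)) for e in RETENTION_MATRIX}
```

The output for a closed account with withdrawn consent shows the point of the matrix: the consent-only elements fall due for erasure immediately, while the KYC and transaction records are retained under their named statute until a computed date, and each decision records which basis applied.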

This compliance gap between RBI’s retention mandates and DPDP’s erasure obligation requires expert legal navigation. Unified Chambers helps banks build defensible data retention matrices that satisfy both RBI inspection requirements and DPDP erasure demands — ensuring that the Data Protection Board cannot challenge retention practices while RBI auditors cannot fault premature deletion.

DPDP Act 2023 — Section 8(7)
Data fiduciary shall erase personal data upon withdrawal of consent or when the specified purpose is no longer being served — unless retention is necessary for compliance with any law for the time being in force.
See also: PMLA Rules — KYC records retained for 5 years post-relationship
Frequently Asked Questions

DPDP for Banks — Key Questions Answered

Are banks classified as data fiduciaries under the DPDP Act?

Yes. Every bank operating in India — scheduled commercial banks, cooperative banks, regional rural banks, and foreign bank branches — is a data fiduciary under the DPDP Act 2023 because they determine the purpose and means of processing personal data. Banks process some of the most sensitive personal data in the Indian economy: Aadhaar numbers linked to accounts, PAN for KYC, income tax returns for credit assessment, CIBIL scores, property valuations, family member details for guarantor documentation, and biometric data for authentication. The volume and sensitivity of this data makes banks among the highest-risk data fiduciaries under the Act.

Will major banks be classified as Significant Data Fiduciaries?

Almost certainly. Section 10 of the DPDP Act empowers the Central Government to notify certain data fiduciaries as Significant Data Fiduciaries (SDFs) based on volume of personal data processed, sensitivity of data, risk to data principal rights, potential impact on sovereignty and security, and risk to electoral democracy. Large scheduled commercial banks — SBI, HDFC Bank, ICICI Bank, Axis Bank, PNB, Bank of Baroda — process personal data of hundreds of millions of Indians. They will face additional obligations: mandatory DPO appointment, independent Data Auditor, periodic DPIAs, and algorithmic transparency requirements for automated credit decisions.

How do RBI data localisation rules interact with DPDP cross-border transfer provisions?

Banks face a dual compliance requirement. RBI's 2018 circular on Storage of Payment System Data requires that all payment transaction data be stored exclusively in India — this is an absolute localisation mandate with no exceptions. The DPDP Act takes a different approach: Section 16 allows transfer of personal data to countries not on the Government's restricted list (negative list). The practical effect is that banks must store payment data in India under RBI rules AND ensure that any cross-border transfer of other personal data (employee data, correspondent banking data) complies with DPDP Section 16. The two regimes operate concurrently, and a transfer that satisfies DPDP may still violate RBI localisation requirements.

What happens when a borrower files a DPDP complaint about data used in NPA recovery?

This is the DRT-DPDP intersection that makes Unified Chambers uniquely positioned. A borrower classified as NPA may file a complaint with the Data Protection Board alleging that the bank shared their personal data with an ARC without fresh consent, or that the bank's recovery agents accessed personal data beyond what was necessary for debt collection, or that guarantor data was processed without a lawful basis. The bank must then defend both the DRT proceedings (seeking recovery of the outstanding debt) and the DPBI complaint (defending its data processing practices) simultaneously. A single law firm handling both matters ensures consistency of position — the legal arguments in the DRT case must not contradict the data processing justifications in the DPBI response.

Does DPDP require fresh consent for existing KYC data?

The DPDP Act requires that personal data be processed only for the purpose for which consent was given. If a bank collected KYC data under the Prevention of Money Laundering Act and RBI KYC Master Direction for the purpose of account opening and transaction monitoring, using that same data for cross-selling insurance products, sharing with group companies for marketing, or transferring to an ARC during NPA resolution may require fresh or expanded consent under DPDP. Banks must conduct a purpose-mapping exercise for all existing data sets: was the consent originally given broad enough to cover the current use? If not, re-consent campaigns — targeted communications to customers explaining the extended use and obtaining affirmative consent — become necessary.

What is the penalty risk for a data breach at a bank?

The penalty exposure for a bank experiencing a data breach is potentially catastrophic under the DPDP Act. If the bank failed to implement reasonable security safeguards: up to Rs 250 crore (Schedule Sl.1, Section 8(5)). If the bank fails to notify the DPBI and affected customers of the breach: up to Rs 200 crore (Sl.2, Section 8(6)). If the breach involves children's data (minors' savings accounts): up to Rs 200 crore (Sl.3, Section 9). If the bank is classified as a Significant Data Fiduciary and fails its additional obligations: up to Rs 150 crore (Sl.4, Section 10). These penalties are per contravention and cumulative — a single breach incident could trigger multiple penalty tiers simultaneously. Additionally, CERT-In requires reporting of cyber incidents within 6 hours, and RBI has its own cyber incident reporting framework. A bank must navigate DPDP, CERT-In, and RBI reporting obligations concurrently.

Why should a bank engage its DRT panel counsel for DPDP matters?

Because the personal data that DPDP protects is the same data that drives the debt recovery process. Loan applications, KYC records, credit bureau reports, guarantor undertakings, income verification documents, property valuations, and NPA portfolio databases — these are the core data assets of any bank, and they are simultaneously the subject of DRT proceedings and DPDP compliance. Engaging a separate privacy firm that does not understand banking operations, DRT procedures, or SARFAESI enforcement creates coordination overhead and risks contradictory legal positions. Unified Chambers already handles the DRT, SARFAESI, and IBC matters for the same institutions and understands their data flows at an operational level. Minimum engagement: Rs 50 lakhs.

Get Started

Your DRT Counsel Already Knows Your Data Flows

WhatsApp Advocate Subodh Bajpai directly. Describe your bank’s data processing landscape, DPDP compliance gaps, and whether you face any pending or anticipated DPBI complaints. Senior Partner response within one business day. Minimum engagement: Rs 50 lakhs.
