With India’s Digital Personal Data Protection (DPDP) Act entering phased implementation, banks, insurers, and fintech companies are moving quickly to strengthen their privacy frameworks. The shift signals a move toward deeper, system-wide changes in how customer data is managed and protected.
Several financial institutions are setting up dedicated privacy functions. Yes Bank has created a separate data privacy office and appointed a data privacy officer. “In line with the DPDPA, we are currently undertaking a gap assessment, evaluating consent tools, and rolling out multiple training initiatives to build staff awareness of the DPDP Act,” said Munesh Ahuja, the bank’s data privacy officer. Industry experts say such steps are becoming necessary as the 18-month phased rollout shortens the time available for compliance, with enforcement expected by May next year.
Ritika Loganey, tax partner at EY India, said the transition window offers structure but little flexibility. “Institutions must prioritise foundational compliance, data inventories, consent architecture and breach readiness early on to avoid disruption later,” she said. According to her, Phase 1 should focus on enterprise-wide data mapping, defining lawful purposes for data use, and aligning third-party partners. Later phases should test how well privacy controls are embedded, how automated user rights are managed, and whether systems are ready for audits.
One of the most important changes under the DPDP Act is the introduction of a dual-reporting system for data breaches. Financial institutions will now need to align privacy breach reporting with existing cyber incident rules set by banking and insurance regulators, as well as the Indian Computer Emergency Response Team (CERT-In).
“Timely, coordinated disclosures to both regulators and affected data principals will be critical,” Loganey said.
Experts believe the phased approach allows firms to plan better, but delays could increase compliance risk. As deadlines approach, privacy is moving from a policy topic to a core operational priority. The focus is no longer only on legal readiness but also on staff training, technology upgrades, and real-time response systems.
For banks and fintech firms, the DPDP Act is pushing a shift from surface-level controls to long-term privacy governance. How effectively these changes are implemented in the coming months will shape trust, regulatory outcomes, and business continuity.



