
TL;DR
India’s DPDP Rules 2025 bring major changes for financial services and fintech firms handling consumer data.
These rules were notified on November 13th, 2025.
Firms must obtain clear, purpose-specific consent, provide easy consent withdrawal, enforce mandatory security safeguards, notify breaches quickly, and comply with strict data retention and erasure rules.
For fintech firms, this demands dual compliance with both the DPDP Act and RBI regulations.
The impact of these rules is differential across the various
Quick View on the timelines
Fintechs need to add more regulatory compliance muscle, all within an 18-month timeline.
Three years after Parliament passed the DPDP Act in 2023, financial institutions and fintechs now face concrete compliance requirements that fundamentally alter how they collect, process, and manage retail consumer data.
The rules set out a phased enforcement schedule.
November 2025: Governance provisions take effect immediately, with the setting up of the Data Protection Board.
November 2026: Registration deadline for Consent Managers.
May 2027: All businesses must fully comply with the critical operational obligations covering consent, security safeguards, breach notification, data retention, and grievance redressal.
The DPDP framework layers on top of Reserve Bank of India mandates for payment data localization, KYC retention requirements under the Prevention of Money Laundering Act (PMLA), and sector-specific outsourcing guidelines. This creates a unique complexity for financial services and fintech companies: institutions must navigate both general data protection principles and stringent financial sector regulations at the same time.
Operations after DPDP Implementation
| Compliance Area | Before DPDP Rules | After DPDP Rules |
|---|---|---|
| Consent Collection | Bundled terms and conditions with implied consent for multiple purposes | Each processing purpose requires separate, explicit consent in clear and plain language with an itemized data description |
| Consent Withdrawal | Limited withdrawal options buried in settings | Withdrawal mechanism must match the ease of giving consent, accessible through the same channels |
| Privacy Notices | Generic privacy policies covering all data types | Independent notices for each data category with specific purpose statements |
| Consent Management | One-time consent at onboarding | Dynamic consent management with real-time logging and non-tamperable audit trails |
| Data Security | General cybersecurity protocols based on the IT Act and RBI guidelines | Mandatory encryption, obfuscation, masking, or tokenization of personal data, with access controls and comprehensive logging |
| Breach Disclosure | Voluntary breach disclosure with no fixed timelines | Immediate notification to affected customers plus a 72-hour detailed report to the Data Protection Board |
| Breach Transparency | Internal incident response procedures | Public disclosure of breach nature, extent, timing, impact, mitigation measures, and contact information |
| Security Logs | Discretionary retention of security logs | Minimum one-year retention of logs and transaction data for investigation purposes |
| Data Retention | Indefinite data storage based on business needs | E-commerce platforms with 20 million+ users must erase data three years from the last interaction |
| Erasure Process | No systematic erasure processes | 48-hour notice required before erasure, with automated deletion workflows |
| Retention Override | Retention driven by internal policies | Legal mandates override erasure: PMLA requires 10-year KYC retention, RBI mandates indefinite payment data storage |
| Customer Requests | Customer requests handled case-by-case | Structured grievance redressal with a 90-day maximum response time for erasure and correction requests |
| Cross-Border Transfers | RBI payment data localization (2018) but ambiguous rules for other data types | Generally permitted to non-restricted countries, with the government retaining power to specify restrictions |
| Cloud Storage | Cloud storage decisions based on cost and performance | Payment system and core banking data must remain in India only, with RBI audit access mandatory |
| Significant Data Fiduciary | | |
| Data Localization | Vendor selection driven by technical capabilities | Significant Data Fiduciaries (SDFs) face additional localization for categories specified by a government committee |
| Privacy Assessments | No classification system for data handlers | SDFs face annual Data Protection Impact Assessments evaluating processing risks |
| Compliance Audits | Voluntary privacy audits | Mandatory independent audits with reports submitted to the Data Protection Board |
| Algorithm Governance | Algorithm deployment based on business objectives | Due diligence required to verify that AI-driven credit scoring, fraud detection, and profiling algorithms do not risk Data Principal rights |
| Algorithmic Accountability | Minimal algorithmic transparency | Algorithmic accountability provisions create liability for discriminatory or rights-violating automated decisions |
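The retention rows above describe a precedence order that an automated deletion workflow has to encode: PMLA and RBI mandates override DPDP erasure, the DPDP three-year rule only triggers past the 20-million-user threshold, and erasure is preceded by a 48-hour notice. The sketch below is an added illustration, not code from the article; the data category names, the "last interaction" input model and the 365-day year approximation are its own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Figures come from the table above; 365-day years are an approximation.
LARGE_PLATFORM_USERS = 20_000_000          # Third Schedule user threshold
DPDP_RETENTION = timedelta(days=3 * 365)   # erase three years after last interaction
ERASURE_NOTICE = timedelta(hours=48)       # notice to the Data Principal before erasure
# Sector mandates that override DPDP erasure (category names are assumed).
OVERRIDES = {
    "kyc": timedelta(days=10 * 365),       # PMLA: 10-year KYC retention
    "payment": None,                       # RBI: indefinite payment system data storage
}

@dataclass
class Decision:
    action: str                            # "retain", "no_statutory_deadline", "notify_then_erase"
    reason: str
    earliest_erasure: Optional[datetime]   # when erasure may happen, if a date applies

def retention_decision(category: str, last_interaction: datetime,
                       platform_users: int, now: datetime) -> Decision:
    """Apply the override-first precedence: sector mandate, then the
    DPDP three-year rule (large platforms only), then the 48-hour notice."""
    if category in OVERRIDES:
        mandate = OVERRIDES[category]
        if mandate is None:
            return Decision("retain", "RBI mandates indefinite payment data storage", None)
        mandate_end = last_interaction + mandate
        if now < mandate_end:
            return Decision("retain", "PMLA 10-year KYC retention in force", mandate_end)
    if platform_users < LARGE_PLATFORM_USERS:
        return Decision("no_statutory_deadline",
                        "below the 20 million user threshold; Third Schedule rule not triggered", None)
    due = last_interaction + DPDP_RETENTION
    if now < due:
        return Decision("retain", "within three years of last interaction", due)
    # Retention period elapsed: schedule erasure only after the 48-hour notice window.
    return Decision("notify_then_erase", "DPDP retention period elapsed", now + ERASURE_NOTICE)
```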
Impact Assessment

Every sector has regulator-specific nuances and exceptions as well.
Impact Assessment by Fintech Segment
Digital Payments and Wallets: Estimated Impact 9/10
Payments platforms face the highest operational impact. Per-transaction consent requirements create potential friction in payment flows. In addition, these players must also adhere to RBI's local-only storage mandate for payment system data. Breach notification timelines compress response windows, requiring automated incident detection systems. The scale factor matters: players crossing 20 million users trigger enhanced retention obligations under the Third Schedule.
Digital Lending and NBFCs: Estimated Impact 8/10
Lending platforms must redesign onboarding flows around itemized consent notices while reconciling DPDP erasure rights with PMLA's 10-year KYC retention mandate. The algorithmic accountability provision directly impacts AI-driven credit scoring models, requiring documentation that algorithms do not discriminate against Data Principals. The creditworthiness assessment exemption under Section 17 of the Act provides relief by permitting processing necessary for credit evaluation. Major players would also likely fall under the ambit of annual Data Protection Impact Assessment (DPIA) and audit obligations.
Wealth Management and Investments: Estimated Impact 7/10
Investment advisors and portfolio managers are net beneficiaries, as they have been leveraging the Account Aggregator (AA) ecosystem effectively to show a single portfolio view to their customers. They still need to map the three-year retention rule for platforms exceeding 20 million users against SEBI's record-keeping requirements for securities transactions, which calls for careful legal-basis mapping.
Insurtech: Estimated Impact 6/10
Insurance platforms face moderate impact. Policy underwriting benefits from legitimate use exceptions similar to credit assessment. Health data processing requires enhanced safeguards given sensitivity levels. Claims processing workflows need consent architecture allowing data sharing with hospitals, TPAs, and reinsurers while maintaining withdrawal mechanisms. The 90-day grievance resolution window aligns reasonably with existing IRDAI complaint handling timelines.
Neobanks and Banking-as-a-Service: Estimated Impact 8/10
BaaS platforms operating as Data Processors for partner banks face contractual obligations requiring explicit DPDP compliance clauses under Rule 6. The processor vs. fiduciary distinction creates shared responsibility, with both parties needing clear agreements on breach handling, consent records, and security measures. While RBI regulations on this matter are already quite strict, partners must layer DPDP requirements onto their existing stack to cover any additional requirements.