The 2023 passage of the Digital Personal Data Protection (DPDP) Act will change the financial sector’s landscape. This legislation is poised to recalibrate accepted conventions in four crucial areas. Consent architecture presents a substantial challenge for financial institutions. These institutions must now furnish customers with comprehensive notices requesting consent for processing personal data.
These notices need to encompass data specifics, consumer rights under the Act, contact information, and the process for filing complaints with the Data Protection Board. It’s worth noting that these notices must be provided in legally recognized Indian languages. Consequently, establishing the technological capacity to track notices, consents, and consumer responses becomes crucial.
Moreover, financial institutions are obligated to use personal data solely for the explicit purposes stated in the granted consent. The Act strongly emphasizes that financial data collected for one purpose must not be improperly used to bolster unrelated marketing endeavors. Additionally, the consent framework empowers consumers to revoke their consent for personal data processing at any time.
Another significant implication pertains to cross-border data sharing. In contrast to its initial version, the DPDP Act now adopts a more moderate stance. It restricts the export of personal data beyond India to nations designated by the government. Furthermore, the Act defers to other regulations that demand higher levels of protection, allowing for additional safety measures to be implemented.
The classification of banks and financial institutions as key data fiduciaries may depend on factors such as data volume, sensitivity, and potential risks tied to the data. This classification brings additional responsibilities, including appointing resident data protection officers, conducting frequent data protection impact assessments, and undergoing regular audits. The industry is keenly anticipating how this authority will be exercised, given the somewhat arbitrary and broad certification standards.