
Draft Digital Personal Data Protection (DPDP) Rules 2025: What They Mean for NBFCs

January 10, 2025

Introduction

India’s data-protection landscape is changing, particularly where data privacy meets financial services. Non-Banking Financial Companies (NBFCs) and fintech firms are at the forefront of these changes, especially with the proposed Draft Digital Personal Data Protection (DPDP) Rules, 2025.
These rules aim to strengthen the protection of personal data and to make entities that handle sensitive financial information more accountable. Implementing them will require NBFCs to make significant operational adjustments: investing in data protection technology, training staff on compliance requirements, and updating policies to align with the new regulations.

Two definitions matter most for understanding how the rules affect NBFCs:
• Personal data: any data about an individual who is identifiable by or in relation to that data, such as a name, location, identification number, or details of the person's economic, cultural, social, or physical identity.
• Data commonly treated as sensitive: racial or ethnic origin, sexual orientation, biometric data, health data, and financial data. The DPDP Act, 2023 does not create a separate "sensitive personal data" category the way the earlier 2019 bill and the GDPR do; such data is protected as personal data, but the harm from its exposure is higher, so NBFCs should apply their strongest controls to it.

Why Financial Institutions Need to Pay Attention

The DPDP Act, 2023 classifies organizations such as NBFCs and other financial institutions as data fiduciaries and requires them to ensure the privacy and security of customer data. The draft rules are a step towards achieving this, laying out specific obligations for financial institutions. For NBFCs, compliance with these regulations will be crucial not only to avoid penalties but also to build trust with customers in an increasingly privacy-conscious world.

Key Provisions of the DPDP Draft Rules 2025:

1. Fiduciary Obligations

NBFCs are classified as data fiduciaries and are responsible for securing customer data. The draft rules require reasonable security safeguards, including encryption, obfuscation or masking (or the use of virtual tokens) for personal data, access controls on the systems that hold it, logging and monitoring of access so that breaches can be detected, and backups so that data can be restored after loss. Together these are meant to keep financial information safe in the digital era and to mitigate the risks of cyber threats and data breaches.
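Masking is the safeguard most often implemented badly, because identifiers leak through logs, support screens and exports rather than the primary database. The block below is an added illustration written for this article, not code from the draft rules or from any NBFC; it masks three identifier formats that are assumed here (a 10-character Indian PAN, a 10-digit mobile number starting with 6 to 9, and an 11 to 18 digit account number) before text reaches a log line or a screen, and returns full values only to an assumed "kyc_officer" role.

```python
"""Field-level masking for customer identifiers in logs and UI output.

Added illustration, not from the DPDP draft rules or any NBFC code base.
Identifier formats assumed: PAN as AAAAA9999A, 10-digit mobile starting 6-9,
account numbers of 11 to 18 digits (10-digit accounts would be ambiguous
with mobiles, so they are deliberately out of scope here).
"""
import re

# Constructed patterns for the assumed identifier formats. The digit
# look-arounds stop a long account number from being matched in pieces.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
MOBILE_RE = re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)")
ACCOUNT_RE = re.compile(r"(?<!\d)\d{11,18}(?!\d)")

# Assumed role name: the only role allowed to see unmasked values.
FULL_ACCESS_ROLES = {"kyc_officer"}


def mask_pan(pan: str) -> str:
    """Keep the first and last character: ABCDE1234F -> A********F."""
    return pan[0] + "*" * (len(pan) - 2) + pan[-1]


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Replace all but the last keep_last digits with '*'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def redact(text: str) -> str:
    """Mask every PAN, mobile and account number found in free text."""
    text = PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
    text = ACCOUNT_RE.sub(lambda m: mask_digits(m.group(0)), text)
    text = MOBILE_RE.sub(lambda m: mask_digits(m.group(0)), text)
    return text


def customer_view(record: dict, role: str) -> dict:
    """Return a copy of the record, masked unless the role has full access.

    Masking at the point of display means a support screen, an export and a
    log line all get the same treatment without each caller remembering to.
    """
    if role in FULL_ACCESS_ROLES:
        return dict(record)
    return {k: redact(str(v)) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample log line; none of these values are real.
    line = "Customer ABCDE1234F, mobile 9876543210, account 123456789012 requested a loan"
    print(redact(line))
    record = {"name": "Asha Rao", "pan": "ABCDE1234F", "mobile": "9876543210"}
    print(customer_view(record, "support"))
    print(customer_view(record, "kyc_officer"))
```

Masking is a display and logging control, not a substitute for encrypting the stored values or for restricting who can query them; the role check here only decides which view a caller gets, and the underlying store still needs its own access control.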

2. The Role of Consent Management

A key feature of the new rules is the consent management framework, which requires explicit, informed, and freely given consent from data principals (individuals) before their personal data is collected. Financial institutions must therefore provide a way for customers to give, modify, or withdraw consent. This shift places greater control in the hands of customers and is meant to ensure transparency and privacy.

To facilitate this, the draft rules provide for a consent manager: a person registered with the Data Protection Board of India who acts as a single point of contact enabling a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.

3. Significant Data Fiduciaries: Greater Responsibilities

NBFCs that process large volumes of sensitive data may be notified by the Central Government as Significant Data Fiduciaries, which carries additional obligations: an annual data protection impact assessment and audit, and greater transparency about how data is processed. The significant observations from these assessments and audits must be reported to the Board, including key findings on the organization's adherence to data protection requirements.

4. Cross-Border Data Transfers

The draft rules subject cross-border data transfers to restrictions that the Central Government may impose, so financial institutions must ensure that any personal data transferred outside India complies with Indian data protection law and any such restrictions. This provision is crucial for NBFCs that rely on international data processing, as it governs the security and privacy of personal information across borders.

5. Data Retention and Deletion Requirements

NBFCs must delete customer data once it is no longer needed for the purpose for which it was collected, unless they are legally required to retain it. Where the draft rules prescribe a retention period for a class of data fiduciaries, the fiduciary must also inform the data principal at least 48 hours before the data is erased, giving the customer an opportunity to act before the data is gone. This aligns with the principle of data minimization and strengthens customer control over their information.

6. Notification of Data Breaches

If a personal data breach occurs, NBFCs must inform each affected customer without delay and notify the Data Protection Board of India, first with an initial description of the breach and then with the full details within 72 hours of becoming aware of it. This requirement ensures that breaches are addressed quickly and transparently, minimizing harm to customers and reinforcing accountability in financial institutions.

Why NBFCs Should Embrace These Changes

While the new rules may present operational challenges, they also offer NBFCs an opportunity to differentiate themselves in the market. By demonstrating compliance and a commitment to data privacy, NBFCs can build stronger customer trust. In a competitive landscape where consumers are increasingly concerned about how their data is handled, adherence to these regulations can become a competitive advantage.

Conclusion: Looking Ahead

The Government of India has opened a public consultation period for the DPDP Draft Rules, 2025, until 18 February 2025. NBFCs and other stakeholders are encouraged to provide feedback. Once finalized, these rules will establish a new data protection framework for the financial sector, requiring NBFCs to enhance their data privacy measures and comply with stricter regulations.
For NBFCs, these new rules present both challenges and opportunities. While compliance will require significant investment in systems and processes, it also provides a chance to strengthen customer relationships and build trust. By taking proactive steps to align with these new regulations, NBFCs can not only safeguard customer data but also position themselves as leaders in privacy and security within the financial services industry.

Quant LegalTech India Pvt. Ltd
8th Floor, SN Towers, 25/2, MG Road, Bangalore - 01, Karnataka


Quant LegalTech Pte. Ltd
1 North Bridge Road, #08-08 High Street Centre Singapore 179094