Express Computer

From policy to practice: DPDP execution through a DPO’s lens


For many BFSI organisations, India’s Digital Personal Data Protection (DPDP) Act has triggered a familiar compliance reflex: draft a policy, get board sign-off, and tick the regulatory box. But according to Dipanjan Dey, Data Protection Officer at HDB Financial Services, that is precisely where the real risks begin.

“The policy is only a paper document,” Dey says. “The real challenge starts when organisations cannot answer the most basic questions a data principal may ask—what data do you hold about me, why do you hold it, who has access to it, and how long will you retain it?”

DPDP’s real shift: From intent to execution

While DPDP draws inspiration from global privacy frameworks such as GDPR, Dey points out that it is fundamentally different in scope and intent. Unlike GDPR, which covers both digital and non-digital personal data, DPDP focuses exclusively on digital personal data and places the full burden of compliance on the data fiduciary.

At its core, the law is not about documentation, but about building an operational framework for responsible data use—one that embeds consent, purpose limitation, access control, disclosure governance, and finite retention into everyday business processes.

“The first cracks appear when organisations don’t know what data they actually hold,” Dey explains. “Without visibility into data lineage—how data flows across systems, teams, vendors, and time—it becomes nearly impossible to comply.”

As the 2027 compliance deadline approaches, organisations that have not invested in comprehensive data discovery and mapping are likely to struggle the most.
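The four questions quoted above (what data is held, why, who has access, for how long) are only answerable if each processing activity is recorded with those attributes and checked against them. The following is an added illustration, not code from the article or from HDB Financial Services: a minimal records-of-processing inventory with checks for purpose limitation, finite retention and defined access, plus a function that produces the answers a data principal would receive. All datasets, roles, dates and the fixed "today" are constructed sample values.

```python
"""Added illustration: a minimal records-of-processing inventory that can
answer a data principal's questions and flag DPDP-style gaps.
Every dataset, role and date below is a constructed sample value."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingRecord:
    dataset: str
    data_elements: tuple      # what is held
    purpose: str              # why it is held
    lawful_basis: str         # "consent" or "employment" (sample values)
    access_roles: tuple       # who may access it
    retention_days: int       # how long it is kept (0 = undefined)
    collected_on: date
    consent_purposes: tuple = ()   # purposes the principal actually agreed to


def check_record(rec: ProcessingRecord, today: date) -> list:
    """Return human-readable findings for one processing record."""
    findings = []
    if not rec.purpose:
        findings.append(f"{rec.dataset}: no stated purpose")
    # Purpose limitation: consent-based processing must match a consented purpose.
    if rec.lawful_basis == "consent" and rec.purpose not in rec.consent_purposes:
        findings.append(f"{rec.dataset}: purpose '{rec.purpose}' not covered by consent")
    # Finite retention: a period must exist and must not have lapsed.
    if rec.retention_days <= 0:
        findings.append(f"{rec.dataset}: no finite retention period")
    elif today > rec.collected_on + timedelta(days=rec.retention_days):
        findings.append(f"{rec.dataset}: retention period expired, erase or re-justify")
    if not rec.access_roles:
        findings.append(f"{rec.dataset}: no access roles defined")
    return findings


def validate_inventory(records, today: date) -> list:
    """Run check_record over the whole inventory and collect findings."""
    out = []
    for rec in records:
        out.extend(check_record(rec, today))
    return out


def answer_data_principal(records) -> list:
    """The plain answers a data principal is entitled to, one entry per dataset."""
    return [
        {"what": list(r.data_elements), "why": r.purpose,
         "who": list(r.access_roles), "how_long_days": r.retention_days}
        for r in records
    ]


# Constructed sample inventory: one clean record and two with typical gaps.
SAMPLE_INVENTORY = [
    ProcessingRecord("kyc_core", ("pan", "address"), "loan underwriting", "consent",
                     ("credit-ops",), 3650, date(2024, 1, 10),
                     consent_purposes=("loan underwriting", "servicing")),
    ProcessingRecord("marketing_extract", ("email", "phone"), "marketing", "consent",
                     ("growth-team",), 0, date(2024, 3, 1),
                     consent_purposes=("loan underwriting",)),
    ProcessingRecord("benefits_vendor_feed", ("name", "email", "employee_id"),
                     "employee benefits", "employment", (), 30, date(2024, 1, 1)),
]
FIXED_TODAY = date(2025, 6, 1)   # pinned so the run is reproducible


def sample_findings() -> list:
    return validate_inventory(SAMPLE_INVENTORY, FIXED_TODAY)


if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
    for answer in answer_data_principal(SAMPLE_INVENTORY):
        print(answer)
```

Run as-is and the clean KYC record produces no findings, while the marketing extract is flagged for a purpose the principal never consented to and for an undefined retention period, and the vendor feed for lapsed retention and undefined access. The point is that the inventory, not the policy document, is what lets the organisation answer the principal's questions.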

Where day-to-day workflows quietly break privacy principles

Privacy failures, Dey argues, rarely stem from malicious intent. More often, they emerge from routine operational decisions that overlook DPDP principles such as data minimisation and consent.

He cites a common HR scenario: sharing employee data with a third-party vendor offering lifestyle or travel benefits. While the intent may be benign, the execution often isn’t.

“Providing employee benefits is not always part of the ‘course of employment’ under DPDP,” Dey explains. “That means you cannot automatically rely on employment consent to share personal data with a third party.”

The compliant alternative? Let employees self-register with the vendor using a company-issued coupon code, instead of pushing identifiable employee data outside the organisation. The result is reduced data exposure, stronger consent integrity, and tighter control—without compromising employee experience.
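The coupon-code pattern works because the vendor only ever sees an opaque code, while the link between code and employee stays inside the organisation. The following is an added illustration of that pattern, not code from the article or from any named organisation: the employer derives one code per employee with a keyed HMAC, hands the vendor only the set of valid codes, and keeps the code-to-employee mapping internally. The employee identifiers and the key are constructed sample values.

```python
"""Added illustration of the self-registration coupon pattern: the vendor
receives opaque, single-use codes and no employee identifiers.
Employee IDs and the signing key below are constructed sample values."""
import hashlib
import hmac

# Sample key held only by the employer (in practice: a managed secret, never shared).
EMPLOYER_KEY = b"constructed-sample-key-not-for-production"


def derive_code(employee_id: str, key: bytes = EMPLOYER_KEY) -> str:
    """Opaque code for one employee: keyed hash, truncated, uppercase for readability."""
    digest = hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()
    return digest[:12].upper()


def issue_coupons(employee_ids):
    """Return (vendor_codes, internal_map).

    vendor_codes: what leaves the organisation; a set of codes, nothing else.
    internal_map: code -> employee_id, retained only by the employer.
    """
    internal_map = {derive_code(eid): eid for eid in employee_ids}
    vendor_codes = {code: False for code in internal_map}   # False = not yet redeemed
    return vendor_codes, internal_map


def vendor_redeem(code: str, vendor_codes: dict) -> bool:
    """Vendor-side check: accept a code once, reject unknown or reused codes."""
    if vendor_codes.get(code) is False:
        vendor_codes[code] = True
        return True
    return False


def vendor_sees_identifiers(vendor_codes: dict, employee_ids) -> bool:
    """Sanity check: no employee identifier appears in what the vendor receives."""
    blob = " ".join(vendor_codes)
    return any(eid in blob for eid in employee_ids)


SAMPLE_EMPLOYEES = ["E1001", "E1002", "E1003"]   # constructed identifiers

if __name__ == "__main__":
    codes, mapping = issue_coupons(SAMPLE_EMPLOYEES)
    print("vendor receives:", sorted(codes))
    print("leaks identifiers:", vendor_sees_identifiers(codes, SAMPLE_EMPLOYEES))
    first = next(iter(codes))
    print("first redeem:", vendor_redeem(first, codes), "second:", vendor_redeem(first, codes))
```

Because the code is derived from a secret the vendor does not hold, the vendor cannot work backwards to an employee, and because each code is accepted once, a leaked code cannot be replayed. If an employee later withdraws, the employer simply removes the mapping entry; no personal data at the vendor needs to be erased because none was shared.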

The DPO as a ‘mini-regulator’

One of DPDP’s most significant implications for BFSI firms is the expanded role of the Data Protection Officer. Unlike CIOs, CISOs, or CROs—roles that evolved from business necessity—the DPO role is mandated directly by law.

“The DPO acts as a bridge between data principals, the organisation, and the regulator,” Dey says. “In many ways, the DPO functions as a mini-regulator within the enterprise.”

This requires a rare blend of legal understanding, technological fluency, risk assessment capability, and programme management. From overseeing data protection impact assessments and records of processing activities to interrogating business use cases and flagging non-compliant practices, the DPO’s remit is both broad and deeply operational.

Crucially, Dey emphasises that privacy cannot be fully outsourced—neither to legal advisors nor to technology platforms. Tools can enable compliance, but accountability must remain internal.

Privacy by design: A trust accelerator, not a brake

A persistent fear among businesses is that DPDP will slow innovation. Dey strongly disagrees.

“Privacy does not kill business,” he says. “In many markets, privacy has become a product differentiator.”

In BFSI, where trust is the foundation of customer relationships, privacy by design can actually accelerate adoption. Clear consent mechanisms, transparent data use disclosures, and easy-to-use preference centres reduce friction and confusion for customers.

“When customers know exactly what data they are sharing and how easily they can revoke consent, trust is built by default,” Dey notes. “That trust makes interactions faster, not slower.”

Vendor risk: The weakest link in DPDP compliance

For NBFCs and other BFSI players reliant on fintech partners, IT providers, and collection agencies, third-party risk remains one of the most under-addressed DPDP challenges.

Unlike GDPR, DPDP places almost all liability on the data fiduciary, even when a breach originates at the processor level. This makes traditional confidentiality clauses woefully insufficient.

“Contracts must clearly define who is the fiduciary, who is the processor, and what each party’s obligations are,” Dey warns. “You need clarity on breach response timelines, data retention, sub-processing, and support for data principal rights.”

Without contractual precision and end-to-end visibility into vendor and sub-vendor data flows, organisations risk losing control of personal data the moment it leaves their systems.

From compliance to trust-led growth

Indian BFSI firms are not starting from zero. Many banks already operate under GDPR and CCPA frameworks due to their global presence, while domestic regulators such as RBI, SEBI, and IRDAI have long emphasised consent and customer transparency.

The visible signs are already there—cookie preference centres, structured privacy notices, and consent disclosures embedded into digital journeys.

“These may seem like small steps, but they signal a shift towards transparency that customers notice,” says Dey.

The goal, he argues, is not to market privacy aggressively, but to ensure that every individual who interacts with a BFSI platform—customer or not—has their personal data protected by default.

The practitioner’s lesson: Culture over checklists

Reflecting on over seven years in data protection, Dey’s biggest learning is that DPDP compliance cannot be achieved through one-off projects or consultant-led exercises.

“This law is about building privacy governance,” he concludes. “You need a culture that operates every day, not just during audits.”

With DPDP introducing uniquely Indian constructs—such as consent managers and penalties for data principals—the learning curve will continue. Organisations that invest early in governance, visibility, and accountability will not just comply with the law—they will earn trust in a data-driven economy where trust is the ultimate currency.
