Compliance is not only a regulatory requirement but also a strategic opportunity to differentiate on trust, resilience, and customer empowerment in a highly competitive banking services landscape.

      The Digital Personal Data Protection (DPDP) Act, 2023, operationalised through the 2025 Rules, introduces a transformative framework for handling personal data in India. For banks and financial institutions, custodians of highly sensitive customer data such as KYC details, financial transactions, credit histories, and payment information, the implications are particularly significant.

      Banking operations rely heavily on digital onboarding, payments, credit appraisal, investments, profiling, personalised financial services, fraud detection, and similar data-driven activities. All of these products and services are directly affected by DPDP’s mandates on data minimisation, consent management, lawful processing, cross‑border transfers, and breach response obligations.

      Key highlights of the report

      • Transparent consent and privacy notices

        Banks must redesign digital onboarding (account opening, loans, credit cards, mobile banking) to capture explicit, unbundled consent with clear multilingual privacy notices, ensuring customers understand how their data will be used

      • Lawful processing of financial data

        Every use of personal data like offers, underwriting, fraud detection, etc. must be tied to a lawful ground of processing. Shadow or silent data processing is prohibited, requiring stricter governance in analytics

      • Data minimisation and retention discipline

        Banks must collect only the minimum necessary data, rationalise fields, and delete records once the purpose or statutory retention period ends

      • Customer rights and grievance redressal

        Customers gain enforceable rights to access, correct, erase, and withdraw consent. Banks must provide structured, time‑bound mechanisms across branches, mobile apps, and CRM systems, with seamless updates across interconnected platforms

      • Breach notification and third‑party accountability

        Breaches must be reported to the Data Protection Board and affected customers within 72 hours. Banks remain accountable for breaches by outsourced processors (fintech partners, payment gateways, cloud providers), making vendor risk management critical


      Sneak peek into the banking sector through a DPDPA lens

      Compliance evolves into a strategic edge, building trust, resilience, and customer empowerment in banking



      Key Contacts

      Akhilesh Tuteja

      Partner & National Leader, Clients and Markets

      KPMG in India

      Atul Gupta

      Partner and Head - Digital Trust and Cyber

      KPMG in India

      Sanjay Doshi

      Partner and Head, Transaction Services and Financial Services Advisory

      KPMG in India

      Nitin Shah

      Partner – Digital Trust, Head – Cyber Security, Resilience and Privacy Strategy & Governance

      KPMG in India

      Shikha Kamboj

      Partner, Digital Trust, National Leader, Data Privacy and Ethics

      KPMG in India
