
What Is the DPDP Act and How It Impacts Indian Fintech Companies

What is the DPDP Act?

The DPDP Act, or Digital Personal Data Protection Act, is India’s primary law that governs how personal data should be collected, stored, processed, and protected in digital form. It was passed in August 2023 to give Indian citizens clear rights over their personal information and to set defined responsibilities for businesses, including fintech companies, digital lenders, payment apps, and financial institutions.

Before the DPDP Act, India did not have a dedicated, modern data protection law that applied to digital personal data. Companies collected and used user information with limited accountability. The DPDP Act fills this gap by establishing a national framework that ensures transparency, consent-based data usage, stronger security controls, and significant penalties for misuse or data breaches.

In simple terms, the DPDP Act tells companies what they can and cannot do with a person’s digital data. It helps customers understand their rights and creates a compliance framework businesses must follow to operate responsibly within India’s digital ecosystem.

How the DPDP Bill 2023 Became the DPDP Act

The DPDP Bill 2023 was the final draft of India’s data protection framework before it was passed in Parliament. It was built on earlier drafts released in 2018, 2019, and 2021 and was designed to create a simpler and more practical privacy law for India’s digital environment. Once the Bill was approved by both Houses of Parliament in August 2023, it became the Digital Personal Data Protection Act 2023.

While the Act was passed in 2023, the detailed compliance rules were later finalised through the Digital Personal Data Protection Rules, 2025, notified by the Ministry of Electronics and IT (MeitY) in the Official Gazette in November 2025. These Rules include requirements for notices and consent, breach reporting, cross-border data transfers, data retention timelines, and obligations for significant data fiduciaries.

Because of these updates, the DPDP Bill 2023 is considered the legal foundation, while the DPDP Act 2023, together with the DPDP Rules 2025, now determines how businesses must comply. This two-step approach allows India to create a strong privacy law while giving companies time to adapt.

Key Features of the DPDP Act

The DPDP Act translates its objectives into specific obligations and rights. Some of the most important features are listed below.

1. Consent Is the Core Requirement

Organisations must take clear and specific consent before collecting personal data. The consent request should be easy to understand and must explain the purpose of data collection. People should also be able to withdraw consent at any time without difficulty.

2. Purpose-Limited Data Use

Businesses can only use personal data for the purpose they shared at the time of collection. If the purpose changes, they need new consent. This ensures that companies do not use or repurpose customer information in unexpected ways.
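The consent and purpose-limitation rules above can be enforced in code with a purpose-bound consent ledger. This is an added illustration written for this post, not code from any regulator or vendor; the purpose names ("kyc", "loan_servicing", "marketing") and the record layout are assumptions.

```python
"""Purpose-bound consent ledger for the DPDP consent rules described above.
Added example; purpose names and record layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    principal_id: str            # the data principal (customer)
    purposes: frozenset          # purposes stated in the notice at collection time
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only record of consents, one entry per grant.

    A grant covers exactly the purposes named in the notice the user saw;
    a new purpose needs a new grant, and withdrawal ends every purpose of
    that grant from the withdrawal time onwards.
    """

    def __init__(self) -> None:
        self._grants: list[Consent] = []

    def grant(self, principal_id: str, purposes, at: datetime) -> Consent:
        c = Consent(principal_id, frozenset(purposes), at)
        self._grants.append(c)
        return c

    def withdraw(self, principal_id: str, at: datetime) -> int:
        """Withdraw all active grants for a principal; returns how many were withdrawn."""
        n = 0
        for c in self._grants:
            if c.principal_id == principal_id and c.withdrawn_at is None:
                c.withdrawn_at = at
                n += 1
        return n

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """True only if a grant covering `purpose` was active at time `at`."""
        for c in self._grants:
            if c.principal_id != principal_id or purpose not in c.purposes:
                continue
            if c.granted_at <= at and (c.withdrawn_at is None or at < c.withdrawn_at):
                return True
        return False


def demo() -> dict:
    """Constructed scenario: consent taken at onboarding for KYC and loan servicing only."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("cust-001", {"kyc", "loan_servicing"}, t0)
    later = t0.replace(month=3)
    results = {
        "kyc_ok": ledger.may_process("cust-001", "kyc", later),
        # Marketing was never in the notice: a changed purpose needs new consent.
        "marketing_blocked": ledger.may_process("cust-001", "marketing", later),
    }
    ledger.grant("cust-001", {"marketing"}, later)
    results["marketing_after_new_consent"] = ledger.may_process("cust-001", "marketing", later)
    ledger.withdraw("cust-001", later.replace(month=6))
    results["after_withdrawal"] = ledger.may_process("cust-001", "kyc", later.replace(month=7))
    return results


if __name__ == "__main__":
    print(demo())
```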

3. Data Minimisation

Only the data necessary for providing a service should be collected. Fintech companies, for example, must collect only what is required for onboarding, KYC, risk checks, or transaction processing.

4. User Rights Over Personal Data

The DPDP Act gives individuals several rights, including the right to:

  • Access their personal data
  • Request corrections
  • Request deletion when data is no longer needed
  • File complaints if their data is misused

These rights empower users to control how their information is handled.

5. Obligations for Data Fiduciaries

A data fiduciary is any organisation that decides how personal data will be used. They must:

  • Maintain transparent privacy notices
  • Implement strong security safeguards
  • Ensure accurate and updated records
  • Delete data once it is no longer needed
  • Review vendor practices to ensure compliant handling of shared data

Fintech companies fall under data fiduciaries due to the sensitive information they process.

6. Stricter Rules for Significant Data Fiduciaries

Some businesses may be classified as Significant Data Fiduciaries based on factors like data volume, sensitivity, or risk. They will have additional responsibilities such as:

  • Appointing a Data Protection Officer
  • Conducting regular data audits
  • Carrying out risk assessments

Fintechs and large digital platforms often fall into this category.

7. Data Protection Board of India

The Act establishes the Data Protection Board of India, an authority that investigates complaints, adjudicates violations, and imposes penalties as the main enforcement body under the DPDP Act.

8. High Penalties for Violations

Serious violations can attract penalties of up to 250 crore per category of violation. Repeated or severe non-compliance can result in higher cumulative penalties. This makes data protection a critical focus for all digital businesses.

DPDP Rules 2025

The DPDP Rules 2025 complete the operational structure of the Digital Personal Data Protection Act 2023. These rules define how organisations in India must collect, store, process, transfer, and retain personal data. They formalise compliance expectations for all data fiduciaries and introduce clear timelines, sector-specific exemptions, and defined security standards. Together, the Act and the Rules mark a major shift in India’s digital regulatory ecosystem.

1. Phase-Wise Enforcement

The DPDP framework will be implemented in stages to give organisations sufficient time to adapt their processes and technology systems.

Phase I: Immediate Enforcement
Rules 1, 2, and 17 to 21 come into effect right away.
These rules cover the scope of the law, core definitions, and foundational procedural requirements.

Phase II: Effective After One Year
Rule 4, which defines notice and consent obligations, becomes enforceable after one year.
This gives companies enough time to redesign consent flows, update privacy notices, and create user-friendly consent withdrawal mechanisms.

Phase III: Effective After Eighteen Months
Rules 3, 5 to 16, 22, and 23 become effective in eighteen months.
These rules form the core of the compliance framework and include requirements related to lawful processing, user rights, retention, cross-border transfers, grievance redressal, and the responsibilities of Significant Data Fiduciaries.

The extended timeline allows organisations to complete technical upgrades and strengthen data governance.

2. Narrow Exemptions for Specific Institutions

The Fourth Schedule introduces limited exemptions for certain data fiduciaries when processing children’s data. These exemptions apply only for essential purposes and do not allow unrestricted use.

2.1 Healthcare Institutions

Clinical establishments and healthcare professionals may process children’s data only for essential health services or treatment support.

2.2 Educational Institutions and Childcare Organisations

Schools and childcare bodies may process personal data strictly for academic activities, administrative needs, or the safety and welfare of enrolled children. Any activity outside these essential purposes remains fully regulated.

3. Cross-Border Data Transfers

Personal data may be transferred outside India, subject to any restrictions or conditions that the Central Government may notify for specific countries or territories. Organisations must review whether their cloud providers, SaaS tools, analytics platforms, or cross-border partners are affected by these government notifications. Companies relying on international infrastructure must reassess their data storage and processing arrangements to ensure compliance.

4. Three-Year Retention Cap for Large Digital Platforms

Certain large platforms have a three-year retention limit from the user’s last interaction (or Rules commencement, whichever is later). This includes: e-commerce entities with not less than 2 crore registered users, social media intermediaries with not less than 2 crore registered users, and online gaming intermediaries with not less than 50 lakh registered users.

Even after older data is deleted, users must continue to have access to their accounts, stored value, and virtual tokens. This prevents long-term data storage while maintaining service continuity.
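The retention cap above has two edge cases worth getting right: the clock starts at the later of the last interaction and the Rules' commencement, and purging personal data must not remove account access, stored value or tokens. The following is an added example written for this post (not from any regulator or vendor); the thresholds follow the text, the commencement date is a placeholder, and the account layout is assumed.

```python
"""Retention-cap check for the large-platform rule described above.
Added example; RULES_COMMENCEMENT is a placeholder and Account is assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone

CRORE = 10_000_000
LAKH = 100_000

# Registered-user thresholds from the post, by platform category.
THRESHOLDS = {
    "e-commerce": 2 * CRORE,
    "social-media": 2 * CRORE,
    "online-gaming": 50 * LAKH,
}

# PLACEHOLDER: replace with the actual commencement date of the Rules.
RULES_COMMENCEMENT = datetime(2025, 11, 1, tzinfo=timezone.utc)


def cap_applies(platform_type: str, registered_users: int) -> bool:
    """True if the platform meets the 'not less than' threshold for its category."""
    threshold = THRESHOLDS.get(platform_type)
    return threshold is not None and registered_users >= threshold


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 Feb rolls to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due(last_interaction: datetime,
                 commencement: datetime = RULES_COMMENCEMENT) -> datetime:
    """Three years from the later of last interaction and Rules commencement."""
    return add_years(max(last_interaction, commencement), 3)


@dataclass
class Account:
    user_id: str
    last_interaction: datetime
    personal_data: dict          # profile, contact details, behavioural history
    stored_value: int = 0        # wallet balance (constructed units)
    virtual_tokens: int = 0
    purged: bool = False


def purge_if_due(acct: Account, now: datetime,
                 commencement: datetime = RULES_COMMENCEMENT) -> bool:
    """Erase personal data once the cap has run, keeping login, balance and tokens."""
    if acct.purged or now < deletion_due(acct.last_interaction, commencement):
        return False
    acct.personal_data = {}      # identity data goes; the account itself stays
    acct.purged = True
    return True


def demo() -> dict:
    """Constructed case: user inactive since before the Rules commenced."""
    inactive_since = RULES_COMMENCEMENT.replace(year=2023)
    due = deletion_due(inactive_since)               # clock starts at commencement
    acct = Account("u1", inactive_since, {"name": "A", "phone": "x"},
                   stored_value=500, virtual_tokens=3)
    too_early = purge_if_due(acct, add_years(RULES_COMMENCEMENT, 2))
    purged = purge_if_due(acct, due)
    return {"due_year": due.year, "too_early": too_early, "purged": purged,
            "data_left": len(acct.personal_data), "stored_value": acct.stored_value,
            "tokens": acct.virtual_tokens,
            "active_due_year": deletion_due(RULES_COMMENCEMENT.replace(year=2027)).year}
```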

5. Additional Responsibilities for Significant Data Fiduciaries

Significant Data Fiduciaries, identified based on data volume, risk, or sensitivity, have stronger compliance obligations. They must complete an annual Data Protection Impact Assessment and an annual independent audit. These reviews ensure deeper oversight of entities that process high-risk or large-scale data.

6. Mandatory Security Controls

The Rules require all organisations to implement essential technical and organisational safeguards. These include encryption or pseudonymisation of data, strict role-based access controls, continuous monitoring and logging of system activity, prompt detection of unauthorised access, and reliable backup mechanisms. These safeguards establish a baseline for secure data handling.

7. Defined Responsibilities for Consent Managers

Consent Managers must operate transparently and with accountability. They are required to maintain a primary app or website for users to manage consent, avoid subcontracting their core functions, operate as a data fiduciary themselves, implement strong security controls, and ensure that their leadership structure avoids conflicts of interest. This framework ensures reliable consent management across platforms.

Difference Between the DPDP Act and GDPR

The DPDP Act and the GDPR both aim to protect personal data, but they differ in scope, operational requirements, compliance burden, and enforcement approaches. The table below highlights the key differences.

| Parameter | DPDP Act (India) | GDPR (European Union) |
| --- | --- | --- |
| Purpose | Protects digital personal data while supporting India’s digital growth | Comprehensive data protection covering digital and non-digital data |
| Scope of Data | Applies only to digital personal data | Applies to both digital and manually processed personal data |
| Consent Requirement | Consent must be clear, specific, and easy to withdraw | Consent must be explicit, informed, and documented for most processing |
| Legal Grounds for Processing | Primarily consent and the legitimate uses defined in the Act | Multiple legal bases, including consent, contract, vital interests, legitimate interests, and public task |
| Data Fiduciary vs Data Controller | Uses the terms “Data Fiduciary” and “Data Processor” | Uses “Data Controller” and “Processor” |
| Children’s Data | Strict restrictions with age set at 18 for consent | Age varies between 13 and 16 across EU countries |
| Cross-Border Data Transfers | Allowed only to countries approved by the Central Government (whitelist model) | Transfers allowed with adequacy decisions, SCCs, or appropriate safeguards |
| User Rights | Access, correction, deletion, grievance redressal | Access, rectification, erasure, restriction, portability, objection |
| Data Retention | Must be deleted when the purpose is fulfilled; specific retention timelines for certain platforms | Must not be retained longer than necessary; retention is assessed case by case |
| Penalties | Up to INR 250 crore per violation category | Up to 4 percent of global annual turnover or EUR 20 million |
| Enforcement Authority | Data Protection Board of India | Data Protection Authorities in each EU member state |
| Compliance Burden | Designed to be simpler for Indian businesses and startups | More detailed and complex requirements for full compliance |
| Significant Entities | Significant Data Fiduciaries face additional obligations | Controllers processing high-risk data must conduct DPIAs |
| Non-Compliance Impact | High monetary penalties and service restrictions | Heavy fines, transfer bans, and operational compliance checks |

Who Must Follow the DPDP Act?

The DPDP Act applies broadly and covers any organisation that collects, stores, processes, or handles digital personal data related to individuals in India. This includes businesses of all sizes, government bodies, digital platforms, and foreign companies that offer services to Indian users. The scope is intentionally wide to ensure consistent data protection across India’s digital ecosystem.

1. All Indian Businesses Handling Personal Data

Any company operating in India that collects customer information must comply. This includes:

  • fintech companies
  • NBFCs and lenders
  • e-commerce platforms
  • SaaS and digital service providers
  • telecom operators
  • educational institutions
  • healthcare organisations

Whether the business is large or small, compliance is required if it processes digital personal data.

2. Startups and MSMEs

Startups and MSMEs are also covered under the Act. While they must follow the same basic principles of consent, security, deletion, and grievance handling, the compliance burden may vary based on:

  • Volume of data collected
  • Sensitivity of data
  • Risk associated with processing

This ensures that even smaller businesses handle personal data responsibly.

3. Government Departments and Public Sector Entities

Government bodies that collect digital personal data must follow the DPDP Act unless specific exemptions apply. The principles of transparency, lawful use, and secure storage apply to public sector organisations as well.

4. Foreign Companies Serving Indian Users

The Act applies to companies outside India if they:

  • offer goods or services to individuals in India
  • process personal data of Indian users

Global fintech apps, international SaaS platforms, gaming companies, cloud providers, and social media platforms must comply when handling data of Indian residents.

5. Significant Data Fiduciaries

Certain organisations may be classified as Significant Data Fiduciaries based on:

  • volume and sensitivity of data
  • risk to individuals
  • impact on national interests

These entities have additional obligations, which are detailed under the DPDP Rules.

Impact of the DPDP Act on Fintech Companies

Fintech companies manage some of the most sensitive personal and financial data in India, which puts them at the centre of DPDP compliance. The Act raises the expectations for how fintechs handle customer information and introduces obligations that directly influence product design, operations, partnerships, and long-term growth.

1. Higher Expectations for Data Governance

Fintechs must shift from broad, open-ended data collection to clearly defined, purpose-driven data handling. This requires structured internal policies, better documentation, and stronger oversight of how personal data flows through systems.

2. More Transparent User Journeys

Onboarding, KYC, lending journeys, and payment flows must now include simple, visible consent interactions. Clear notices and easy withdrawal options will become central to user experience and trust-building.

3. Stronger Security and Operational Discipline

Since fintechs process bank details, identity information, and transaction history, the Act demands stronger technical and operational safeguards. Robust monitoring, faster detection of unauthorised access, and well-defined internal controls become essential to avoid penalties and reputational damage.

4. Stricter Vendor and Partner Accountability

Fintech ecosystems rely heavily on third parties such as banking partners, KYC providers, cloud platforms, and analytics tools. The Act makes fintech companies responsible for how these partners handle shared data. Vendor contracts, audits, and due diligence processes must be tightened accordingly.

5. New Responsibilities for Large and High-Risk Fintechs

Fintechs that process large volumes of sensitive data may be classified as Significant Data Fiduciaries. These organisations must follow heightened compliance expectations, including annual audits, risk assessments, and stronger governance oversight.

6. Increased Financial and Reputational Risk

Penalties up to 250 crore per violation category make non-compliance a serious operational threat. A privacy incident can also weaken partnerships with banks, payment networks, and regulators, affecting product approvals and market expansion.

7. Stronger Market Advantage for Compliant Fintechs

Fintechs that adopt DPDP-aligned practices early can use privacy as a competitive differentiator. Transparent data handling improves customer trust, strengthens relationships with banks and enterprises, and supports global expansion where privacy standards matter.

Compliance Checklist for Fintechs and Businesses

Fintech companies and digital businesses must follow a structured approach to meet the requirements of the DPDP Act and DPDP Rules 2025. This checklist outlines the essential actions needed to build a compliant, secure, and transparent data-handling environment.

1. Map All Personal Data Flows

Document every point where personal data is captured, generated, stored, or shared. This includes:

  • mobile apps
  • onboarding flows
  • APIs
  • third-party integrations
  • customer support systems
  • internal databases

A complete data inventory is the foundation for identifying compliance gaps.

2. Apply Data Minimisation Across All Processes

Ensure each data field collected has a clear, justified purpose. Remove any non-essential fields from:

  • onboarding forms
  • payment journeys
  • KYC processes
  • marketing workflows

Minimising data reduces risk and simplifies compliance.

3. Redesign Consent and Privacy Notices

Create consent flows that are:

  • simple
  • purpose-specific
  • easy to withdraw

Update privacy notices to match the DPDP Rules 2025 requirements and ensure users understand why their data is collected and how it will be used.

4. Implement Mandatory Security Controls

Adopt the technical and organisational safeguards required under the Rules, including:

  • encryption or pseudonymisation
  • strict access controls
  • continuous logging and monitoring
  • breach detection mechanisms
  • regular security reviews
  • dependable backup systems

These protections reduce the risk of unauthorised access or data exposure.

5. Establish Data Retention and Deletion Frameworks

Define clear retention timelines for each category of personal data. Ensure that:

  • Data is deleted when no longer required
  • Deletion workflows are automated where possible
  • Three-year caps for large digital platforms are followed

This prevents unnecessary accumulation of sensitive information.

6. Set Up a Structured Breach Response Plan

Create a documented plan that outlines:

  • How incidents are detected
  • Who responds internally
  • How and when to notify affected users
  • How to report to the Data Protection Board

A clear process ensures timely action and reduces regulatory penalties.

7. Review and Strengthen Vendor Management

Audit all third-party partners involved in:

  • KYC
  • payments
  • cloud hosting
  • analytics
  • customer engagement

Update contracts to reflect DPDP obligations and ensure vendors meet required security and privacy standards. Businesses remain accountable for data processed by partners.

8. Build Processes for User Rights Requests

Set up internal systems that allow users to:

  • access their data
  • request corrections
  • request deletion
  • submit grievances

Response timelines should be documented and monitored to ensure consistency.

9. Assess Whether You Qualify as a Significant Data Fiduciary

Determine if your organisation meets the criteria for SDF classification based on:

  • volume of data processed
  • sensitivity of data
  • risk to individuals or national interests

If classified as an SDF, implement the required measures such as:

  • annual independent audits
  • Data Protection Impact Assessments
  • appointment of a Data Protection Officer

10. Train Employees on Data Protection Practices

Conduct regular training for teams handling personal data. Cover:

  • secure data-handling methods
  • consent and privacy requirements
  • incident escalation procedures
  • responsible data-sharing practices

Human awareness is essential for preventing operational risks.

Conclusion

India’s Digital Personal Data Protection Act marks a fundamental shift in how personal data must be collected, processed, and protected across the digital ecosystem. For fintech companies, payment apps, digital lenders, SaaS providers, and every business handling customer information, the DPDP Act and DPDP Rules 2025 establish a clear framework for privacy, accountability, and security.

The law is not designed to slow innovation. Instead, it encourages responsible digital growth by giving users more control over their information and ensuring companies follow transparent and secure data practices. Businesses that adapt early will have a strong advantage—greater customer trust, smoother regulatory relationships, and improved readiness for global markets where privacy is now a baseline expectation.

The DPDP Act is more than a compliance requirement. It is a long-term opportunity for digital businesses to strengthen trust, reduce risk, and build resilient systems that support sustainable growth in India’s fast-evolving fintech and digital economy.

FAQs

1. What is the full form of DPDP?
DPDP stands for Digital Personal Data Protection Act, 2023 (DPDP Act). It refers to India’s primary law that governs how digital personal data should be collected, processed, stored, and protected.

2. What is the DPDP Act 2023?
The DPDP Act 2023 is India’s data protection law that gives individuals rights over their personal information and sets defined obligations for businesses handling that data. It covers consent, data minimisation, user rights, security requirements, and penalties for violations.

3. What are DPDP Rules 2025?
The DPDP Rules 2025 outline the operational and procedural requirements needed to implement the Act. They include timelines for enforcement, rules for consent, retention, cross-border data transfers, breach reporting, and obligations for Significant Data Fiduciaries.

4. Who has to comply with the DPDP Act?
All businesses, government bodies, digital platforms, startups, MSMEs, and foreign companies offering services to individuals in India must comply with the DPDP Act if they process digital personal data.

5. What are Significant Data Fiduciaries?
Significant Data Fiduciaries are organisations that process large volumes of sensitive or high-risk data. They have additional obligations such as annual audits, risk assessments, and appointing a Data Protection Officer.

6. What happens if a company does not comply with the DPDP Act?
Non-compliance can lead to penalties of up to 250 crore per violation category, along with reputational damage and operational restrictions.
