
GDPR vs DPDP & what it means to BFSI

By Dr. Sivaramakrishnan R Guruvayur, a renowned AI researcher and certified data privacy professional. He is a founder of Aaquarians.ai and Research Lead at the Center for Responsible AI (CeRAI), IITM.

The recently enacted Digital Personal Data Protection Act, 2023, of India, has cast itself as a game-changing framework for addressing the privacy and data protection needs of a rapidly digitizing nation. It draws inspiration from global standards like the European Union’s General Data Protection Regulation while trying to balance India’s unique socio-economic and technological context with the promotion of innovation.

GDPR and the DPDP Act share a common purpose but diverge significantly in structure, scope, and operationalization. These differences matter most in the banking, finance, and fintech sectors, where immense volumes of sensitive personal data are processed. Here is a detailed comparative analysis of GDPR and DPDP and its implications for the BFSI sector.

Scope & Applicability

GDPR is relevant to banking, finance, and fintech entities because they are data-intensive and process personal and sensitive personal data, such as financial records, payment information, and credit history. It applies both to organizations based in the EU and to non-EU organizations offering goods/services to EU residents or monitoring their behavior.

It also requires compliance for cross-border services like international remittances, global banking systems, and EU citizen financial transactions. Global banking and fintech organizations must align local processing systems with GDPR’s high compliance standards and perform data audits for EU customers.

The DPDP Act applies to digital personal data processed within India or in connection with offering goods/services in India. Indian banks, NBFCs, and fintech companies are ‘data fiduciaries,’ and the major ones will be treated as Significant Data Fiduciaries (SDFs). The Act is domestic-centric, with some extraterritorial applicability to businesses that target Indian residents.

Data Categories & Sensitivity

GDPR imposes high-level security requirements for sensitive data to avoid data breaches, including credit card fraud and identity theft. It also requires a privacy impact assessment (PIA) for processing operations such as a system for automated loan approval or credit-risk profiling.

Unlike GDPR, the DPDP Act has no category of sensitive data and does not distinguish between personal data and sensitive personal data. However, for banking and fintech, children’s data and specific types of financial data may indirectly be subject to higher standards.

Indian regulators, such as RBI, will most likely issue sector-specific guidelines to fill the gap in data categorization, in the manner of the Payment Data Storage rules, 2018.

Grounds for Data Processing

GDPR allows data processing on any one of six lawful bases:

  • Consent (explicit and revocable)
  • Performance of a contract (e.g., loan applications)
  • Legal obligation (e.g., tax compliance)
  • Vital interest (e.g., fraud prevention)
  • Public interest (e.g., AML compliance)
  • Legitimate interest (e.g., customer profiling, marketing)

DPDP relies heavily on explicit consent as the primary basis for data processing, except for certain legitimate uses, such as Aadhaar-based subsidies, legal compliance (such as KYC verification), and emergencies such as fraud or a cyber-attack. Indian fintech organizations will therefore need an efficient consent management system for collecting, monitoring, and managing consent for digital lending services offered through applications.

Data Subject Rights

GDPR provides wide-ranging rights that are significant for banking/finance customers, including:

  • Right to access: Customers can view loan history, payment records, or credit reports.
  • Right to rectification: Incorrect banking details or credit history must be corrected.
  • Right to erasure (right to be forgotten): Customers can request deletion of transaction data (except where legally required).
  • Right to data portability: Customers can switch financial service providers while retaining their data.
  • Right to object: Users can object to profiling for automated loan approvals or targeted financial ads.

DPDP offers limited rights:

  • Right to access and information: Customers can view personal data collected and its purpose.
  • Right to correction and erasure: Similar to GDPR but narrower in scope.
  • Right to grievance redressal: Customers can approach the Data Protection Board of India (DPBI) in case of disputes.

While GDPR’s portability right enables easy switching between financial institutions, DPDP lacks such a provision, potentially limiting customer autonomy. Indian companies need to establish effective grievance mechanisms to meet the redressal requirement.

Cross-Border Transfers

GDPR allows cross-border transfers to countries offering adequate protection or under mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Multinational banks and fintechs, such as PayPal and Visa, carry a high compliance burden when transferring EU customer data to their offshore processing centers.

DPDP introduces a whitelisting mechanism whereby data transfers are permitted only to countries notified by the government. The Act itself imposes no data localization requirement; however, RBI regulations do require localization for specific segments of activity, for instance payment systems. Indian banks and fintechs that rely on cross-border data processing will remain in ambiguity until the whitelist of countries is declared. This may lead to increased operational cost due to local data storage requirements.

Non-Compliance Penalties

GDPR imposes fines of up to €20 million or 4% of global annual turnover, whichever is higher. For banking/finance, non-compliance also brings reputational loss and operational disruption. DPDP imposes fines of up to Rs250 crores (~$30 million) for specified non-compliances such as a data breach or failure to meet consent requirements. Sectoral regulators (like RBI) may impose further penalties, so Indian banks and fintechs may be liable for concurrent penalties under DPDP and under RBI rules for the same non-compliance.

Laxer penalties than under GDPR may reduce the urgency for compliance.

Opportunities

1. Smooth Data Governance: The Act provides a proper regulatory framework for the handling of personal data by financial institutions and fintech firms, enabling better compliance and governance.

2. Customer Trust and Global Alignment: DPDP compliance increases customer trust, a crucial factor in banking and finance. It also aligns Indian organizations more closely with international standards like GDPR, making cross-border financial transactions and partnerships easier.

3. Support for AI and Fintech Innovation: Implied consent under the Act, for instance, allows flexibility, enabling the development of AI-driven solutions in credit scoring, fraud detection, and personalized financial services.

Challenges

1. Cost of Compliance: Banking and fintech companies will have to invest heavily in compliance mechanisms such as technology upgrades, audits, and employee training, a burden felt most acutely by startups.

2. Ambiguity in Guidelines: Unlike GDPR, the DPDP Act does not yet come with an explicit set of operational guidelines, which may make it cumbersome for highly regulated sectors like finance to interpret and adhere to the norms properly.

3. Risk of Penalties: Penalties as heavy as Rs2.5 billion demand that financial institutions adopt stringent data protection measures in order to avoid severe financial and reputational loss.

Priorities for BFSI

1. Perform data mapping and audits to identify and secure sensitive customer information, including KYC data, transaction history, and credit scores.

2. Implement consent management systems to fulfill the Act’s requirements for obtaining and managing customer consent.

3. Enhance data security with advanced encryption, pseudonymization, and periodic security audits.

4. Train employees on data protection best practices, with a special emphasis on handling sensitive financial information.

5. Develop vendor management procedures that guarantee third-party compliance with DPDP requirements, especially when outsourcing financial services.

Conclusion

The DPDP Act is less stringent than GDPR in several respects, offering Indian companies a comparatively business-friendly regulatory framework. At the same time, it introduces much-needed governance over personal data processing, aligning India with global trends in data privacy. The Act gives banks, financial institutions, and fintech organizations a good opportunity to build consumer trust, adopt global best practices, and foster responsible innovation.

Realizing that opportunity will require careful implementation and alignment with evolving global standards. If the privacy issues are handled effectively, DPDP will position India’s financial sector in the vanguard of AI-driven and data-driven innovation globally.
