Large banks to invest over ₹5 cr in preparation for DPDP compliance: Protiviti report

The report also showed that 37 per cent of high-revenue organisations and 4 per cent of low-revenue organisations across sectors allocated over ₹5 crore in investments
Banks with a revenue over ₹1,000 crore plan to budget an investment over ₹5 crore for their privacy program in preparation for the Digital Personal Data Protection Act (DPDPA), 2023, said Protiviti in its ‘Navigating DPDPA in Banking’ report.
“We had done a survey which was sector agnostic, but highly represented by the banking sector. What we observed is that, of the larger setups, a fairly decent chunk seems to have budget of over ₹5 crore but when it comes to smaller setups, the budgeting inverses because a lot of technology-related investment is coming into play,” said Vaibhav Koul, Managing Director at Protiviti.
The report also showed that 37 per cent of high-revenue organisations and 4 per cent of low-revenue organisations across sectors allocated over ₹5 crore in investments, while 5 per cent of high-revenue and 26 per cent of low-revenue organisations have no budget allocated. Koul estimated that the banking sector would mirror these figures, as some companies are still working on their own internal technologies.
DPDP categories work in banks’ favour
In the banking environment, personal data is processed on a network of core banking solutions, fintech collaborations, outsourced partners and digital service providers. In this regard, the DPDP Act’s distinctions between data fiduciaries, data processors and consent managers become relevant.
The report noted that outsourced vendors providing specialised services such as digital banking platforms, KYC verification and fraud detection are defined as Data Processors under the DPDPA, which process data on behalf of data fiduciaries (banks). While banks remain responsible for ensuring processors comply with privacy and security, the law puts additional responsibility on data processors.
“This accountability should be mandated through contractual agreements (such as Data Processing Agreements as part of Master Service Agreement), audits and continuous oversight of the processor’s activities,” said the report.
Further, a consent manager, a distinct role introduced under the DPDP Act that manages user consent as an independent entity, simplifies compliance for banks and their partners.
“The true measure of this operating model is how well these concepts and frameworks are executed in real world banking operations. From customer onboarding to third-party data sharing, there are many touchpoints for banks with which compliance and customer experience must harmonise,” said the report.
Children’s data a hurdle
From a consent standpoint, banks will require more clarity regarding processing of children’s data, said Koul.
“Right now, with this Act, information related to the child requires additional approval from the parent. From an account creation standpoint, it may not change anything but it creates an additional burden on banks to ensure this consent,” said Koul.
Published on June 6, 2025