Compliance is not only a regulatory requirement but also a strategic opportunity to differentiate on trust, resilience, and customer empowerment in a highly competitive banking services landscape.

      The Digital Personal Data Protection (DPDP) Act, 2023, operationalised through the 2025 Rules, introduces a transformative framework for handling personal data in India. For banks and financial institutions, custodians of highly sensitive customer data such as KYC details, financial transactions, credit histories, and payment information, the implications are particularly significant.

      Banking operations rely heavily on digital onboarding, payments, credit appraisal, investments, profiling, personalised financial services, fraud detection, and more. All of these products and services are directly affected by the DPDP mandates on data minimisation, consent management, lawful processing, cross‑border transfers, and breach response obligations.

      Key highlights of the report

      • Transparent consent and privacy notices

        Banks must redesign digital onboarding (account opening, loans, credit cards, mobile banking) to capture explicit, unbundled consent with clear multilingual privacy notices, ensuring customers understand how their data will be used

      • Lawful processing of financial data

        Every use of personal data, such as offers, underwriting, and fraud detection, must be tied to a lawful ground of processing. Shadow or silent data processing is prohibited, requiring stricter governance in analytics

      • Data minimisation and retention discipline

        Banks must collect only the minimum necessary data, rationalise fields, and delete records once the purpose or statutory retention period ends

      • Customer rights and grievance redressal

        Customers gain enforceable rights to access, correct, and erase their data, and to withdraw consent. Banks must provide structured, time‑bound mechanisms across branches, mobile apps, and CRM systems, with seamless updates across interconnected platforms

      • Breach notification and third‑party accountability

        Breaches must be reported to the Data Protection Board and affected customers within 72 hours. Banks remain accountable for breaches by outsourced processors (fintech partners, payment gateways, cloud providers), making vendor risk management critical


      Sneak-peek into banking sector through DPDPA lens

      Compliance evolves into a strategic edge, building trust, resilience, and customer empowerment in banking


      Key Contacts

      Akhilesh Tuteja

      Partner & National Leader, Clients and Markets

      KPMG in India

      Atul Gupta

      Partner and Head - Digital Trust and Cyber

      KPMG in India

      Sanjay Doshi

      Partner and Head, Transaction Services and Financial Services Advisory

      KPMG in India

      Nitin Shah

      Partner – Digital Trust, Head – Cyber Security, Resilience and Privacy Strategy & Governance

      KPMG in India

      Shikha Kamboj

      Partner, Digital Trust, National Leader, Data Privacy and Ethics

      KPMG in India
