The Digital Personal Data Protection Act 2023 (DPDPA) has become a central topic in global technology and regulatory discussions. Organizations across sectors, especially Banking, Financial Services, and Insurance (BFSI)are actively discussing compliance strategies, frameworks, and implementation roadmaps.
While several consulting firms claim that the BFSI sector is progressing toward full compliance, a deeper analysis of real-world practices suggests otherwise. As the enforcement timeline approaches, implementation challenges, operational gaps, and accountability concerns are becoming increasingly evident. This document presents a practical use case highlighting systemic non-compliance with DPDPA 2023 principles in the BFSI ecosystem.
Regulatory Context – Accountability Under DPDPA 2023
Under DPDPA 2023:
The Data Fiduciary (Controller) holds primary accountability for protecting personal data.
Data Processors act on behalf of fiduciaries but remain operationally critical.
The Act emphasizes:
Explicit consent
Purpose limitation
Data minimization
Transparency and notice
Protection of Data Principal rights
However, in practice, processor accountability is often diluted, leading to compliance blind spots.
Use Case – BFSI Customer Journey and Data Privacy Violations
Scenario: Car Purchase with Loan and Insurance
A Data Principal (customer) purchases a car and opts for financing and insurance through a dealership.
Step-by-Step Data Flow and Compliance Gaps
1. Data Collection by Car Dealership
The dealership collects personal and financial information.
Data is shared with partner banks and insurers.
Compliance Gap:
Lack of clear, informed, and specific consent for multi-party data sharing.
2. Bank Acting as Parallel Data Fiduciary
The bank independently processes customer data for loan approval.
Compliance Gap:
No transparent notice defining roles (independent fiduciary vs processor).
Ambiguity in purpose limitation.
3. Physical Documentation and Fine Print Consent
The customer signs multiple physical forms with dense legal language.
Compliance Gap: Consent is:
Not freely given
Not informed
Not unambiguous
4. Unauthorized Data Sharing for Cross-Marketing
Sensitive personal data is shared with:
DSAs (Direct Selling Agents)
Hospitality partners
Third-party marketers
Compliance Gap: Violation of:
Purpose limitation
Data minimization
Consent requirements
5. Mass Data Upload to Outbound Dialers
DSAs upload thousands of customer records into dialer systems.
Compliance Gap: No
Prior notification
Consent for telemarketing
Audit trail of data processing
6. Unsolicited Calls Without Disclosure
Customers receive calls without:
Disclosure of data source
Consent validation
Opt-out mechanisms
Compliance Gap Breach of:
Transparency obligations
Data Principal rights
Fair processing principles
Key Observations – Why This is Blunt Non-Compliance
This use case clearly demonstrates that:
Data Fiduciaries are failing in accountability obligations
Consent mechanisms are superficial and non-compliant
Third-party processors operate without governance
Customer dignity and privacy are compromised
Despite claims of readiness, ground-level practices reflect systemic violations of DPDPA 2023.
Strategic Risks for BFSI Sector
If these practices continue, BFSI organizations face:
Regulatory penalties and enforcement actions
Reputational damage
Loss of customer trust
Operational disruptions during audits
Conclusion – Compliance vs Reality
The DPDPA 2023 framework places Data Principal dignity at the center of data governance. However, the current BFSI ecosystem reflects a significant disconnect between policy and execution. Claiming compliance without transforming data practices is a regulatory illusion.
Organizations must move beyond documentation and adopt:
