Fintech firms rush to make tweaks as new data protection law looms
New Delhi, Sep 28, 2023
Racing to build systems compliant with the Digital Personal Data Protection (DPDP) Act of 2023, fintech founders have their compliance teams scrambling to update strategy and align practices with the act, according to a report by The Economic Times (ET).
According to industry experts, fintech firms are already required to follow strict data guidelines from regulators, and the new data protection law will significantly add to their compliance burden.
Fintech companies, banks, and non-bank financial companies (NBFCs) must redraw their contracts with business partners who share customer data. Processes related to cross-selling financial services based on data sharing for payment aggregators must be reassessed.
Fintech founders and lawyers have told ET that many startups are engaging in discussions with legal experts and industry consultants to understand the new law's impact on their businesses.
Salman Waris, a partner at Techlegis Advocates and Solicitors, stated that the scale of responsibility for fintech companies is much higher because their business revolves around customer data.
Fintech firms will need to perform impact assessments to understand the sources of potential data leakage. Aparajita Srivastava, a partner at Ikigai Law, stated that the ultimate liability to comply with the DPDP lies with the data fiduciary, which, in this case, is the fintech firm controlling the data processing. Data fiduciaries could be NBFCs, customer-facing fintech startups, or banks, all of whom gather customer data.
What is the Digital Personal Data Protection Act?
Under the DPDP law, most companies dealing with data in a digital format have a legal obligation to ensure the safe collection, processing, and sharing of personal data received from their customers. The law requires platforms to take "reasonable security safeguards" to prevent data breaches. An instance of a data breach could lead to penalties of up to Rs 250 crore and potential blocking of services in the event of repeated violations. Companies handling user data will be required to safeguard individuals' information, and instances of personal data breaches must be reported to the Data Protection Board (DPB).
[The Business Standard]