Blog

Author: CS Sachin Kotian
Published in: Taxmann

The Digital Personal Data Protection Act, 2023 transforms NBFCs from traditional lenders into accountable data fiduciaries. It mandates explicit consent, purpose limitation, and data minimisation, replacing earlier broad and implicit practices. Customers gain enforceable rights such as access, correction, and grievance redressal, requiring NBFCs to build strong digital and governance frameworks. Significant Data Fiduciaries face additional obligations like appointing a Data Protection Officer and conducting audits. While RBI and PMLA record-keeping rules override deletion requests, DPDP compliance begins once statutory periods end. With penalties up to ₹250 crore, the Act elevates data privacy from compliance to a critical boardroom and reputational risk.