India’s data protection law isn’t coming. It’s here.
The Digital Personal Data Protection Act was passed in 2023. The Data Protection Board is operational. Full enforcement, including penalty powers, is anticipated around May 2027. For a fintech processing financial data on millions of Indian users that is not much time, and most platforms haven't started.
This is a practical map: what DPDPA actually requires, what is genuinely new versus what overlaps with obligations you already have, and how to build toward compliance without treating it as a separate project.
Why fintechs specifically are in focus
DPDPA classifies data into two tiers. General personal data gets baseline protections. Sensitive personal data, which explicitly includes financial data, gets stricter treatment.
If your platform handles any of the following, you’re processing sensitive personal data:
Credit card numbers
Income / salary information
Transaction histories
Loan or credit records
Financial condition data
That’s most of what a fintech does. Your entire core dataset is sensitive personal data, which means higher security standards, more rigorous consent requirements, and larger potential penalties.
The five obligations that require infrastructure, not just policy
Security safeguards. The act requires ‘reasonable security safeguards to prevent personal data breach.’ It does not enumerate the controls; for a fintech handling financial data, reasonable in practice means active application protection, endpoint security on devices accessing customer data, continuous monitoring, strong access controls, and documented incident response. If you’re already doing this for RBI compliance, DPDPA’s security requirement is largely covered.
Breach notification. You must notify both the Data Protection Board and affected users of a personal data breach. Expected timeline: 72 hours for the Board notification. The clock may start from when you reasonably should have known, not when you confirmed the breach, so the timestamp of first detection is the one you will be measured against, and it needs to be recorded. Without automated detection, real-time alerting, and a pre-built notification workflow, 72 hours is nearly impossible to meet.
Consent and purpose limitation. Personal data can only be processed with the user’s consent or under one of the act’s specific exemptions. The transaction exemption is broad: you can process the bank account number to execute the payment. What isn’t covered: using customer transaction data to train credit scoring models without disclosure, selling aggregated data to third parties for marketing, or using financial behaviour data for insurance underwriting without specific consent.
Your users will have the right to access their data on request, correct inaccurate data, and have their data erased when it’s no longer necessary. Erasure rights interact with RBI record-keeping obligations — you likely have legally mandated retention periods for transaction records. DPDPA provides exemptions for legally required retention, but you still need a workflow that distinguishes between data you must keep and data you can delete.
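The consent and erasure obligations above reduce to two policy checks that belong in code rather than in a policy document: a purpose-limitation gate that permits processing only under the transaction exemption or a live (not withdrawn) consent, and an erasure handler that deletes what it can, retains records under a legal hold, and records why. The Python below is an added illustration, not code from the original page, from Osto, or from the act or RBI guidance. The data categories, the retention periods, the purpose names and the sample records are assumptions chosen for the example; substitute the retention periods your own RBI obligations actually mandate.

```python
"""Consent gate and erasure handler for a DPDPA data-rights workflow.

Added example, not code from the original page or from Osto. Every category,
retention period and purpose name below is an assumption for illustration,
not the real RBI retention rule or a legal reading of the act.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed retention rules per data category, in days. A non-zero value models a
# legally mandated hold; 0 means no hold, so the data is deletable on request.
RETENTION_DAYS = {
    "transaction": 5 * 365,      # placeholder, not the actual RBI figure
    "kyc": 5 * 365,              # placeholder, not the actual RBI figure
    "marketing_profile": 0,
    "app_analytics": 0,
}

# Purposes treated as covered by the transaction exemption (assumed label).
EXEMPT_PURPOSES = {"execute_payment"}


@dataclass
class Consent:
    granted: date
    withdrawn: Optional[date] = None


@dataclass
class Record:
    record_id: str
    category: str
    created: date


@dataclass
class ErasureResult:
    deleted: list[str] = field(default_factory=list)
    retained: dict[str, str] = field(default_factory=dict)  # record_id -> reason


def processing_allowed(purpose: str, consents: dict[str, Consent], today: date) -> bool:
    """Purpose-limitation check: allow only under the exemption or a live consent.

    No consent, a withdrawn consent, or an unknown purpose is denied (fail closed).
    """
    if purpose in EXEMPT_PURPOSES:
        return True
    consent = consents.get(purpose)
    if consent is None or consent.granted > today:
        return False
    return consent.withdrawn is None or consent.withdrawn > today


def process_erasure(records: list[Record], today: date) -> tuple[ErasureResult, list[Record]]:
    """Delete records with no legal hold; retain the rest with an auditable reason.

    Returns the user-facing result and the records that remain in storage.
    Unclassified categories fail closed: retained and flagged for manual review.
    """
    result = ErasureResult()
    remaining: list[Record] = []
    for rec in records:
        hold_days = RETENTION_DAYS.get(rec.category)
        if hold_days is None:
            result.retained[rec.record_id] = f"unclassified category {rec.category!r}: manual review"
            remaining.append(rec)
            continue
        hold_until = rec.created + timedelta(days=hold_days)
        if hold_days and today < hold_until:
            result.retained[rec.record_id] = f"legal retention until {hold_until.isoformat()}"
            remaining.append(rec)
        else:
            result.deleted.append(rec.record_id)
    return result, remaining


def demo() -> dict:
    """Run both checks over constructed sample data (not real customer records)."""
    today = date(2026, 4, 1)
    consents = {
        "credit_model_training": Consent(date(2025, 6, 1)),
        "insurance_underwriting": Consent(date(2025, 6, 1), withdrawn=date(2026, 1, 10)),
    }
    records = [
        Record("txn-1", "transaction", date(2025, 1, 15)),     # inside assumed hold
        Record("txn-0", "transaction", date(2020, 1, 1)),      # hold expired
        Record("mkt-1", "marketing_profile", date(2024, 3, 1)),  # no hold
        Record("x-1", "behavioural_score", date(2025, 9, 1)),  # unclassified
    ]
    result, remaining = process_erasure(records, today)
    return {
        "payment": processing_allowed("execute_payment", consents, today),
        "training": processing_allowed("credit_model_training", consents, today),
        "underwriting": processing_allowed("insurance_underwriting", consents, today),
        "resale": processing_allowed("sell_aggregated_data", consents, today),
        "deleted": result.deleted,
        "retained": result.retained,
        "remaining": [r.record_id for r in remaining],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points worth copying are the fail-closed defaults: a purpose nobody has mapped to an exemption or a consent is denied, and a record category nobody has mapped to a retention rule is kept and flagged rather than silently deleted or silently retained. The reasons in `retained` are what goes back to the user and into the audit log.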
Cross-border transfers. These will be restricted to approved countries once the implementing rules are published. If you use US-based fraud detection vendors, data enrichment services, or any infrastructure that your customer data flows through, map those data flows now, before the rules land.
The penalty structure is not symbolic
| Violation | Max Penalty |
|---|---|
| Failure to implement security safeguards resulting in a data breach | ₹250 crore |
| Failure to notify the Data Protection Board | ₹200 crore |
| Failure to notify affected users | ₹200 crore |
What DPDPA adds on top of RBI obligations
What RBI already requires: protecting your systems and reporting incidents to the regulator, which means security infrastructure, incident response, and VAPT.
What DPDPA adds: obligations to notify users whose data was compromised, and consent and data subject rights infrastructure. Both are entirely new for Indian fintechs.
The security infrastructure overlap is significant. One comprehensive programme satisfies both. The consent and data rights infrastructure is genuinely new work. If you don’t have it, RBI compliance doesn’t help you here.
The 13-month roadmap
The May 2027 deadline feels distant until it doesn’t. Companies that start now can build toward compliance steadily. Companies that start in late 2026 will be running a sprint, and sprints in regulated environments miss things.
The security infrastructure layer of DPDPA — WAF, endpoint protection, continuous monitoring, VAPT, incident response — is what Osto deploys and runs for Indian fintech teams, so months 4–8 of this roadmap don’t have to be the hard part.