February 2026 · 10 min read

DPDPA 2023 — What Every NBFC Needs to Do Before the Rules Are Notified

The Digital Personal Data Protection Act 2023 is now law. The Rules are expected shortly. NBFCs that wait for the Rules before acting will not have enough time to build a compliant data processing framework.

The DPDPA Is Already Law

The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. Unlike many Indian laws that take years to become operative, the enforcement mechanism and the Data Protection Board are being operationalised rapidly. The Rules under Section 40 of the Act are expected to be notified in 2026.

For NBFCs, the compliance challenge is significant. As financial institutions, you are one of the largest processors of personal data — loan applications, KYC documents, credit bureau enquiries, transaction data, and more. Every step of your customer lifecycle involves personal data processing, and the DPDPA's notice and consent requirements apply to virtually all of it.

What NBFCs Must Do Now

The first step is a comprehensive data processing inventory — mapping every category of personal data you collect, where it comes from, how it is used, with whom it is shared, and for how long it is retained. This is not a one-page form; it is a structured exercise that typically takes 4-6 weeks for a mid-sized NBFC.

The second step is a consent framework. The DPDPA requires that consent be free, specific, informed, unconditional, and unambiguous. Most NBFCs currently collect consent through a one-line tick-box buried in a loan application form. This will not meet the DPDPA standard.

The DPO Mandate

The Act provides for a Data Protection Officer. While the exact categories of organisations required to appoint a DPO will be specified in the Rules, it is expected that significant data fiduciaries — which will include larger NBFCs — will be required to appoint a DPO with board-level access and regulatory interface responsibility.

The Penalty Exposure Is Not Theoretical

Failure to implement adequate security safeguards carries a penalty of up to ₹250 Crore. Failure to notify a data breach carries up to ₹200 Crore. These are per-incident penalties, not annual caps. For an NBFC with thousands of customer records, a single breach event can create exposure that threatens the institution's capital adequacy.
