Unlocking Energy Potential: How Legal Reforms Are Powering India’s Oil & Gas Investment Boom

Written by Isha Chugh
student, Vivekananda Institute Of Professional Studies
July 2025

Introduction

In today's digital economy, personal data is the pillar of financial services: the industry relies on it to assess risk and tailor its offerings to each customer. To ensure that such data is used responsibly, India enacted the DPDP Act, 2023, which requires transparent, accountable, and ethical handling of sensitive data in finance.

Prior to the passage of the Digital Personal Data Protection (DPDP) Act, 2023[1], India's data protection framework was piecemeal and confined to the IT Act, 2000[2] and its rules of 2011.[3] The Puttaswamy judgment (2017),[4] which established privacy as a constitutional right, underscored the urgent need for a standalone data protection law. This prompted the Justice B.N. Srikrishna Committee's 2018 report[5] and the Personal Data Protection Bills of 2019[6] and 2021, neither of which became law. The DPDP Act is now India's first comprehensive, rights-based data protection law, imposing fiduciary duties on the entities, especially financial institutions, that process personal data.

This blog examines India's Digital Personal Data Protection Act, 2023, which ushers in a revolution in privacy, consent, and data governance, particularly in the high-trust finance industry. At its heart is the notion of the "data fiduciary," which carries new legal, ethical, and strategic obligations. The article sets out the legislative and operational requirements for financial institutions and compares India's approach with international examples such as the EU's GDPR. It concludes that banks need to move beyond mere compliance and become proactive custodians of digital trust.

Understanding Fiduciary Duty in the Digital Age

Classically, a fiduciary is one who is placed in a position of trust to act in the best interests of another, a notion frequently used in legal and financial contexts. The DPDP Act carefully extends this traditional notion into the digital domain, specifically designating those who process personal data as data fiduciaries. The Act thus re-imagines the financial institution as a fiduciary: a trustee charged with acting in good faith, with loyalty, transparency, and ethics. It is commonly compared to the EU's GDPR; nevertheless, the Act takes into account the Indian socio-economic landscape, balancing innovation with privacy and digital inclusion with personal dignity. The data such institutions collect may include fingerprints, driving licence details, credit histories, and financial information, which heightens the need for a stronger fiduciary capacity within financial services. Used incorrectly, any of this data could harm individual interests and generate instability in the system; therefore, very stringent compliance and ethical governance standards have to be upheld to preserve public trust and financial integrity.

Having entered a new wave of digital transformation, India, with 128 banks and over 8,000 fintechs, is currently regarded as the third largest fintech hub in the world. More than 10.9 crore borrowers were sanctioned personal loans by fintech NBFCs, amounting to over ₹1.06 lakh crore, in FY 2024-25, while UPI transactions touched ₹200 trillion. Credit bureaus alone hold data on hundreds of millions of individuals and companies, which gives a sense of the scale of data integration in finance. Growing public concern about excessive data collection and the lack of user control brings into focus the need for the fiduciary responsibilities under the DPDP Act to be enforced. These controls are necessary to foster accountability, transparency, and the very notion of digital trust across the financial industry.

What the DPDP Act Requires of Financial Data Fiduciaries

The Act sets out a comprehensive framework of obligations for data fiduciaries. For financial service providers, these mean critical operational, legal, and even design-level changes. Under the DPDP Act, consent has to be free, informed, specific, and unambiguous. Financial institutions are now required to seek express permission before collecting or processing any personal data of a data principal and, most importantly, such consent has to be readily revocable by the individual; in other words, the data principal must be provided with a consent withdrawal mechanism. This directly affects essential processes such as the digital onboarding of bank accounts, mobile wallets, and lending apps.

Financial institutions in India are now expected to be far more careful and transparent with personal data than ever before. They may only collect data that is truly necessary for a specific and clearly explained purpose, for example asking for Aadhaar or PAN only when it is justified and its use is properly disclosed. Customers should understand exactly what data is being collected, why, for how long, and what rights they have over it. This means reworking loan applications, KYC processes, and all customer communications into simple, clear, and multilingual formats. On top of that, banks and fintechs must create easily accessible systems for people to raise complaints if their data rights are violated. The rules get even stricter for the collection of children's data, and when companies transfer information overseas, government rules will determine what transfers are allowed. Large financial players will also face tighter controls, such as mandatory audits and privacy impact assessments. At the heart of all this is a shift toward treating privacy not just as a legal duty, but as a deep responsibility grounded in trust.

Implications Beyond Compliance: The Strategic Value of Trust

Being a DPDP fiduciary is an imperative for establishing lasting digital trust. In today's competitive market, financial institutions no longer compete for market share on rates and services alone, but increasingly on how securely and responsibly they manage consumer information. A strong privacy regime can quickly become a strong brand differentiator. When consumers feel that their financial institution takes privacy seriously, as demonstrated by granular consent controls, clear policies, and timely grievance redressal mechanisms, they are far more likely to remain loyal to that institution. In a world where a data breach can destroy a reputation in an instant, trust is the ultimate currency.

Challenges on the Ground

Rolling out the DPDP Act across India's intricate financial landscape will not be an easy task. Traditional banks' legacy systems are frequently not agile enough to track nuanced consents and data permissions, while smaller NBFCs and fintech startups may struggle with limited resources and technical expertise. At the same time, many consumers remain unaware of their digital rights, placing a substantial responsibility on institutions to educate and guide them thoughtfully. Add to this the evolving nature of enforcement, which depends on supplementary rules from the central government, and it is clear that uncertainty still looms.

However, the direction is unmistakable: fiduciary responsibility in finance is becoming tougher and more centralised than ever before. To meet this challenge, institutions have to go beyond ticking legal boxes and adopt a cultural shift. Privacy by Design needs to be built into each step of product development, and staff in all departments need in-depth, immersive training in data protection. Third-party vendors such as credit bureaus and KYC providers must be held to the same gold standard. Communication must evolve too: consent forms and privacy notices should be clear, jargon-free, and available in regional languages to genuinely empower users. This is not just regulatory compliance; it is a commitment to digital dignity and trust.

Looking Ahead: From Compliance to Leadership

The DPDP Act is not just a regulatory requirement; it is a strong call to leadership. Financial service firms are in a special and privileged position to influence how data is managed throughout the nation. By fully embracing the expanded fiduciary role, these firms can take the lead in establishing a digital financial environment that respects privacy while remaining open to innovation. Instead of waiting for penalties to act as a spur, institutions that stay ahead of the curve can invest in processes and systems that are inherently compatible with the spirit of the law. Such a proactive approach will not only greatly lower legal and reputational risk but also vastly improve consumer trust: a win-win in our digital-first economy.

Conclusion: A Fiduciary for the Digital Age

The fiduciary role under India's DPDP Act is not just about compliance; it is changing the culture of ethical data handling across financial institutions in the digital age. In a country like India, which has quickly transitioned to digital transactions with personal data deeply embedded in financial activity, the consequences and risks of data operations have never been higher. Institutions are no longer merely data administrators; they are now entrusted custodians of confidential information and, more importantly, of public trust.

Being a data fiduciary today means a commitment to transparency, accountability, and dignity in a world where nearly everything is digital. It means making trust the central element of all data practices, from design to deployment, and understanding that ethical responsibility is as important as legal compliance. Financial institutions that make this greater commitment will not only avoid penalties; they will be champions of consumer rights and guardians of digital trust in an increasingly data-intensive Indian economy.

[1] Digital Personal Data Protection Act, No. 22 of 2023, Gazette of India, Aug. 11, 2023 (India), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.

[2] Information Technology Act, No. 21 of 2000, § 43A, Acts of Parliament, 2000 (India), https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.

[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Gazette of India, G.S.R. 313(E), Apr. 13, 2011 (India), https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-.pdf.

[4] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India), https://indiankanoon.org/doc/127517806/.

[5] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (MeitY, 2018), https://www.thehinducentre.com/resources/article24561547.ece/binary/Data_Protection_Committee_Report-comp.

[6] The Personal Data Protection Bill, 2019, Bill No. 373 of 2019, Lok Sabha Secretariat (India), https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf.
