Page 53 - Banking Finance February 2025
ARTICLE
maximum relevance/impact on the banking industry and the likely process tweaks that will be required in key functional areas of banking such as customer onboarding, credit assessment & risk management process. As with any other risk faced by banks, the level of data protection risk also needs to be measured, estimated and mitigated to the extent possible. Hence, certain aspects regarding management of data asset inventories of banks are also discussed.

Understanding "Personal Data".
In common parlance we can think of personal data as a set of attributes (such as Name, an identification number, location data, etc.) which together can identify a natural person with a degree of certainty. The DPDPA-2023 defines personal data as follows: "Personal Data means any data about an individual who is identifiable by or in relation to such data." The DPDPA is applicable only to "Digital Personal Data", i.e. DPDPA is applicable to personal data collected in digital form or data collected physically but converted to digital form.

An indicative list of Personal Data commonly observed in the banking space.

| Customer Data | Employee Data | Vendor/Third Party Data |
| Customer Demographic Data (Name, Age (DOB), Religion, etc.) | Employee Demographic Data (Name, Age (DOB), Religion, etc.) | Vendor or partner Demographic Data |
| KYC Data (OVDs etc) | Educational Details. | Vendor/partner financial details |
| Credentials Data (Log in ID, Authentication, password, etc.) | Previous employment details. | Details of credentials of vendors/third party |
| Financial Details (Asset Liability data) | Background Verification details. | Communication records |
| Transaction data | Financial details (Salary, Asset Liability) | |
| Communication records such as service requests, email communications, mobile, banking, cookies etc. | | |

Rights of Individuals (Data Principal) granted by DPDPA.
Data Principals get the right to (i) get information about their personal data; (ii) make modifications to their personal data, i.e. they can carry out correction, updation as well as ensure completion. Apart from this, they have the right to erasure of personal data; (iii) grievance redressal in respect of any deficiency on the part of the Data Principal. Another unique right provided is the (iv) right of nomination of personal data (giving it a status of virtual asset).

Data Minimization and Purpose Limitation
As per Section 4 of DPDPA, a data fiduciary is allowed to process personal data for a lawful purpose (any purpose which is not expressly forbidden by law) for which he has received consent from the Data Principal or for purposes which are declared as "Legitimate Uses". Hence, banks need to be cautious during the data collection process. Only the bare minimum data is to be collected, and it is to be used only for specified purposes, aligning with their core banking activities. This will require banks to carry out data audits and refinement of data collection practices.

DPDPA- Impact Areas
(A) Managing Data Asset Inventories
The Data asset of a bank is located across multiple locations in multiple systems
operated by multiple employees of the bank. Besides, some data may be with
contractual parties in their premises. Further, some data may be in a virtual
environment. Hence, a logical first step to protect the data would be to identify