Page 55 - Banking Finance February 2025

ARTICLE

consent is available before processing or conducting any analytics on the personal data submitted by data principals.

Formal Framework for Data Protection Risk - A bank needs to have a formal data privacy risk framework for management of risks associated with digitized data. Standard operating procedures need to be established for periodic monitoring, tracking, and reporting of deviations identified from a data protection perspective. Banks also need to develop Key Risk Indicators (KRIs) to ensure that any potential deviations from the requirements of the DPDPA are highlighted and escalated at periodic intervals, so as to avoid any breach resulting in reputational loss and financial penalties.

(D) Managing Outsourced Entities

There are many instances in which outsourced entities are engaged for maintenance of the day-to-day activities of a bank. On many occasions, customer or employee personal data is shared with some of these entities, such as vendors, CSPs, software providers etc., for completion of the mandated tasks. As such, they become Data Processors in DPDPA parlance. DPDPA mandates that such engagement of a Data Processor has to be done on the basis of a valid contract, and the liability regarding the use of a Data Processor lies with the Data Fiduciary. Hence, banks need to relook at the following areas:

- Conducting thorough due diligence on third-party service providers handling personal data with respect to the data security norms.
- Ensuring relevant data protection clauses in contracts with third parties.
- Implementing effective monitoring and oversight mechanisms for third-party activities related to personal data processing, such as requirements for periodic compliance certificates, evidence of controls established etc.

Sharing customer data with third-party service providers will require robust contractual arrangements and data protection safeguards.

Conclusion:

The banking sector, by virtue of being one of the most regulated industries in India, is already privy to a lot of guidelines regarding data privacy, information security, cyber risk management, outsourcing etc. But the point to note here is that DPDPA introduces a comprehensive framework for personal data protection. In contrast, existing laws like the Information Technology Act and the RBI Act have their own specific focus areas. It is obvious that there will be areas of overlap between DPDPA and sector-specific laws/regulations. Several aspects codified by the present DPDPA have already been mandated by existing banking sector-specific regulations. Other areas will be identified in due course as and when the follow-up rules of DPDPA, 2023 are notified by the government.

The overlaps will be more pronounced once the complete sets of rules are defined. It is to be noted that DPDPA, 2023 will co-exist with ITA, 2000 and other sectoral regulations or any of their amended versions. Overlapping regulations can create confusion. In real-life business scenarios, regulatory overlap can inflict real costs on businesses through repetitive data collection and duplication of compliance efforts. The overlapping areas need to be addressed in the subsequent rules to be brought in by the government.

While framing the follow-up rules, the authorities should keep in mind that data protection regulations, primarily aimed at protecting consumer information, should not place disproportionate bindings on businesses. This may hinder their growth and stifle innovation. Meanwhile, banks will need to align their compliance efforts to address the overlapping areas and new obligations imposed by the DPDPA.

("Views and Opinions expressed in the article are of the author and not of the Bank.")

References:

- The Digital Personal Data Protection Act, 2023 (No. 22 of 2023), 11th August 2023, published by Ministry of Law and Justice, Government of India.
- Book: Practical Guide to Digital Personal Data Protection Act, 2023 Law & Compliances by Puneet Bhasin.
- Book: Guardians of Privacy: A comprehensive handbook on DPDPA 2023 and DGPSI by Vijayshankar Na (NAAVI).
- FIG Paper No. 30, Data Law Series 4: Implications of Digital Personal Data Protection Act, 2023 for Foreign Banks in India Corporate Law (cyrilamarchandblogs.com).
- Implications of the DPDP Act 2023 on India's Financial Services Sector - Grant Thornton.
- Need for Syncing Sectoral Regulations with Data Protection Law (cyrilamarchandblogs.com) by Arjun Goswami & Aayushi Bindal, May 29, 2024.
- RBI Master Direction - Know Your Customer (KYC) Direction, 2016 (Updated as on January 04, 2024).
