The country is in the midst of a digital revolution that has led to a boost in the technology sector. Digitisation has impacted everything from manufacturing to services, and at the same time it has led to the growth of many new-age sectors, especially fintech. With increasing penetration of smartphones and adoption of technology, India is rapidly transforming into a digital powerhouse. Mobile payments have become the norm, especially after the launch of UPI, or Unified Payments Interface.
In this regard, there was a need for a law that protects the digital assets of citizens, ensuring that their privacy is safeguarded. The much-awaited Digital Personal Data Protection Act, 2023 (DPDP) has finally seen the light of day. It applies to processing of digital personal data within as well as outside of India if it is for offering goods and services within India. This law is crucial as it defines the roles of stakeholders in collecting and using personal data.
What it means for fintech:
While the fine print in the form of rules is still not out, it is believed that the Data Protection Act will have a significant impact on the fintech sector. The Act identifies a data principal as an individual whose data is being collected and a data fiduciary as the entity that determines the purpose and means of processing digital personal data. Fintech companies that regularly collect and process personal data will probably fall under the data fiduciary category, but their roles are activity specific. While fintech companies are regulated by the rules of the Reserve Bank of India for storage and processing of data, the DPDP Act will add further compliance obligations on them as fiduciaries.
DPDP gives more power to the data principals, or consumers. The law clearly states that personal data can only be processed after receiving the consent of the individual. A data principal has the right to ask for information about processing and to seek correction or deletion of her personal data, as well as grievance redressal. In case there is any breach of data, the data fiduciary is obligated to inform both the individual concerned and the Data Protection Board of India, which will be an independent body under the Act. In fact, while a data fiduciary can use a third party for processing of data, any breach of the data remains the fiduciary's responsibility.
The data fiduciary is responsible for putting in place security measures to protect the personal data and for erasing it once it has served the purpose it was collected for. In case of non-compliance by a data fiduciary, including lack of reasonable security safeguards for data protection or not informing the Data Protection Board and the affected data principal of the security breach, the Board is authorised to impose a penalty of up to Rs 250 Cr.
Strengthens digital economy
With the new Data Protection Act in place, the government is looking to strengthen the digital economy. Personal data forms the basis of a large number of services being offered to individuals, from healthcare to financial services. Any large collection of data will now be accountable under the new law, with consent forming the main pivot of the Act. Once the rules are finalised by the government, they will add further clarity for everyone. The Digital Personal Data Protection Act, 2023 was the need of the hour, and it aims to encourage principled data processing while also establishing a procedure for protecting the rights of individuals.