DPDP Act Compliance Programme for an NBFC
End-to-end DPDP Act 2023 compliance programme for a systemically important NBFC — covering data inventory, consent framework redesign, vendor contract revision, incident response protocol, and DPO appointment.
The Challenge
A systemically important NBFC with 1.2 million borrower accounts approached us immediately following the enactment of the Digital Personal Data Protection Act 2023. The company processed personal data across 14 categories — from KYC data to credit bureau reports to location data from mobile applications. Its existing privacy notice was GDPR-influenced and inconsistent with the DPDP Act's specific consent and notice format requirements. Over 200 vendor agreements needed review for data processor obligations. The company's internal compliance team had no prior data protection expertise and required both legal advisory and knowledge transfer.
Our Approach
The programme was structured in four phases over six months. Phase one involved a data inventory — mapping all personal data categories, processing purposes, storage locations, and third-party sharing arrangements. We identified 14 data categories across 23 processing systems with 47 vendor relationships involving personal data transfer.
Phase two redesigned the consent and notice architecture: drafting a DPDP-compliant consent notice in plain language across English, Hindi, and four regional languages; restructuring the consent capture flow in the mobile application so that consent is free, specific, informed, unconditional, and unambiguous, and is given by a clear affirmative action rather than a pre-ticked box or bundled acceptance; and creating a legitimate-use mapping for processing that the Act permits without individual consent (such as processing needed to comply with a legal obligation), so that the consent screens ask only for what actually requires consent.
Phase three addressed vendor contracts: reviewing the 47 vendor agreements that involved personal data transfer (identified from the larger pool of over 200 agreements in phase one) and drafting standard data processing addenda incorporating the Act's processor obligations, minimum security standards, breach notification timelines that let the company meet its own reporting deadlines, and audit rights.
Phase four established the operational compliance infrastructure: the grievance redressal mechanism the Act requires every data fiduciary to provide, the data breach response protocol aligning the Act's obligation to notify the Data Protection Board and affected Data Principals with the CERT-In direction that cyber incidents be reported within six hours of being noticed, and the DPO appointment with written terms of reference.
The Result
The full compliance programme was delivered within the six-month timeline. The company's DPDP Act compliance posture was independently assessed by a Big Four firm as 'substantially compliant' with the enacted provisions. The DPO was appointed from an internal senior compliance officer retrained through the programme.
The knowledge transfer component enabled the in-house compliance team to manage ongoing DPDP Act compliance without external legal advisory for routine matters — a specific objective of the engagement.
Key Lessons
- DPDP Act compliance programmes for financial services companies must address the intersection of DPDP obligations with existing RBI KYC and data security directives — alignment, not replacement.
- Multilingual consent notices are not optional for consumer-facing financial services companies — the DPDP Act's plain language requirement has real practical implications.
- Data inventory must precede consent framework redesign — consent architecture built on an inaccurate data map creates compliance gaps from day one.
- Knowledge transfer to in-house teams is the single highest-ROI element of a compliance programme — external legal advisory should progressively reduce, not increase, over the programme lifecycle.
Facing a similar challenge?
Our Data Privacy & DPDP team has extensive experience with matters like this. Every consultation is with a senior partner.