The board dimension of DPDP
The Digital Personal Data Protection Act, 2023 is often framed as an IT or legal project. For BFSI it is a governance obligation. Financial institutions hold some of the largest and most sensitive personal-data estates in the country, and the Act's penalty regime — up to ₹250 crore per breach category — puts data protection squarely on the board and audit-committee agenda.
Significant Data Fiduciary duties
Large-scale processors — which most banks, NBFCs and insurers will be — are likely to be classified as Significant Data Fiduciaries, carrying additional obligations: appointing a Data Protection Officer answerable to the board, conducting Data Protection Impact Assessments, and undergoing periodic independent audits of data-protection compliance.
What directors are accountable for
- A board-approved data-protection policy and governance structure.
- A named, empowered DPO with a reporting line to the board/audit committee.
- Evidence that consent, notice, rights and grievance mechanisms operate — not just exist.
- DPIAs for high-risk processing and a tested breach-response procedure.
- Oversight of processors and vendors — accountability does not transfer downstream.
The overlap advantage
BFSI boards already oversee RBI cyber, IT and outsourcing frameworks. DPDP obligations overlap materially with those controls. Mapping shared requirements once — data inventory, access controls, breach response, vendor governance — lets the institution satisfy DPDP without a parallel programme, reducing both cost and audit fatigue.
The board's checklist
- Have we mapped our personal-data inventory and flows?
- Are we (likely) a Significant Data Fiduciary, and have we appointed a DPO?
- Do consent, rights and breach procedures demonstrably operate?
- Is DPDP integrated with our existing RBI/IT governance, not bolted on?
- Does the board receive regular, evidence-based data-protection reporting?
