DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ Sector wise readiness

Sector wise readiness

Fintech and BFSI: triggered obligations versus day one duties

One misconception I keep seeing when fintech and lending startups read DPDP checklists: they assume every box applies from day one. It does not.

A lending app on its first 10,000 users is not expected to operate like HDFC Bank. A two founder neobanking startup does not need every compliance product a large NBFC buys. A sector map is a superset, not a launch checklist.

What applies from the start, whatever your size

What may not apply to you yet

Two things fintech founders consistently get wrong

The retention clocks contradict each other, and you must reconcile them on paper. DPDP says erase when the purpose ends. RBI, SEBI, IRDAI and PMLA say keep, for years. The lawful hook is the Rule 8(3) proviso, retention permitted where another law requires it, not an assumption. An auditor wants to see a documented reconciliation, not a guess.

The consent broker line trips people up. If you act as a consent broker, the Account Aggregator framework and DPDP Consent Manager registration are not the same thing. Clarify which hat you wear before you build the flow.

The better question

The better question is not "does fintech have this requirement?"

It is "have I actually triggered this requirement?"

Law creates obligations. Scale and risk influence implementation. Confusing the two is how fintech startups spend on tools they do not need while missing the basics.

Which fintech data assumption do you think will age worst? Drop it in the comments.

Next in this series: EdTech ›

#DPDP #DataProtection #Fintech #BFSI #Privacy #Compliance

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.