Data Principal Rights Under the DPDP Act

Indian financial services operate under one of the world's most layered data and security regulatory environments.

On top of DPDP for personal data, banks and lenders deal with RBI's Master Directions and the IT Outsourcing framework. Insurers deal with IRDAI's Information and Cybersecurity Guidelines and customer-protection rules. Capital market intermediaries deal with SEBI's Cybersecurity and Cyber Resilience Framework. Everyone deals with CERT-In's incident reporting requirements.

Read separately, these requirements appear contradictory. Read together, they form a coherent, if demanding, picture. The compliance leaders who succeed in Indian BFSI are the ones who run one unified programme covering all overlays, not four parallel programmes each handled by a different team.

Layer 1: DPDP Act baseline

DPDP applies to all personal data processing by Indian Data Fiduciaries. For BFSI, this means customer data, prospect data, employee data, and partner data: wherever personal information lives, DPDP applies. The standard obligations follow: consent, purpose limitation, Data Principal rights, breach notification, and accountability.

Layer 2: RBI overlays for banks, NBFCs, and payment system providers

RBI's existing regulatory architecture predates DPDP by years. Master Direction on Information Technology Governance, Master Direction on IT Outsourcing, Master Direction on Cyber Resilience and Digital Payment Security, and sector-specific circulars on AI, data localisation, and customer data handling all interact with DPDP.

Key intersections

RBI's data localisation requirements for payment system data require certain personal data to be stored only in India, which goes beyond DPDP's more permissive cross-border rules. RBI's IT outsourcing framework requires specific contractual provisions with third-party processors, which augment DPDP's general data processing agreement requirements. RBI's customer complaint timelines interact with DPDP's grievance redressal timelines; in general, the stricter of the two applies.

Practical implementation

Banks and NBFCs need a unified customer data governance that satisfies RBI's specific requirements (localisation, outsourcing, IT governance) and DPDP's general requirements (consent, purpose, rights) in the same architecture, not as separate compliance streams.

Layer 3: IRDAI overlays for insurance

Insurance customer data has been regulated by IRDAI for years under the Information and Cybersecurity Guidelines and the policyholder protection framework. DPDP adds explicit consent requirements at policy initiation, transparency on automated decisions (claim approvals, underwriting), and the right to challenge AI-driven adverse decisions.

Key intersections

IRDAI requires retention of policyholder data for defined minimum periods, which interacts with DPDP's storage limitation principle. The reconciliation is that the retention periods established by IRDAI represent the 'specified period' under DPDP for that processing purpose, so the two are not contradictory, but the reasoning must be documented as such. Insurance distribution involves multiple parties (insurer, broker, web aggregator, corporate agent); each is a Data Fiduciary or Data Processor under DPDP, and contractual relationships need to reflect this.

Practical implementation

Insurers using AI for underwriting or claims need consent at policy initiation specifically for AI processing, explainability infrastructure for adverse decisions, and a grievance pathway that handles both IRDAI policyholder grievances and DPDP Data Principal grievances coherently.

Layer 4: SEBI overlays for capital markets

SEBI's Cybersecurity and Cyber Resilience Framework intersects DPDP primarily at the incident response and reporting layer. SEBI's framework requires reporting of cyber incidents to SEBI within defined timelines. DPDP requires reporting of personal data breaches to the Data Protection Board and to affected Data Principals. CERT-In requires reporting of certain cyber incidents to CERT-In.

Key intersections

An incident may simultaneously trigger SEBI reporting, DPDP breach notification, and CERT-In incident reporting. Each has different timelines, different recipients, different content requirements. Capital market intermediaries need a unified incident response process that classifies incidents quickly and triggers the right notifications in parallel.

Practical implementation

SEBI-regulated entities need an incident response runbook that maps incident types to required notifications (SEBI, DPDP, CERT-In, exchange, depository), with clear ownership and tested timelines. Tabletop exercises validate the runbook annually.

Layer 5: CERT-In incident reporting

CERT-In's incident reporting directions apply across sectors, including BFSI, and require reporting of certain cyber incidents within tight timelines, in some cases six hours. CERT-In reporting and DPDP breach notification are not the same thing: an incident may require CERT-In reporting without being a DPDP-reportable personal data breach, or vice versa, or both.

Practical implementation

Incident classification must distinguish between CERT-In-reportable cyber incidents, DPDP-reportable personal data breaches, and sector-regulator-reportable incidents. The classification must happen quickly because all timelines run from incident detection or awareness, not from classification completion.
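The classification logic described above, and the runbook mapping from incident type to notifications in the SEBI section, as an added example (not code from the original page or from Mobiloitte). The reporting windows are constructed placeholders, apart from the six-hour CERT-In figure the text mentions; the sector-regulator mapping and the rule that cyber incidents go to the sector regulator are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Incident:
    detected_at: datetime         # awareness time; every clock starts here
    cyber_incident: bool          # intrusion, malware, DDoS, etc.
    personal_data_affected: bool  # Data Principals' personal data compromised
    sector: str                   # "bank", "insurer" or "capital_market"

# Sector regulator per overlay (assumed mapping for the example, not a legal list)
SECTOR_REGULATOR = {"bank": "RBI", "insurer": "IRDAI", "capital_market": "SEBI"}

# Reporting windows measured from detection. The six-hour CERT-In figure is the one
# the text cites for some incident classes; every other value is a constructed
# placeholder to be replaced with the regulator's actual window.
EXAMPLE_WINDOWS = {
    "CERT-In": timedelta(hours=6),
    "Data Protection Board": timedelta(hours=72),     # placeholder
    "Affected Data Principals": timedelta(hours=72),  # placeholder
    "RBI": timedelta(hours=6),                        # placeholder
    "IRDAI": timedelta(hours=24),                     # placeholder
    "SEBI": timedelta(hours=6),                       # placeholder
}

def build_incident(detected_iso, cyber_incident, personal_data_affected, sector):
    return Incident(datetime.fromisoformat(detected_iso), cyber_incident,
                    personal_data_affected, sector)

def required_notifications(inc, windows):
    """Classify the incident and return {recipient: deadline}. CERT-In and DPDP
    obligations are independent: either, both or neither may apply."""
    recipients = []
    if inc.cyber_incident:
        recipients.append("CERT-In")
        if inc.sector in SECTOR_REGULATOR:
            recipients.append(SECTOR_REGULATOR[inc.sector])
    if inc.personal_data_affected:
        recipients += ["Data Protection Board", "Affected Data Principals"]
    # Deadlines anchor at detection, regardless of when classification finished
    return {r: inc.detected_at + windows[r] for r in recipients}

def hours_remaining(deadlines, now_iso):
    """Time left on each clock at `now`, e.g. the moment classification completes."""
    now = datetime.fromisoformat(now_iso)
    return {r: (d - now).total_seconds() / 3600 for r, d in deadlines.items()}

def first_deadline(deadlines):
    """Strictest applicable timeline drives the runbook's first action."""
    return min(deadlines, key=deadlines.get) if deadlines else None
```

Running the same detection time through a cyber-only, a personal-data-only and a combined incident shows the three classifications diverging while every deadline still counts from detection.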

The unified programme model

BFSI compliance leaders running this well operate one unified programme with the following structure:

● One data governance function covering DPDP + sector-specific data handling rules
● One incident response function covering DPDP breach notification + sector-specific reporting + CERT-In reporting
● One DPO/CISO collaboration model with clear ownership boundaries and joint accountability for overlapping areas
● One vendor management function reflecting both DPDP Data Processor obligations and sector outsourcing rules
● One Data Principal/customer grievance pathway with unified SLAs satisfying the strictest applicable timeline
● One annual audit cycle covering DPDP DPIAs, RBI/IRDAI/SEBI cyber audits, and CERT-In compliance

The shift to make

Stop running DPDP, RBI/IRDAI/SEBI compliance, and CERT-In compliance as separate streams.

Start running one unified programme that satisfies all four overlays simultaneously. The architecture is more efficient: one data inventory, one consent infrastructure, one incident runbook, one DPIA process. The risk posture is stronger, because overlaps are managed deliberately rather than falling through gaps. The cost is lower over time, because the duplication of effort that comes from siloed compliance teams is eliminated.

Indian BFSI organisations that build this unified posture earn a structural advantage. They move faster on AI initiatives because the governance is already in place. They navigate regulatory scrutiny better because their evidence base is unified. And they earn customer trust because their consent and data handling story is coherent, not fragmented.

Himani Chaudhary

Software Engineer

Himani Chaudhary is a Full Stack Software Engineer at Mobiloitte Technologies with hands-on experience in building modern web applications using React.js, Next.js, Node.js, Express.js, and MongoDB.
