What does DPDP Act mean for Lenders?

Avisha Khatri

Product Content Strategist
September 23, 2025

Summary

  • RBI's Digital Lending Directions are already in force, making compliance an immediate priority for lenders.
  • Lenders must secure explicit, purpose-specific consent for every use of a borrower's data and provide a clear, simple way for them to manage or withdraw it.
  • Only collect and store data that is absolutely necessary. Put strong security measures in place to protect it, and be ready to erase it when it is no longer needed.
  • Lenders are liable for the compliance of any partners processing borrower’s data.
  • Non-compliance can result in severe fines of up to ₹250 crore per violation and even a threat to business continuity from regulatory bodies.

The DPDP Act has made personal data protection a key regulatory obligation for all businesses in India. What obligations does the DPDP Act impose on lenders?

For starters - what do we mean by “lender”?

A “lender” for the purposes of this article can be one of two types of entities:

  1. Regulated Entity (RE) - Entities that are authorized by RBI to lend from their own books. REs are essentially either banks or NBFCs.
  2. LSP/Fintech - Front-end applications where customers can browse loan offers and apply for loans. LSPs/Fintechs cannot lend from their own books - they can only source customers for REs. 

In this article, we’ll talk only about direct transactions where the borrower borrows directly from the REs - no fintech or BC involved.

Does the DPDP Act impose any specific obligations on lenders?

The DPDP Act imposes obligations on any person who decides the purpose of processing personal data. Such persons are called Data Fiduciaries. So while there are no “lender-specific” clauses in the DPDP Act, these requirements do apply to all lenders. 

Here are the responsibilities of a lender (Data Fiduciary) under the DPDP Act:

  1. Consent first: Collect and process personal data only with consent; take fresh consent for any new purpose.
  2. Keep consent notices simple: Short, clear, and available in all 22 Indian languages.
  3. Give customers control: Let customers review, correct, or withdraw consent easily. Provide a simple way to raise complaints and resolve them quickly.
  4. Maintain verifiable logs: Record when and how consent was collected.
  5. Manage third-parties: Update contracts and ensure partners/vendors are handling customer data in line with DPDP rules.
  6. Collect only what’s needed: Don’t hoard data. Gather only what’s necessary for the stated purpose and keep it accurate and up to date.
  7. Protect customer data: Put technical and organizational safeguards in place to prevent leaks or misuse.
  8. Respond to breaches fast: Notify the Data Protection Board and affected customers without delay - within stipulated timelines.
  9. Erase data when it’s no longer needed: Delete customer data when consent is withdrawn, the purpose is served or retention period has expired.
  10. Handle children’s data with care: Get verifiable parental consent and don’t use children’s data for tracking or targeted ads.
  11. Provide a clear point of contact: Publish details of your Data Protection Officer (if required) or another responsible person so customers know whom to reach out to in case of any issues.

REs are also liable under the Digital Lending Directions, 2025

In May 2025, RBI enshrined data protection obligations in the Digital Lending Directions (DLD). Since these Directions are already in force, REs are required to be in compliance with them. The requirements under the DLD are:

  1. Prior and explicit consent of the borrower should be taken, with an audit trail
  2. The purpose of obtaining borrowers’ consent needs to be disclosed
  3. All REs should have a Privacy Policy in place, which is publicly available
  4. Customers should have an option to:
    1. Give or deny consent for use of specific PII
    2. Revoke consent already granted to collect PII and, if required, make the RE/LSP delete/forget the data
    3. Restrict disclosure to third parties
    4. Data retention
  5. Need-based data should be shared with LSPs and DLAs

As you may notice, the consent and personal data processing obligations in the Digital Lending Directions are virtually identical to those in the DPDP Act. RBI probably relied heavily on the Act while drafting these.

The DPDP Act is not notified yet - I can wait before starting anything, right?

No. As mentioned above, the Digital Lending Directions - which are in force today - already mandate data protection compliance from all REs. 

What changes about my current lending process after the DPDP Act?

Currently, REs collect and manage customer PII long before an application is submitted, and well beyond the final repayment.

Here’s a typical loan disbursal journey; it involves a lot of PII:

  1. Customer enters data in app or submits to branch/field agent
  2. KYC and other checks 
  3. Lender sanctions the loan
  4. Data stored in LMS
  5. Loan disbursed to the borrower
  6. Borrower makes payments

But when you analyze this flow from a personal data perspective, it becomes considerably more complex and many more steps are added. Here is the above lending flow as it actually looks today, and with DPDP compliance added:

| Stage | Current Practice | DPDP-Compliant Practice |
|---|---|---|
| Online data collection / website visit | Data collected via forms, cookies, or trackers | Show consent notice for each purpose (cookies, lead capture, marketing) and log consent |
| Telemarketing calls | Leads called using collected PII | Call only if the customer has given specific consent for PII use in telemarketing |
| Data entry in app/branch | Borrower shares information | Show consent notice covering all intended uses (loan processing, collections, marketing, third-party checks) and maintain logs |
| KYC / Credit / Fraud checks | Shared with third-party vendors | Vendor agreements must have DPDP clauses; borrower consent is needed for each third-party use |
| Data stored in LMS | Data retained indefinitely | Retain as per legal requirement (e.g. 5 years post-repayment); set default deletion after expiry |
| Loan sanction & communication | Emails/SMS sent as standard | Only communicate using channels borrower consented to |
| Loan disbursal | Account details collected and stored | Take specific consent for use of account details for disbursal |
| Repayments & reminders | Contact via phone/SMS | Use only contact details and channels borrower has consented to |
| Collections | Third-party agents may contact borrower | Ensure contracts are DPDP-compliant; contact limited to borrower-provided details |
| Customer support | PII used freely for issue resolution | Use PII only if consent covers support; allow review/withdrawal |
| Notifications & Marketing | Regular messages and upsell | Send only with prior, specific consent; customer must be able to withdraw anytime |

How do I make my lending flow DPDP compliant?

You’ll need to implement the following measures in your loan flow:

  1. Consent Notice: Provide clear notice and obtain specific, informed, and affirmative consent for each purpose for which data will be used.
  2. Active Data Protection: Implement strong encryption, access controls, and logging to protect data within the LOS/LMS.
  3. Third-Party Agreements: Have a Data Processing Agreement with the vendor and get specific consent from the borrower to share data for KYC/ credit checks. 
  4. Data Principal Rights: Be prepared for a data principal's right to access, edit and delete their personal information.
  5. Data Retention Policy: Implement a data retention and deletion policy, keeping data only for the necessary period or purpose.
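The table above and the five measures just listed all turn on the same mechanism: a per-borrower, per-purpose consent record that is checked before each use of PII, that can be withdrawn, that leaves a verifiable audit trail, and that drives erasure when the purpose is served or the retention period expires. The following is an added illustration of that mechanism, not code from the original article or from any vendor's product. The purpose names, borrower ids, notice versions, dates and the 5-year retention figure are constructed for the example; the hash chain is one common way to make a consent log tamper-evident, not a requirement quoted from the Act.

```python
"""Purpose-specific consent ledger with a tamper-evident audit trail.

Constructed example for a lender's loan flow. Every consent interaction is an
append-only, hash-chained record keyed by (borrower, purpose); "may we call
this borrower for telemarketing?" is answered from the latest record for that
purpose, and the full history can be verified later. Retention is tracked per
borrower so data can be erased on withdrawal or after the retention period.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

# Purposes a consent notice may cover (constructed, following the article's flow).
PURPOSES = {"loan_processing", "kyc_third_party", "telemarketing",
            "collections", "support", "marketing"}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    borrower_id: str
    purpose: str
    granted: bool        # True = consent given, False = denied or withdrawn
    notice_version: str  # which notice text the borrower actually saw
    channel: str         # app, branch, website, ...
    at: str              # ISO-8601 UTC timestamp
    prev_hash: str       # hash of the previous event (chain link)
    hash: str = ""       # SHA-256 over every other field


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._retention: dict[str, datetime] = {}  # borrower -> erase-after date

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        body = {k: v for k, v in asdict(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, borrower_id: str, purpose: str, granted: bool,
               notice_version: str, channel: str, at: datetime) -> ConsentEvent:
        """Append one consent decision; never overwrite earlier ones."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        prev = self._events[-1].hash if self._events else GENESIS
        ev = ConsentEvent(len(self._events), borrower_id, purpose, granted,
                          notice_version, channel, at.isoformat(), prev)
        ev = replace(ev, hash=self._digest(ev))
        self._events.append(ev)
        return ev

    def withdraw(self, borrower_id: str, purpose: str, channel: str, at: datetime) -> ConsentEvent:
        return self.record(borrower_id, purpose, False, "withdrawal", channel, at)

    def has_consent(self, borrower_id: str, purpose: str) -> bool:
        """Latest decision for (borrower, purpose) wins; no record means no consent."""
        for ev in reversed(self._events):
            if ev.borrower_id == borrower_id and ev.purpose == purpose:
                return ev.granted
        return False

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered event breaks it."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.prev_hash != prev or ev.hash != self._digest(ev):
                return False
            prev = ev.hash
        return True

    def set_retention(self, borrower_id: str, purpose_served_on: datetime, years: int) -> None:
        """Start the legal retention clock (e.g. N years after final repayment)."""
        self._retention[borrower_id] = purpose_served_on + timedelta(days=365 * years)

    def due_for_erasure(self, now: datetime) -> set[str]:
        """Borrowers whose PII should be deleted at `now`."""
        due: set[str] = set()
        for b in {ev.borrower_id for ev in self._events}:
            expiry = self._retention.get(b)
            if expiry is not None:
                if now >= expiry:          # retention period has run out
                    due.add(b)
                continue                   # legal retention still running: keep
            if not any(self.has_consent(b, p) for p in PURPOSES):
                due.add(b)                 # no purpose left that the borrower consented to
        return due


def demo() -> dict:
    """Walk two constructed borrowers through the flow and return the checks."""
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # B1 accepts notice v3 in the app for processing and third-party KYC, declines telemarketing.
    ledger.record("B1", "loan_processing", True, "v3", "app", t0)
    ledger.record("B1", "kyc_third_party", True, "v3", "app", t0)
    ledger.record("B1", "telemarketing", False, "v3", "app", t0)
    # B2 is a website lead who consented to telemarketing via the banner, then withdrew.
    ledger.record("B2", "telemarketing", True, "web-v1", "website", t0)
    ledger.withdraw("B2", "telemarketing", "website", t0 + timedelta(days=10))
    # B1 repays on day 30; keep loan data 5 years after repayment (constructed retention figure).
    ledger.set_retention("B1", t0 + timedelta(days=30), years=5)
    return {
        "b1_may_call": ledger.has_consent("B1", "telemarketing"),
        "b1_kyc_ok": ledger.has_consent("B1", "kyc_third_party"),
        "b2_may_call": ledger.has_consent("B2", "telemarketing"),
        "chain_ok": ledger.verify(),
        "erase_now": ledger.due_for_erasure(t0 + timedelta(days=40)),
        "erase_later": ledger.due_for_erasure(t0 + timedelta(days=365 * 5 + 60)),
    }


def tamper_demo() -> bool:
    """Flip a stored denial to a grant behind the ledger's back; verify() must fail."""
    ledger = ConsentLedger()
    ledger.record("B2", "telemarketing", False, "v1", "app",
                  datetime(2025, 9, 1, tzinfo=timezone.utc))
    ledger._events[0] = replace(ledger._events[0], granted=True)
    return ledger.verify()


if __name__ == "__main__":
    print(demo())
    print("tampered ledger verifies:", tamper_demo())
```

The design point is that every "may we?" question in the table (call, share with a KYC vendor, send a reminder) is a lookup against the latest event for that borrower and purpose rather than a flag on the customer profile, so withdrawal is just one more appended event and the history behind any decision survives for the audit. Retention deliberately overrides a plain "no consent left" test while the legal clock is running, which is why B1's data is kept at day 40 but falls due once the 5-year window has passed.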

Is there anything I need to do before implementing the above consent collection and management measures in my lending flow?

Great question - the answer is yes.

Ultimately, collecting and storing consent is pointless if your data storage and governance practices are not properly in place.

To check if you have DPDP-ready data governance and storage, answer the following questions:

  • Do you have visibility across all borrower PII you store/process?
  • Have you removed data no longer necessary for its collected purpose?
  • Can you find and delete a customer’s PII on request?
  • Do vendor contracts include DPDP-compliant obligations and security instructions?
  • Is there an accessible grievance mechanism (DPO/responsible contact published)?
  • Can you detect breaches and notify customers/DPB on time?
  • Do you have documented retention rules and automatic deletion after expiry?
  • Do you conduct assessments (e.g., DPIA) when needed?
  • Is access role-based and strictly limited (employees/third parties)?

If your answer to all the above questions is yes - then you are sorted. All you need to do is plug in consent collection and management.

If your answer to any of them is no, read on.

How do I make my lending organization DPDP-ready?

To turn the above Nos into Yeses, you’ll need to do the following:

  1. Appoint a DPO
  2. Conduct a gap analysis and data discovery: 
    1. Perform data discovery - an audit of all your personal data that you currently have stored with you
    2. Once data is discovered, classify it in terms of source, how it is processed, where it is stored and with whom it is shared
    3. Prepare a common standardized format for all data to be tagged and stored in your systems - for easy discovery later
  3. Practice Data Minimization - Rather than collecting “as much customer data as possible” - check if the data you are collecting is actually necessary. Stop collecting unnecessary data.
  4. Use data encryption and tokenization to add additional security. 
  5. Modify and re-execute vendor contracts to insert DPDP compliance clauses
  6. Build a "Zero Trust" model, ensuring that employees and third parties have access only to the data strictly necessary for their role.
  7. Store every consent interaction in a MeitY-compliant record for future audits.
  8. Onboard a privacy solution that helps you achieve all of the above with minimal fuss. 

What are the penalties for non-compliance?

The DPDP Act envisages fines of up to ₹250 crore per violation.

Note: Violation means any breach vis-à-vis just one customer - so data breaches involving more than one customer will attract even higher fines.

The Data Protection Board has the authority to conduct inquiries, issue remediation orders, and, in extreme cases, even recommend blocking access to non-compliant platforms. This makes the cost of non-compliance not just financial, but a direct threat to business continuity and reputation.

Over and above this, the RBI can exercise its powers of penalty under the Digital Lending Directions, 2025 separately. We have discussed this in detail in our blog - "Penalties under DPDP Act".

Essentially, lenders who violate this can face the following penalties:

  • Attract a monetary fine of up to ₹250 crore per violation
  • Face blocking access orders from the DPB
  • Face penalties by RBI

Explore Consentin - Legality’s DPDP-compliant Privacy Platform for your DPDP compliance needs
