The world has soared to new heights of excellence in the current era of the Internet. All industry sectors have shifted to digital operations, given the convenience and ease of use they present to customers and service providers alike. Financial technology companies are no exception to this inevitable change.
Fintech has been the leading force behind numerous favourable changes in how people access financial products and services. It primarily enables you to benefit from the remarkable technological advances in the financial sector, such as conveniently availing of loans with faster approval rates at reduced prices. The industry puts limitless tailored services from A to Z at your fingertips. But high-level data security? Fintech companies require and have access to sensitive customer data to offer apt services. Consequently, they are more vulnerable to digital attacks. Fintech organisations witnessed about 2.5 more attacks than in the last two years!
That is precisely how the need for an apt data protection law became prominent and led to the long-awaited Data Protection Bill. This article will give you a thorough insight into what the data protection bill means and how it impacts Fintech companies. So read ahead!
What is the Data Protection Bill?
The Union government released the Digital Personal Data Protection Bill, or DPDP, on November 18th, 2022. It is the latest draft iteration of the Personal Data Protection Bill, 2019, and an endeavour to design a comprehensive and fitting legal framework that aligns with contemporary data protection standards, complies with privacy laws, and adapts to the digital ecosystem.

It highlights seven core principles to ensure data protection and its safe transmission. Organisations must commit to these guidelines of the bill when dealing with the personal data of individuals:
- Lawful, Fair, and Transparent Processing
The first principle mandates the legal, fair, and transparent use of data.
- Purpose Limitation
A Data Fiduciary must have a specified, legitimate, and explicit purpose for collecting personal data.
- Data Minimization
Data Controllers must process only limited data that is relevant, adequate, and fulfils the purpose.
- Accuracy of Personal Data
Data Controllers must ensure that the collected data is accurate and updated.
- Integrity and Confidentiality
Data Fiduciaries and Controllers should adopt security measures to ensure the processed data remains confidential and safe from unauthorised or unlawful activities.
- Storage Limitation
Data Fiduciaries must retain the personal data for no longer than necessary for the purpose.
- Accountability
The last principle makes Data Controllers responsible for adhering to the other principles of the bill. Controllers must ensure they comply with the principles and have appropriate processes and records to demonstrate the same.
In essence, the Data Protection Bill aims to provide protection and privacy in the digital world. It addresses the issues regarding the collection, retention, accuracy, and usage of the data that users provide when using the global digital network.
Data Protection Bill: A Need or Want?
The bill describes personal data as any information that can identify an individual. It covers the processing of different types of data, like financial, health, biometric, genetic, official identifiers, transgender status, intersex status, caste or tribe, and religious beliefs or political affiliations. Moreover, the act applies to all individuals whose data is being collected or processed, for instance customers, users, job applicants, employees, shop visitors, and website visitors, among others.
With the bill, the government aims to reconsider the pending issues in the digital world.
- It proposes multiple modern provisions to promote awareness and digital security.
- It addresses the fundamental right of a citizen to keep the data private and secure.
- Data misuse can easily open the door to economic downturns in the nation, stressing the need for a regulatory framework to prevent breaches.
- It simplifies the compliance process for startups, making it easier to operate a business.
What does Data Protection have for Fintech Startups?
Data misuse can happen in any industry, but companies engaged in financial services are the most susceptible. A small online transaction can invariably make users vulnerable. Almost 59% of Indians have been victims of data breaches by loan service providers, while 34% believe banks misuse their data. The survey outlines the need to craft appropriate measures for data security.

The bill requires Fintech companies to segregate their methods of collecting, maintaining, and retaining data based on their role as Data Fiduciaries or Data Processors. It contains the following provisions that can impact the working of the Fintech sector:
1. Extra-Territorial Application
The bill applies to any processing of digitised personal data in India, or outside India if it is for offering goods and services or profiling Data Principals. The Data Fiduciary must request personal data by giving a notice in English or any other language under the Indian Constitution.
For example, A wants to open a regular savings account and contacts a bank. The bank asks A to provide photocopies of address proof and identity for KYC formalities. Before collecting the documents, the bank must furnish a notice to A stating that the purpose of obtaining the photocopies is the completion of KYC.
2. Non-Consent-Based Processing
The bill specifically mentions the exceptions to consent under ‘Deemed Consent,’ allowing non-consent-based data processing where necessary. These situations include the voluntary submission of data, cases where data is required for legal action, prescribed valid purposes, etc.
For instance, A shares his name, mobile number, identity and address proof, etc., with a bank to acquire a debit card. A shall then be deemed to have given his consent for the collection of his name, mobile number, and other KYC details.
3. Consent Managers
Data Principals can take assistance from registered Consent Managers to affirm, review, and withdraw their consent. Consent Managers will act on behalf of the Data Principals while conforming to the provisions of the Act.
4. Data Fiduciary Obligations
Fintech companies must adhere to the obligations of Data Fiduciaries when processing digital personal data. These include limitations on data retention, data quality, adequate technical and organisational measures, data breach prevention strategies and notifications, grievance redressal mechanisms, and systematic rules to transfer data to data processors. Organisations must appoint a Data Protection Officer to ensure that correct practices are followed.
5. Data Principal Rights
The Act emphasises the involvement and consent of the Data Principal in the data collection process. Individuals providing their data have the right to information, correction, and grievance redressal.
6. Cross-Border Data Transfer
The Data Protection Bill of 2022 replaces the mandatory data mirroring and localisation with a white-listing process. The Central Government notifies territories and countries outside India where the Data Fiduciary can transfer data.
Will the Data Protection Bill be a real Game Changer?
Fintech companies require coordination and cooperation across financial regulators and other sectors to keep pace with the innovations. Although it goes against the current General Data Protection Regulation and stands far more transparent, the Act contains some gaps and errors.
The bill requires the Data Fiduciary to disclose a summary of the processed data. Fintech companies accumulate data from multiple sources besides the Data Principal to test its validity. Moreover, they often share it with third parties for official purposes, which may make it challenging to lay out a summary to the Data Principal.
The bottom line is that the bill appears inclusive and technology-friendly and strives to protect individual privacy. The power in the hands of the Central Government to pen rules sounds promising but can result in sector-specific regulatory conflicts. The bill rests far from final, but on the bright side, it undoubtedly reflects and addresses some concerns of the earlier draft. It may be a step forward towards a data privacy law for India.