In 2024, a major Indian insurance (NBFC) company discovered a problem it did not create.
A third-party service provider it had engaged exposed nearly six lakh customer records on a dark web forum. Names. Email addresses. Mobile numbers. Policy details. The kind of information that, in the wrong hands, enables identity fraud, targeted scams, and loan applications that were never filed by the people who own those identities.
The company moved quickly. The incident was resolved and confirmed to have no material operational impact. Reassuring, on the surface. But here is what the resolution did not address: the gap in the system that allowed a third-party vendor to hold and expose six lakh records in the first place.
That gap is not unique to one insurance company. It exists in some form at nearly every Indian bank, NBFC, and financial institution operating today. And as of November 14, 2025, it is no longer just a security risk. It is a legal liability.
What Changed on November 14, 2025
On that date, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025. The DPDP Act, which sat in legal limbo since it was passed in 2023, is now fully operational.
The Data Protection Board of India is constituted and empowered to investigate, audit, and impose financial penalties. Complaints from customers can now trigger formal proceedings. The clock on compliance is running.
This is not a future regulation to prepare for. It is a present obligation that most Indian financial institutions are already behind on.
The enforcement timeline is structured across three phases:
Phase 1 (effective November 14, 2025): Administrative provisions, the establishment of the Data Protection Board, and definitions are live.
Phase 2 (effective November 14, 2026): The “soft enforcement” phase ends. The Data Protection Board transitions from awareness-building to active regulatory supervision.
Phase 3 (effective May 14, 2027): All substantive provisions of the DPDP Act and Rules come into full force. This is the hard deadline. Every obligation, every penalty, every audit right.
Eighteen months sounds generous. It is not. Not when you consider what compliance actually requires.
Why This Is a Bigger Problem for Banks and NBFCs Than Anyone Else
Every business that handles personal data of Indian residents falls under the DPDP Act. But banks, NBFCs, insurance companies, and fintechs are in a different category of exposure.
They hold the most sensitive personal data in the country. KYC documents. Bank account numbers. Loan histories. Transaction records. PAN and Aadhaar linkages. Credit scores. Income details. This is not marketing data or browsing behaviour. This is the financial identity of their customers.
Under the DPDP Act, organisations that handle large volumes of sensitive personal data will likely be classified as Significant Data Fiduciaries. That classification comes with obligations well beyond basic compliance: a Data Protection Officer who reports directly to the Board, annual independent audits, Data Protection Impact Assessments for every new product or process, and AI governance mechanisms if algorithmic decisions affect data subjects.
If your NBFC runs a credit scoring model, that model now has a regulatory framework around it. If your bank uses customer transaction data for cross-selling, that use case needs a documented consent trail.
And the penalties for getting this wrong are real. Up to ₹250 crore per violation for inadequate security safeguards that lead to a breach. Up to ₹200 crore for failing to notify the Data Protection Board and affected customers within the required timeframe after a breach is discovered. These are not theoretical maximums. The Board has the authority to investigate and levy them.
The IBM Cost of a Data Breach report for 2025 already puts the average breach cost for Indian businesses at approximately ₹22 crore. Add a regulatory penalty of ₹250 crore on top of that, and the business case for preparation becomes simple arithmetic.
What the DPDP Act Actually Requires You to Do
This is where many organisations lose track. The DPDP Act gets discussed in boardrooms as a consent and privacy regulation. It is that. But it is also, very specifically, a technical security regulation. The two cannot be separated.
Here is what the Act and Rules require, stripped of legal language:
- Know what personal data you hold and where it flows
You cannot protect what you cannot see. The Act requires you to maintain a clear record of what personal data you collect, what you use it for, who you share it with, and for how long you retain it. Most Indian financial institutions today do not have a complete, auditable answer to this question.
- Obtain explicit, granular consent and honour withdrawal requests
Pre-ticked boxes and buried clauses in application forms no longer qualify. Consent must be free, specific, informed, and documented. More importantly, when a customer withdraws consent, you must be able to act on that withdrawal across every system that holds their data. If your core banking software, your CRM, your loan management system, and your marketing platform all hold the same customer record, the withdrawal must propagate to all of them. This requires technical integration, not just a policy document.
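The propagation requirement in the paragraph above is easier to see in code. The following is an added example and not code from the original post or from any product it names: a small consent hub that is the single source of truth, fans a withdrawal out to every system holding a copy of the customer record, logs each attempt, retries the ones that failed, and can answer the auditor's question "does any system still treat this customer as consented?". The system names, customer id and purpose are constructed, and the four downstream systems are in-memory stand-ins for a core banking system, CRM, loan management system and marketing platform.

```python
"""Propagating a consent withdrawal to every system that holds the customer record.

Added example (not from the original post). All system names, customer ids and
purposes are constructed; the downstream systems are in-memory stand-ins.
"""
from datetime import datetime, timezone


class DownstreamSystem:
    """One system that keeps its own copy of the customer's consent flags."""

    def __init__(self, name, seeded_consents=None):
        self.name = name
        # (customer_id, purpose) -> True/False, pre-seeded to mimic legacy data
        self.consents = dict(seeded_consents or {})
        self.fail_next_write = False  # hook used below to simulate an outage

    def set_consent(self, customer_id, purpose, granted):
        if self.fail_next_write:
            self.fail_next_write = False
            raise ConnectionError(f"{self.name} unreachable")
        self.consents[(customer_id, purpose)] = granted

    def has_consent(self, customer_id, purpose):
        return self.consents.get((customer_id, purpose), False)


class ConsentHub:
    """Single source of truth for consent; fans out every change and logs it."""

    def __init__(self, systems):
        self.systems = list(systems)
        self.ledger = []   # (utc time, customer, purpose, system, granted, outcome)
        self.pending = []  # writes that failed and must be retried

    def _write(self, system, customer_id, purpose, granted):
        try:
            system.set_consent(customer_id, purpose, granted)
            outcome = "ok"
        except ConnectionError as exc:
            outcome = f"failed: {exc}"
            self.pending.append((system, customer_id, purpose, granted))
        self.ledger.append((datetime.now(timezone.utc), customer_id, purpose,
                            system.name, granted, outcome))
        return outcome == "ok"

    def withdraw(self, customer_id, purpose):
        """Withdraw consent everywhere; returns the systems that did not confirm."""
        return [s.name for s in self.systems
                if not self._write(s, customer_id, purpose, False)]

    def retry_pending(self):
        """Replay failed writes; anything that fails again stays queued."""
        queued, self.pending = self.pending, []
        for system, customer_id, purpose, granted in queued:
            self._write(system, customer_id, purpose, granted)
        return [s.name for s, *_ in self.pending]

    def verify_withdrawn(self, customer_id, purpose):
        """Evidence check: which systems still treat the purpose as consented?"""
        return [s.name for s in self.systems if s.has_consent(customer_id, purpose)]


def demo():
    """Constructed scenario: one of four systems is down when the withdrawal arrives."""
    cust, purpose = "CUST-0001", "marketing_communications"   # constructed values
    seeded = {(cust, purpose): True}                          # all four already hold consent
    systems = [DownstreamSystem("core_banking", seeded),
               DownstreamSystem("crm", seeded),
               DownstreamSystem("loan_management", seeded),
               DownstreamSystem("marketing_platform", seeded)]
    hub = ConsentHub(systems)
    systems[3].fail_next_write = True               # marketing platform is unreachable
    first_pass = hub.withdraw(cust, purpose)        # systems that did not confirm
    still_consented = hub.verify_withdrawn(cust, purpose)
    after_retry = hub.retry_pending()               # systems still pending after retry
    final_check = hub.verify_withdrawn(cust, purpose)
    return first_pass, still_consented, after_retry, final_check


if __name__ == "__main__":
    print(demo())
    # Expected: (['marketing_platform'], ['marketing_platform'], [], [])
```

The point of `verify_withdrawn` is that the hub does not trust its own ledger as proof: it reads back each system's state, which is the evidence a regulator would actually ask for. A withdrawal that is "recorded" in the CRM but still live in the marketing platform is the exact failure mode the paragraph describes.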
- Implement reasonable security safeguards
The Rules specifically mandate encryption, obfuscation, masking, and tokenisation as baseline security standards. But “reasonable security safeguards” go further. The Board will look at whether you had controls in place to prevent unauthorised access to personal data. Network access control, device verification, and monitoring of third-party connections are directly relevant here.
- Report breaches to the Data Protection Board within 72 hours
This is a significant change from what most Indian companies practice today. The current CERT-In requirement already mandates reporting within six hours of detection. The DPDP Act adds an obligation to notify affected customers as well, with no minimum threshold. A breach involving even one record must be reported. If you discover a breach today and your incident response process takes two weeks to reach a notification decision, that process is now legally non-compliant.
- Manage vendor and third-party data processors contractually and operationally
The Act makes the data fiduciary, meaning your bank or NBFC, fully responsible for what your data processors do with personal data. If a vendor you engage exposes customer records, the regulatory liability falls on you. Your vendor contracts must now include binding data protection obligations, and you need operational visibility into what those vendors are doing with your data. A signed contract is not sufficient. You need the ability to monitor and verify.
The Security Gap That Makes All of This Hard
Most Indian banks and NBFCs have firewalls. Many have basic endpoint protection. Some have SIEM systems or security operations teams.
What very few have is real-time visibility into every device that connects to their network.
That matters for DPDP compliance because personal data does not sit still. It moves across devices, across systems, across vendor connections. And every device that has access to a network segment holding personal data is a potential breach point.
Consider the typical NBFC IT environment. Branch staff connect personal laptops to the office Wi-Fi to access internal systems. A software vendor’s engineer plugs into the network for a system upgrade. A printing or CCTV vendor installs a device that quietly sits on the LAN and never gets reviewed again. A departing employee’s credentials remain active because IT offboarding was not coordinated with HR.
Every single one of these scenarios creates a device on your network that you may not have authorised, may not be monitoring, and may not know about. Under the DPDP Act, if any of those devices contributes to a personal data breach, you are liable.
The Act does not ask whether you intended to have a security gap. It asks whether you had reasonable safeguards in place. If an unknown or unmonitored device accessed customer data, the absence of network visibility is itself a compliance failure.
This is where EasyNAC addresses a specific and documented gap in the DPDP compliance picture. Network Access Control gives you a real-time inventory of every device connected to your network. It identifies rogue or unrecognised devices the moment they connect. It can enforce policy-based responses automatically, blocking unauthorised devices before they can access sensitive data segments.
Critically, EasyNAC works without requiring any changes to your existing switch infrastructure or network reconfiguration. For an NBFC or bank that needs to demonstrate network security controls to a DPDP auditor, this is the kind of evidence that matters: not a policy statement, but a live system that shows exactly what is on your network and what it is allowed to do.
Return to the insurance breach described at the start of this piece. A NAC solution that enforced network segmentation for vendor devices and flagged any unusual data access from those devices would have limited the blast radius dramatically, and might have triggered the internal alert that stopped the leak before six lakh records were gone.
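The admission logic the preceding paragraphs describe, namely an authorised-device inventory, a decision the moment a device appears, and a policy response that keeps unknown or misplaced devices away from segments holding personal data, is shown below as an added example. It is illustrative code written for this article, not code from EasyNAC or any other product; the inventory, MAC addresses, switch ports, segment names and connection events are all constructed.

```python
"""Policy-based device admission check of the kind a NAC performs.

Added example, not product code. Every MAC address, owner, port and segment
below is constructed for illustration.
"""
from dataclasses import dataclass

# Authorised-device inventory: MAC -> (owner, device class, segments it may reach).
# In a real deployment this comes from asset management plus device enrolment.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("branch-laptop-17", "corporate", {"corp_lan", "customer_data"}),
    "aa:bb:cc:00:00:02": ("loan-officer-desktop-3", "corporate", {"corp_lan", "customer_data"}),
    "de:ad:be:ef:10:01": ("cctv-nvr-lobby", "iot", {"iot_vlan"}),
    "c0:ff:ee:20:00:05": ("vendor-upgrade-laptop", "vendor", {"vendor_vlan"}),
}


@dataclass(frozen=True)
class ConnectionEvent:
    mac: str
    port: str      # switch port or SSID the device appeared on
    segment: str   # network segment that port lands the device in


@dataclass(frozen=True)
class Decision:
    mac: str
    verdict: str   # "allow", "quarantine" or "block"
    reason: str


def evaluate(event):
    """Decide what happens to one device at the moment it connects."""
    mac = event.mac.lower()                 # normalise case before the lookup
    entry = INVENTORY.get(mac)
    if entry is None:
        # Unknown hardware: block at the port before it can reach anything
        return Decision(mac, "block", f"unknown device on {event.port}; not in inventory")
    owner, dev_class, allowed = entry
    if event.segment not in allowed:
        # Known device in the wrong place, e.g. a vendor laptop landing in customer_data
        return Decision(mac, "quarantine",
                        f"{owner} ({dev_class}) is not permitted in {event.segment}")
    return Decision(mac, "allow", f"{owner} authorised for {event.segment}")


def process(events):
    """Evaluate a batch of events; return decisions, an audit log and a summary."""
    decisions = [evaluate(e) for e in events]
    log = [f"{d.verdict.upper():<10} {d.mac} {d.reason}" for d in decisions]
    summary = {v: sum(1 for d in decisions if d.verdict == v)
               for v in ("allow", "quarantine", "block")}
    return decisions, log, summary


# Constructed connection events mirroring the scenarios in the article
SAMPLE_EVENTS = [
    ConnectionEvent("aa:bb:cc:00:00:01", "sw1/gi1/0/4", "customer_data"),   # staff laptop, right place
    ConnectionEvent("c0:ff:ee:20:00:05", "sw2/gi1/0/12", "customer_data"),  # vendor laptop on wrong port
    ConnectionEvent("11:22:33:44:55:66", "office-wifi", "corp_lan"),        # personal laptop, unknown
    ConnectionEvent("DE:AD:BE:EF:10:01", "sw3/gi1/0/20", "iot_vlan"),       # CCTV NVR where expected
    ConnectionEvent("de:ad:be:ef:10:01", "sw1/gi1/0/9", "corp_lan"),        # CCTV NVR moved to corp LAN
]


def verdicts_for_sample():
    decisions, _, _ = process(SAMPLE_EVENTS)
    return [d.verdict for d in decisions]


def summary_for_sample():
    _, _, summary = process(SAMPLE_EVENTS)
    return summary


if __name__ == "__main__":
    _, log, summary = process(SAMPLE_EVENTS)
    print("\n".join(log))
    print(summary)
```

Two design points carry over to real deployments. The default for an unrecognised device is deny, not "log and allow", because under the Act an unmonitored device touching customer data is itself the safeguard failure. And the log line per decision is the audit artefact: it records what connected, where, and what the policy did about it, which is the live evidence the article contrasts with a policy statement.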
Steps Every Indian Bank or NBFC Should Take Before November 2026
The November 2026 deadline is when the Data Protection Board shifts from guidance to enforcement. That is approximately 18 months from when the Rules were notified. Most of that time has already passed. Here is what needs to happen now.
- Conduct a personal data inventory across all systems
Map every system that holds personal data: core banking, loan management, CRM, HR systems, marketing platforms, third-party integrations, and cloud storage. For each, document what data is held, who has access, and how it is secured. This inventory is the foundation of everything else.
- Audit every third-party vendor who touches your customer data
List every fintech partner, software vendor, BPO provider, and IT services company that processes personal data on your behalf. Review their contracts. Assess their security posture. Determine whether they meet the DPDP Rules’ minimum security standards. Where they do not, you have two choices: build compliance requirements into a revised contract, or stop sharing data with them until they meet the standard.
- Deploy network access control to establish device visibility
Before you can demonstrate “reasonable security safeguards,” you need to know what devices are on your network. EasyNAC provides this without a disruptive infrastructure change. It is the foundation on which network security compliance sits. Without device visibility, a compliance audit starts with a gap you cannot explain away.
- Tighten employee access management and offboarding
Under the DPDP Act, access to personal data must be limited to what each role genuinely requires. More importantly, when an employee exits, their access to systems holding personal data must be revoked immediately. A manual offboarding process that takes days or weeks is a compliance risk. For organisations without a structured HRMS that coordinates IT access revocation with departures, this gap is worth addressing directly. OfficeSIA handles this as part of its employee lifecycle management, ensuring that the moment an exit is recorded in the system, access revocation is triggered automatically.
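Both halves of this step, limiting access to what a role needs and revoking it the moment an exit is recorded, come down to reconciling the HR roster against the accounts that actually exist. The block below is an added example written for this article, not code from OfficeSIA or any HRMS: it takes a constructed roster, a constructed role-to-entitlement map and a constructed account export, and reports accounts that belong to exited staff, accounts with no HR owner at all, and entitlements a role does not require.

```python
"""Offboarding and least-privilege reconciliation.

Added example, not product code. The roster, role map, account export and
check date are all constructed for illustration.
"""
from datetime import date

# Role -> entitlements that role genuinely requires (constructed)
ROLE_ENTITLEMENTS = {
    "loan_officer": {"lms:read", "lms:write", "crm:read"},
    "branch_ops":   {"core:read", "crm:read"},
    "it_admin":     {"core:admin", "lms:admin", "crm:admin"},
}

# HR roster: employee_id -> (role, exit_date or None if still employed)
HR_ROSTER = {
    "E1001": ("loan_officer", None),
    "E1002": ("branch_ops", date(2026, 1, 31)),   # exited; access should already be gone
    "E1003": ("it_admin", None),
}

# Account export from each system: (system, account_id, employee_id, entitlement, active)
ACCOUNTS = [
    ("lms",  "lms-u-1001",  "E1001", "lms:write",  True),   # in role, fine
    ("crm",  "crm-u-1001",  "E1001", "crm:admin",  True),   # beyond the role's needs
    ("core", "core-u-1002", "E1002", "core:read",  True),   # owner exited, still active
    ("crm",  "crm-u-1002",  "E1002", "crm:read",   False),  # already disabled, fine
    ("core", "core-svc-77", None,    "core:admin", True),   # no HR owner at all
    ("lms",  "lms-u-1003",  "E1003", "lms:admin",  True),   # in role, fine
]

CHECK_DATE = date(2026, 2, 15)   # constructed "today" for the sample run


def reconcile(accounts, roster, role_entitlements, today):
    """Return (finding_type, system, account_id, detail) for every account needing action."""
    findings = []
    for system, account_id, emp_id, entitlement, active in accounts:
        if not active:
            continue                                   # already revoked; nothing to do
        if emp_id is None or emp_id not in roster:
            findings.append(("orphan_account", system, account_id,
                             "no HR owner; revoke or assign an accountable owner"))
            continue
        role, exit_date = roster[emp_id]
        if exit_date is not None and exit_date <= today:
            findings.append(("exited_still_active", system, account_id,
                             f"{emp_id} exited {exit_date.isoformat()}; revoke now"))
            continue
        if entitlement not in role_entitlements.get(role, set()):
            findings.append(("excess_entitlement", system, account_id,
                             f"{entitlement} is not required by role {role}"))
    return findings


def findings_for_sample():
    return reconcile(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, CHECK_DATE)


if __name__ == "__main__":
    for finding in findings_for_sample():
        print(" | ".join(str(part) for part in finding))
```

Run on a schedule (or, better, on every recorded exit), the `exited_still_active` list is precisely the gap between the HR event and the IT action that the paragraph warns about; if the list is ever non-empty the day after an exit, the offboarding hand-off is not working. The `orphan_account` class is worth including because service and shared accounts with no accountable owner are the ones nobody thinks to revoke.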
- Update your consent architecture across customer-facing systems
Review every customer touchpoint: account opening forms, loan applications, digital onboarding journeys, marketing communications. Every consent request must meet the Act’s standard of being free, specific, informed, and documented. Pre-ticked boxes, vague privacy notices, and bundled consent for unrelated purposes are all non-compliant.
- Build a breach notification protocol and test it
The 72-hour notification requirement under DPDP, combined with the six-hour CERT-In requirement, means your incident response process must move significantly faster than most Indian companies currently manage. Build a documented protocol: who declares a breach, who notifies the Board, who contacts affected customers, and what the template communications look like. Run a tabletop exercise this quarter.
- Get your leadership team the right visibility before an auditor does
The DPDP Act is not just an IT compliance exercise. A regulatory investigation or a breach that triggers Board proceedings is a board-level event. CTOs and CISOs who cannot give their CEO or CFO a clear picture of the organisation’s data protection posture in real time are operating blind. FacctorX, Skeletos’s CXO dashboard, gives leadership the operational visibility they need to track compliance status, open risks, and security posture without waiting for a quarterly IT report.
The Pattern Behind This Regulation
The DPDP Act did not emerge from nowhere. It is India’s response to a pattern of breaches, inadequate vendor controls, and a decade of customer data being monetised, shared, and lost with minimal accountability.
In 2025 alone, there were over 248 confirmed data breaches across scheduled commercial banks. Cybercrime losses across sectors hit an estimated ₹20,000 crore, with banking and financial services bearing the largest share at ₹8,200 crore. These numbers did not emerge because banks became careless overnight. They emerged because the attack surface grew, vendor ecosystems expanded, device counts multiplied, and security controls did not keep pace. (Source: Cyber Law Consulting)
The DPDP Act is the government’s acknowledgement that voluntary improvement was not working. The penalties exist to make non-compliance more expensive than compliance. That calculation is now straightforward.
November 2026 is widely expected to mark the transition from India’s “soft enforcement” phase to active regulatory supervision by the Data Protection Board. Organisations that treat the May 2027 deadline as the real start date will find themselves in front of the Board’s investigators long before then. (Source: India Briefing)
Final Thought
I have sat across from IT heads at banks and NBFCs who genuinely believe DPDP compliance is a legal and policy exercise. Something for the compliance team. A checkbox exercise managed by lawyers.
That understanding is going to be expensive.
The DPDP Act has teeth precisely because it reaches into technical controls. It asks whether you had encryption. Whether you monitored vendor access. Whether you could detect a breach and notify within 72 hours. Whether you knew what was on your network.
These are not questions that a policy document answers. They are questions that require systems, controls, and evidence.
The organisations that will sail through a Data Protection Board investigation are not the ones with the best-written privacy policies. They are the ones that can demonstrate, in real time, that they knew what personal data they held, who could access it, what devices were on their network, and that they moved immediately when something went wrong.
The window to get there is closing.
At Skeletos IT Services, we help Indian banks, NBFCs, and financial institutions deploy EasyNAC, a plug-and-protect Network Access Control solution that gives IT teams real-time visibility into every device on their network without any switch changes or network reconfiguration. DPDP compliance requires demonstrable security controls, not just written policies. If you want to understand what is actually connected to your network right now, we can show you in a 30-minute demo.