The Digital Personal Data Protection Act, 2023 introduces new obligations for FinTech companies in India. FinTechs must now comply with the Act for all digital personal data, expanding protections. They must appoint a Notice and Consent Manager to provide notices and obtain consent in multiple languages. Startups receive exemptions from some obligations. FinTechs must also obtain consent from parents or guardians when processing data of children or those with disabilities, inform users of data breaches, and may face monetary penalties for violations imposed by the Data Protection Board.
Action points for FinTech companies post the Digital Personal Data Protection Act, 2023
New obligations for FinTechs to comply:
1. The Act is applicable to all digital personal data, thus ensuring more protection, not just for sensitive personal data as it was before.
2. In place of a privacy policy, a Notice and Consent Manager has been mandated. Notice and Consent are to be provided in the languages under the Eighth Schedule of the Constitution, apart from English.
● For consent given before the commencement of the Act, Data Fiduciaries (DFs) are to provide a Notice as well. The Notice is to include the manner in which a Data Principal (DP) may exercise her rights, as well as how to make a complaint to the Board.
3. FinTech companies that are startups have been exempted from the mandate of Notice and from the additional obligations for Significant Data Fiduciaries (SDFs).
4. While processing Personal Data of Children or persons with disability, consent is to be obtained through the parent/lawful guardian.
5. A summary of the personal data processed and the identities of the DFs with whom it has been shared are to be provided to the DP.
6. The Data Principal and the Data Protection Board are to be intimated in case of a personal data breach.
7. The Board is to impose monetary penalties for breach of provisions of the Act. The quantum of penalty is provided under The Schedule of the Act.
8. SDFs are obligated to appoint a Data Protection Officer and conduct a periodic Data Protection Impact Assessment. The Data Protection Officer serves for grievance redressal and as a point of contact in case of a data breach.
9. Section 16 allows extraterritorial processing and transfer of Personal Data, except to such countries as are restricted by the Central Government through notification.