According to the DPDP Act, NBFCs must collect customer consent before collecting their data. They need to mention the purpose, keep the data secure, and delete it when it is not required. Apart from this, NBFC must report the data breach on time.
If you also work in an NBFC compliance team, you must know about the RBI audits, KYC checks, and regulatory reporting. The DPDP ACT NBFC is a new and important law that every NBFC must comply with.
What Is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act, 2023, is India’s data privacy law. It applies to every organization that collects or processes digital personal data.
The DPDP Rules explain how businesses must:
- Collect customer data
- Take consent
- Protect personal information
- Delete data after use
- Report data breaches
Simplify Your Compliance & Stay Audit-Ready
Help your team manage controls, risks, and audits with ease
Does the DPDP Act Apply to NBFCs?
Yes, Every NBFC is a Data Fiduciary because it decides why and how customer data is used.
This includes information such as:
- Loan applications
- KYC documents
- PAN and Aadhaar details
- Bank statements
- Credit reports
- Repayment history
That’s why DPDP Act NBFC Compliance is applied to all NBFCs.

What Personal Data Do NBFCs Collect?
NBFCs collect and process a large amount of personal data during the customer lifecycle. This includes information collected before loan approval, during servicing, and after repayment.
- Customer name, address, mobile number, and email
- PAN and Aadhaar details
- KYC documents
- Bank account and IFSC details
- Salary slips and income proof
- Credit bureau reports
- Employment information
- Loan repayment history
- Device and IP address information collected through mobile apps
- Video KYC recordings and customer photographs
Since all of this information can identify an individual, it must be handled according to the DPDP Act.

What Does DPDP Act NBFC Compliance Require?
These are the rules an NBFC should know and follow:
Take Clear Customer Consent
Before collecting personal data, you must tell customers:
- What data you’re collecting
- Why you need it
- How it will be used
Consent must be:
- Clear
- Specific
- Given through a positive action
Pre-ticked boxes or consent hidden inside long loan agreements are not valid.
Customers should also receive the notice in English or any of India’s 22 scheduled languages.
Use Data Only for the Approved Purpose
Use customer data only for the purpose they agreed to.
For example, if a customer shares information for a loan application, you cannot use the same data to sell insurance or other financial products without getting fresh consent.
Delete Data When It Is No Longer Needed
Do not keep customer data forever.
If no law requires you to retain it, delete it once the purpose is complete.
Protect Customer Information
NBFCs must protect personal data using reasonable security measures such as:
- Encryption
- Access controls
- Activity logs
- Regular monitoring
Weak security can lead to heavy penalties.
Report Data Breaches Quickly
If a personal data breach occurs:
- Inform affected customers without delay.
- Report the breach to the Data Protection Board within the required timeline.
Having a clear incident response plan is essential.
Respect Customer Rights
Customers can:
- Know what data you hold
- Correct incorrect information
- Request deletion
- File complaints
- Nominate another person to act on their behalf
Manage Your Vendors
Loan Service Providers (LSPs), DSAs, collection agencies, and technology vendors also handle customer data.
You should have proper data processing agreements with every vendor because your NBFC remains responsible for protecting customer data.
How Does the DPDP Act Work with RBI Rules?
The DPDP Act does not replace RBI regulations. Both apply together.
For example:
- KYC is legally required under RBI and PMLA, so you don’t need separate consent for it.
- However, if you want to use customer data for marketing, analytics, or cross-selling, you must obtain separate consent.
The same applies to data retention.
PMLA requires certain records to be kept for a fixed period. After that legal requirement ends, the DPDP Act expects you to delete the data instead of storing it indefinitely.
What Are the Penalties for Non-Compliance?
The penalties are much higher than most RBI fines.
For example:
- Up to ₹250 crore for failing to protect personal data.
- Up to ₹200 crore for failing to report a data breach.
These penalties can apply for each violation.
What Is the Compliance Deadline?
The DPDP Rules are being introduced in phases. Most key requirements, including consent, customer rights, privacy notices, and breach reporting, become enforceable from 13 May 2027.
Although the deadline seems far away, updating systems, contracts, and internal processes can take several months.
How Should an NBFC Prepare?
The organization can prepare for DPDP Act NBFC compliance in the following way:
- Map where customer data is stored.
- Review and update consent forms.
- Rewrite privacy notices in simple language.
- Define how long each type of data should be kept.
- Automate data deletion wherever possible.
- Sign data processing agreements with vendors.
- Create a breach response plan and test it regularly.
Managing all of this manually becomes difficult as your business grows. Using a compliance platform like SureGrid can help automate evidence collection, track controls, and stay audit-ready across DPDP and RBI requirements.
FAQs
Ques: Is DPDP Act compliance mandatory for NBFCs?
Ans: Yes, the DPDP Act is mandatory for all organizations that collect and process customer data, including NBFCs.
Ques: What is the maximum penalty under the DPDP Act?
Ans: The maximum penalty is ₹250 crore per violation for failing to protect personal data. Failure to report a breach can result in up to ₹200 crore.
Ques: When do NBFCs need to comply?
Ans: NBFC has to prepare for the DPDP Act before the deadline of 13 May, 2027.
Ques: Who enforces the DPDP Act?
Ans: The Data Protection Board of India enforces the DPDP Act.
Ques: Can NBFCs use customer data for marketing?
Ans: Only if the customer has provided separate consent for marketing. Consent collected for loan processing cannot automatically be used for promotional messages or cross-selling financial products.