By Sandeep Parekh
On November 13, the ministry of electronics and information technology notified the implementation timelines for the Digital Personal Data Protection (DPDP) Act, 2023, and published the final version of the DPDP Rules, 2025. Although implementation of both the DPDP Rules and Act follows a staggered model, with core operational obligations applicable from May 2027, data fiduciaries now have an 18-month transition window to realign their systems and practices to the new regime. Against this backdrop, India’s securities market, albeit already operating under data governance structures that may appear akin to privacy frameworks, is now at an inflection point that calls for closer regulatory scrutiny.
Take, for instance, data retention obligations. Much like the DPDP framework, the Securities and Exchange Board of India (Sebi) requires its registered intermediaries to preserve specified data sets. Stockbrokers, for example, must maintain books of account, records, and documents for five years. But these requirements were designed with a different purpose in mind—market surveillance, anti-money laundering (AML) compliance, and investor dispute resolution. The regulatory architecture, therefore, treated data primarily as an asset to be retained rather than as a right to be managed.
Strengthening data security compliance measures
While confidentiality obligations do exist, their force lies largely within operational circulars, and broadly worded consents embedded in standard-form client documentation can dilute their application. Data security has been addressed primarily through IT governance norms and cybersecurity standards. Yet, one key element remains absent—a systematic obligation to delete or erase personal data once its regulatory or operational purpose has been met. As a result, investors’ personal data within the securities market may continue to accumulate over time in the absence of effective deletion and data minimisation protocols.
Regulators to review existing guidelines
Regulators are now poised to review existing guidelines to ensure financial regulations and data protection laws align with the DPDP Act’s requirements, preventing any conflict between sectoral mandates and core data protection principles. A key area of focus is expected to be the Know Your Customer (KYC) regime. The current KYC Master Directions, derived from the Prevention of Money Laundering Act, require regulated entities to collect and retain certain customer data for providing financial services. While consent is mandatory for obtaining such information, any additional data gathered under a customer acceptance policy will now require a sound legal basis and must conform to the DPDP Act’s principle of data minimisation.
In line with this shift, regulators may issue instructions on setting appropriate data retention periods for AML/KYC processes, clarifying that customer data should be retained only as long as necessary to meet statutory AML obligations. They may also reiterate that while sharing customer data with authorities for AML constitutes a legitimate interest under the Act, such sharing must be both necessary and proportionate to the request made.
Further, intermediaries may be required to respect customer rights under the Act, including the right to access data and rectify inaccuracies. Regulators may encourage the use of Data Protection Impact Assessments to evaluate potential privacy risks and update related instructions on customer protection, third-party due diligence, monitoring, and data privacy to bring them in line with the new legal framework.
What emerges is a regulatory architecture in transition, shifting from a retention-based model to one centred on rights, proportionality, and accountability. The challenge for the securities market will be to pivot without compromising the robustness of market surveillance and financial integrity.
Another interesting aspect to note is that the emerging Consent Manager regime under the DPDP framework may sit alongside, and potentially intersect with, the existing Account Aggregator (AA) ecosystem. The AA framework has already created a consent-driven infrastructure for financial data-sharing, with standardised consent artefacts, open application programming interfaces, and a large set of regulated financial institutions participating across regulators. In contrast, the Consent Managers envisioned under the Act are designed as sector-agnostic intermediaries, enabling data principals to give, manage, review, and withdraw consent for various categories of personal data, with registration and oversight placed under the Data Protection Board.
Both frameworks share key conceptual building blocks, including interoperable platforms, consent logging, limits on accessing underlying data, and restrictions on outsourcing. This raises an important policy question: Can the two systems be read harmoniously? One potential approach could be to treat AAs as specialised consent managers for financial data, or alternatively to align the technical and legal standards so that intermediaries are not forced to navigate two parallel, and possibly overlapping, consent infrastructures.
Such integration, however, would require careful cross-regulatory coordination and may emerge gradually, shaped by regulatory guidance and industry practice rather than by a single, definitive policy shift.
Further, the issue of outsourcing responsibility reflects a principle already embedded within securities regulation, but the DPDP framework may expand its scope in ways that warrant deeper examination. Historically, Sebi regulations have held intermediaries accountable for compliance lapses by third parties to whom functions are outsourced, even when the intermediary has limited operational control. The DPDP regime adopts a similar approach: a data fiduciary remains liable for breaches by data processors, irrespective of contractual arrangements.
However, DPDP may broaden the dimensions of liability by including privacy-related obligations not traditionally captured in securities regulation. An intermediary could now face exposure if an outsourced vendor mishandles consent withdrawal requests, fails to deploy mandated security safeguards, or retains personal data beyond approved timelines. Such developments may compel intermediaries to revisit and renegotiate existing contracts with processors to explicitly embed DPDP obligations, particularly for entities reliant on cloud providers, payment gateways, or external data vendors. Service agreements that historically focused on operational metrics may now need to be recast through the lens of privacy compliance.
As the securities market transitions from retention- to deletion-centric protocols, from bundled consent to granular controls, and from operational oversight to privacy-centric governance, early adopters may find a competitive edge. Intermediaries that build transparent, user-friendly consent systems, automate deletion for non-regulatory data, and communicate privacy-first practices to clients could cultivate stronger trust, turning compliance into a market differentiator.
The writer is Managing Partner at Finsec Law Advisors. The article has been co-authored with Pragya Garg and Yash Vardhan, associates, Finsec Law Advisors
Disclaimer: Views expressed are personal and do not reflect the official position or policy of FinancialExpress.com. Reproducing this content without permission is prohibited.
