Interplay Between India’s DPDP Act and Sectoral Regulators (e.g., RBI, IRDAI, SEBI, TRAI)

POSTED ON JANUARY 05, 2026 BY DATA SECURE

Introduction

India’s data protection framework has undergone a significant shift with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), which seeks to establish a uniform, rights-based regime governing the processing of personal data in an increasingly digital economy. Affecting nearly 1.4 billion individuals, the Act marks a departure from India’s historically fragmented, sector-driven approach to privacy regulation.

This development is particularly consequential for the banking, financial services, and fintech sectors, which process large volumes of sensitive personal and financial data and remain highly vulnerable to cyber threats, data breaches, and financial fraud. While regulators such as the Reserve Bank of India (RBI) have long imposed cybersecurity, data localisation, and risk management obligations, the DPDP Act introduces an additional horizontal layer of compliance grounded in consent, accountability, and data principal rights.

As the DPDP Act operates alongside existing statutes and sectoral regulations, including RBI frameworks and the Information Technology Act, 2000, regulated entities now face an overlay regime requiring simultaneous compliance with multiple legal standards.

The DPDP Act and Its Interaction with Existing Laws:


The enactment of the Digital Personal Data Protection Act, 2023, represents a watershed moment in India’s effort to construct a comprehensive data protection framework suited to an increasingly digital society. Designed to govern the processing of personal data across sectors, the Act is expected to impact nearly 1.4 billion individuals, significantly reshaping how both public and private entities collect, use, and disclose personal information. As the government prepares to notify the Act’s subordinate rules, attention has increasingly shifted from the text of the statute itself to its interaction with pre-existing legal and regulatory regimes.

While the DPDP Act aspires to bring coherence to India’s fragmented data governance landscape, early discussions reveal potential contradictions with several existing statutes, including the Right to Information Act, 2005, the Information Technology Act, 2000, and regulatory frameworks issued by authorities such as the Reserve Bank of India (RBI) and the Telecom Regulatory Authority of India (TRAI). This has generated widespread debate among businesses, regulators, and policy institutions regarding regulatory overlap, interpretational uncertainty, and the risk of conflicting compliance obligations.

The introduction of the DPDP Act has been widely acknowledged as a transformative step in India’s digital regulatory journey. However, businesses have expressed concerns about the implications of overlapping compliance regimes on trade, operational efficiency, and cross-border data flows. At the same time, government bodies such as NITI Aayog have emphasised the need to strike a careful balance between protecting individual privacy and preserving public interest objectives, including transparency, innovation, and economic growth. As highlighted in policy discussions and forums such as the IAPP Asia Privacy Forum 2024, the DPDP Act is intended not only to strengthen privacy protections but also to support the expansion of India’s digital economy, an ambition that may be undermined if regulatory conflicts remain unresolved.

Interplay Between the DPDP Act and Sectoral Regulators:


  • RBI and the DPDP Act: The Reserve Bank of India has long imposed stringent data-related obligations on regulated entities, particularly banks and payment system operators. Under existing RBI norms, banks are required to retain KYC records for a minimum period of five years following the closure of an account. In addition, the RBI’s cybersecurity framework mandates rapid reporting of cyber incidents, including notification to CERT-In within six hours of detection. Payment system operators are further subject to data localisation requirements, which restrict the storage of payment data to servers located within India.

    These sector-specific mandates intersect directly with the rights-based framework introduced by the DPDP Act. While the DPDP Act grants data principals the right to seek erasure of personal data, such requests cannot override statutory retention obligations imposed by the RBI. Similarly, breach notification obligations under the DPDP Act, requiring intimation to the Data Protection Board of India and affected individuals, operate alongside RBI’s immediate supervisory reporting requirements, creating the possibility of dual or multiple disclosures arising from a single incident. Further, while the DPDP Act permits cross-border data transfers subject to government notification, RBI’s localisation rules continue to impose stricter constraints on financial and payment data.

    In practice, this means that when a digital bank receives a data erasure request under the DPDP Act, it may lawfully refuse deletion where retention is mandated by RBI regulations. However, compliance does not end with refusal. The bank must ensure that non-essential data is deleted, clearly communicate the legal basis for retention to the customer, and maintain proper documentation to justify its decision in the event of scrutiny by the Data Protection Board.

  • SEBI and the DPDP Act: SEBI’s regulatory framework places strong emphasis on cybersecurity resilience, market integrity, and investor protection. Market intermediaries, stock exchanges, and depositories are required to report cyber incidents, maintain secure and auditable IT systems, and retain investor records for prescribed periods. These obligations are central to ensuring transparency and traceability in capital markets.

    The DPDP Act overlays this framework by introducing consent-based processing and enforceable data principal rights. However, SEBI-regulated entities often collect and process investor data pursuant to statutory mandates rather than contractual consent. As a result, the withdrawal of consent under the DPDP Act may be constrained where continued processing is necessary for regulatory compliance. Record retention requirements under SEBI regulations may also limit the practical application of the right to erasure. Additionally, SEBI’s grievance redressal mechanism through the SCORES platform now coexists with grievance obligations under the DPDP Act, raising questions of procedural overlap.

    For instance, if an investor seeks deletion of trading history citing DPDP rights, a broker cannot accede to such a request where SEBI mandates retention. Nevertheless, the broker remains obligated to restrict the use of such data strictly to compliance purposes and eliminate peripheral or non-essential datasets, such as marketing or analytics logs.

  • IRDAI and the DPDP Act: In the insurance sector, IRDAI regulations prioritise policyholder protection, confidentiality, and accountability. Insurers are required to maintain detailed records relating to policies and claims, including sensitive health and medical information, and must ensure robust safeguards when outsourcing data processing activities.

    The DPDP Act largely aligns with IRDAI’s emphasis on informed consent, particularly in relation to health data. However, tensions arise in relation to data retention and erasure. Claims-related records may need to be retained for extended periods under IRDAI rules, even where erasure is sought under the DPDP Act. Breach notification obligations under IRDAI regulations may also overlap with DPDP requirements, potentially necessitating multiple disclosures.

    A typical example arises where a nominee of a deceased policyholder requests erasure of medical records. In such cases, insurers must balance DPDP principles with IRDAI’s retention mandates, retaining only what is legally necessary while limiting further processing or use.

  • TRAI and the DPDP Act: TRAI regulates the handling of subscriber data through mandatory KYC requirements, data security directions, and anti-spam frameworks such as the Do Not Disturb registry. Telecom service providers are required to store subscriber records and prevent unsolicited communications.

    The DPDP Act expands the scope of consent beyond communication-related preferences, applying it to all forms of personal data processing. This expansion creates overlap between TRAI’s spam control mechanisms and DPDP’s consent and grievance framework. Further, TRAI-mandated retention of subscriber data may restrict the applicability of DPDP erasure rights.

    In practical terms, where a subscriber raises a DPDP grievance against a telecom operator for unsolicited communications despite DND registration, the operator must address both TRAI’s regulatory obligations and DPDP consent requirements. Mishandling such complaints could expose the entity to parallel regulatory action.
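The erasure-versus-retention handling described for the bank, the broker and the insurer above follows one pattern: erase whatever is not under a live statutory retention mandate, retain the rest, tell the data principal the legal basis, and keep a record for the Data Protection Board. The following added example (not code from the original post or from any regulator) models that decision logic; the five-year KYC period is the one the post attributes to RBI, while the SEBI and IRDAI periods and all record categories are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention table: category -> (legal basis, days to retain after the
# triggering event). Only the RBI KYC period comes from the post; the SEBI and
# IRDAI figures are placeholders for mandates the post describes only in general.
RETENTION_RULES = {
    "kyc_record":   ("RBI KYC retention (5 years after account closure)", 5 * 365),
    "trade_record": ("SEBI record-retention mandate (placeholder period)", 5 * 365),
    "claim_record": ("IRDAI claims-record retention (placeholder period)", 10 * 365),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str     # e.g. "kyc_record", "marketing_log"
    event_date: date  # account closure, trade date, claim settlement, ...

@dataclass
class ErasureOutcome:
    deleted: list     # record ids actually erased
    retained: dict    # record_id -> legal basis to communicate to the data principal
    audit_log: list   # one line per decision, kept for regulatory scrutiny

def handle_erasure_request(records, today):
    """Erase records with no live statutory mandate; retain and document the rest."""
    out = ErasureOutcome([], {}, [])
    for r in records:
        rule = RETENTION_RULES.get(r.category)
        if rule is not None:
            basis, days = rule
            expiry = r.event_date + timedelta(days=days)
            if today < expiry:  # mandate still running: refuse, but explain and log
                out.retained[r.record_id] = basis
                out.audit_log.append(f"{r.record_id}: RETAIN until {expiry} ({basis})")
                continue
        # No mandate, or the mandated period has run its course: erase.
        out.deleted.append(r.record_id)
        out.audit_log.append(f"{r.record_id}: DELETE ({r.category}, no live mandate)")
    return out

# Constructed sample: one customer's records at a digital bank, assessed on 2026-01-05.
SAMPLE = [
    Record("kyc-1", "kyc_record", date(2024, 6, 1)),     # account closed in 2024
    Record("kyc-0", "kyc_record", date(2018, 1, 1)),     # closed; period already over
    Record("mkt-7", "marketing_log", date(2025, 3, 3)),  # consent-based, peripheral
    Record("ana-2", "analytics_log", date(2025, 9, 9)),  # consent-based, peripheral
]

def run_sample():
    return handle_erasure_request(SAMPLE, date(2026, 1, 5))

if __name__ == "__main__":
    print("\n".join(run_sample().audit_log))
```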

Key Areas of Conflict and Duplication:


Across sectors, four recurring friction points emerge. First, sectoral retention mandates frequently clash with DPDP’s erasure rights, requiring fiduciaries to rely on lawful exemptions and transparent communication. Second, breach notification obligations under CERT-In, sectoral regulators, and the DPDP Act risk duplicative reporting for a single incident. Third, multiple grievance redressal mechanisms, such as SCORES, insurance ombudsmen, DND platforms, and DPDP grievance officers, create procedural complexity. Finally, cross-border data transfer restrictions, particularly in the financial sector, operate alongside DPDP’s government-notified transfer regime.

Way Forward:

Internationally, similar overlaps exist. In the European Union, data protection authorities function alongside sectoral regulators such as central banks, with coordination mechanisms enabling regulatory coherence. In the United States, sector-specific laws like HIPAA coexist with broader consumer protection frameworks, often resulting in overlapping obligations. The UK model, where the Financial Conduct Authority and the Information Commissioner’s Office issue coordinated guidance, offers a particularly instructive example. For India, meaningful inter-regulatory coordination will be essential to prevent uncertainty and conflicting compliance burdens.

Conclusion:

The DPDP Act introduces a comprehensive, horizontal data protection framework that operates alongside sectoral regimes administered by RBI, SEBI, IRDAI, and TRAI. While these frameworks are broadly complementary, unresolved tensions persist in areas such as data retention, breach reporting, grievance redressal, and cross-border transfers. Addressing these overlaps through coordination and clear guidance will be central to ensuring that India’s evolving data protection ecosystem is both effective and predictable.

We at Data Secure (Data Privacy Automation Solution) DATA SECURE - Data Privacy Automation Solution can help you to understand EU GDPR and its ramifications and design a solution to meet compliance and the regulatory framework of EU GDPR and avoid potentially costly fines.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading the various Global Privacy Laws kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025

We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. The resource provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025

We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To Know More, Kindly Visit – Your Trusted Partner in AI Risk Assessment and Privacy Compliance | AI-Nexus