Chapter VI of the Personal Data Protection Bill 2019 enlist the rights of data principals.
Some of these rights which affect compliance for lenders are as follows:

• Informed Consent:
  Personal data shall only be processed after explicit consent given by the data principal at the commencement of its processing. Hence, lenders cannot assume implied consent for processing customer data. As per Section 11, the consent must be free, specific, clear, capable of being withdrawn and most importantly €“ it must be informed with the information specified in Section 7 of the Bill.
   
• Specific Purpose:
  Personal data shall be collected only to the extent that is necessary for the purposes of processing. This means that it cannot be collected for reasons that are not known or declared.
   
• Data Erasure:
  Personal data must be erased after the purpose for which it was shared has been met. The data principal has the right to ask for the erasure of their personal data. This poses an issue because Fintechs and NBFCs may be required by other statutory laws to store the data for a longer period. In case the Data Principal exercises the right to be forgotten, the same will have to be complied with since the Bill prescribes for an overriding effect.
   
• Data Portability:
  When the processing of the personal data has been carried out through automated means, the data principal has the right to receive a copy of their personal data in a structured, commonly used and machine-readable format.
   

These rights have a bearing on the different types of data collected at different steps of the lending process.

KYC Process
When commencing the process of lending, basic documents such as identity proof and address proof are needed to get to know the customer.

The clauses from the draft bill that can affect the KYC process are:

• Storage Limitation:
  after the loan has been repaid, the data principal can request erasure of all the KYC data
• Data Portability:
  with eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal

Credit Underwriting
A number of data sources are inspected as a part of the credit underwriting process. Although the provisions of the bill do not apply to data collected from public sources, but it has huge implications for those collected from private sources. Credit assessment done by oulling information through methods like SMS Reading, Bank and Email login based pull would need to be consent based.

Credit Bureau Access
Lenders are often obligated to share a customer's personal data with credit bureaus and other third parties while servicing a loan. Under the bill's provisions, the transactions, details of the companies involved and the justification for this data transfer must be explained by lenders to their customers.

Although credit scoring is a €œreasonable purpose€ exception in the bill which allows personal data to be processed without consent, it is not certain if it grants an exception from the right to data erasure. The storage of personally identifiable information (PII) implies that a data principal can request it to be completely erased.

Data localisation norms
Data localisation has been an important issue for Fintech entities, particularly those who have global business and foreign headquarters. The storage norms impose strict restrictions on storage of data. The Bill proposes that sensitive personal data (which includes financial data) must be stored in India only. The same may be transferred abroad, however this is again subject to certain conditions such as taking approval of the relevant authority.

Privacy by Design
The bill mandates every data fiduciary to build a robust privacy system for storing and processing of personal data. Fintech entities along with other data fiduciaries must prepare a privacy by design policy that must contain the essential features laid down in Section 22. The policy formulated may be sent to the Data Protection Authority for certification. The policy must be published on the organisation and the authority's website.

Penalties
Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintech companies and banks to start preparing for these compliance measures.