Chapter VI of the Personal Data Protection Bill 2019 enlist the rights of data
Some of these rights which affect compliance for lenders are as
- Informed Consent:
Personal data shall only be processed after explicit
consent given by the data principal at the commencement of its processing.
Hence, lenders cannot assume implied consent for processing customer data. As
per Section 11, the consent must be free, specific, clear, capable of being
withdrawn and most importantly €“ it must be informed with the information
specified in Section 7 of the Bill.
- Specific Purpose:
Personal data shall be collected only to the extent
that is necessary for the purposes of processing. This means that it cannot be
collected for reasons that are not known or declared.
- Data Erasure:
Personal data must be erased after the purpose for which
it was shared has been met. The data principal has the right to ask for the
erasure of their personal data. This poses an issue because Fintechs and NBFCs
may be required by other statutory laws to store the data for a longer period.
In case the Data Principal exercises the right to be forgotten, the same will
have to be complied with since the Bill prescribes for an overriding effect.
- Data Portability:
When the processing of the personal data has been
carried out through automated means, the data principal has the right to receive
a copy of their personal data in a structured, commonly used and
These rights have a bearing on the different types of data collected at
different steps of the lending process.
When commencing the process of lending, basic documents such as identity proof
and address proof are needed to get to know the customer.
The clauses from the
draft bill that can affect the KYC process are:
- Storage Limitation:
after the loan has been repaid, the data principal can
request erasure of all the KYC data
- Data Portability:
with eKYC and VideoKYC being adopted, automated processing is
becoming common. The data fiduciary must keep a copy of the data in case it is
requested by the data principal
A number of data sources are inspected as a part of the credit underwriting
process. Although the provisions of the bill do not apply to data collected from
public sources, but it has huge implications for those collected from private
sources. Credit assessment done by oulling information through methods like SMS
Reading, Bank and Email login based pull would need to be consent based.
Credit Bureau Access
Lenders are often obligated to share a customer's personal data with credit
bureaus and other third parties while servicing a loan. Under the bill's
provisions, the transactions, details of the companies involved and the
justification for this data transfer must be explained by lenders to their
Although credit scoring is a €śreasonable purpose€ť exception in the bill
which allows personal data to be processed without consent, it is not certain if
it grants an exception from the right to data erasure. The storage of personally
identifiable information (PII) implies that a data principal can request it to
be completely erased.
Data localisation norms
Data localisation has been an important issue for Fintech entities, particularly
those who have global business and foreign headquarters. The storage norms
impose strict restrictions on storage of data. The Bill proposes that sensitive
personal data (which includes financial data) must be stored in India only. The
same may be transferred abroad, however this is again subject to certain
conditions such as taking approval of the relevant authority.
Privacy by Design
The bill mandates every data fiduciary to build a robust privacy system for
storing and processing of personal data. Fintech entities along with other data
fiduciaries must prepare a privacy by design policy that must contain the
essential features laid down in Section 22. The policy formulated may be sent to
the Data Protection Authority for certification. The policy must be published on
the organisation and the authority's website.
Non-compliance is liable to a penalty. This penalty could go up to 15 crore
rupees or 4% of a data fiduciary's total worldwide turnover of the preceding
financial year, whichever is higher. It is thus imperative for fintech companies
and banks to start preparing for these compliance measures.