DPDP and KYC: How India's Data Law Reshapes Verification
DPDP KYC describes what customer verification now looks like in India once the Digital Personal Data Protection Act, 2023 sits on top of an onboarding flow. Firms still collect Aadhaar, PAN, and the rest, because RBI and the PMLA demand it. What the DPDP Act governs is narrower but unavoidable: how consent gets asked for, how long the data may be held, what a customer can later demand back when the relationship ends or the stated purpose lapses. Two rulebooks, one screen. Getting that overlap right is the whole game.
Stakes climbed sharply in November 2025. Government notified the Digital Personal Data Protection Rules, 2025 that month, and a long-dormant framework finally acquired operational teeth. Banks, NBFCs, fintechs, insurers: every regulated entity that runs identity checks must now reconcile two statutory obligations that pull against each other across the same set of customer records and the same moment of onboarding.
Why "DPDP KYC" is suddenly a real compliance category
For years the DPDP Act was a statute without machinery. Parliament passed the 2023 law, then stalled. Nothing moved for a long stretch. Momentum returned when the Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, with Gazette publication the following day. Provisions standing up the Data Protection Board took effect immediately. Most operational obligations carry an eighteen-month runway, a timeline that places full compliance around mid-May 2027, while the consent-manager registration regime opens on its own clock, roughly a year after the notification date itself.
Clocks are running. Penalties bite too. Failure to implement reasonable security safeguards can draw up to INR 250 crore under the Act, a ceiling steep enough that compliance leaders are now treating data protection as a board-level exposure rather than a documentation chore. Hardly a parking ticket.
Consider the tension every KYC team is now wrestling with. PMLA and RBI's KYC Master Direction push toward collecting more and keeping it longer, for anti money laundering reasons, while the very same customer file is now subject to a data-minimisation duty that wants the opposite outcome. DPDP cuts the other way, demanding less collection and earlier erasure on data-minimisation grounds. Both apply at once. Reconciling them is the new craft.
Consent: the part of KYC that changes most
Specific, informed, tied to a stated purpose: that is what consent must be under the DPDP Act. Bundling "open my account" with "share my data with a credit bureau" and "market other products to me" inside one tick box no longer passes muster, since the statute reads each of those as a distinct purpose that a customer must be free to accept or refuse on its own. Each purpose stands alone.
Abstract until you map it to a real onboarding screen. A customer might agree to identity verification for account opening while declining, say, credit-bureau sharing for a use they never signed up for. Statutory collection follows a different logic. Where PMLA and RBI rules require Aadhaar, PAN, and proof of address to onboard a regulated customer, that processing rests on a legal obligation, so a separate DPDP consent for those mandatory fields is generally not needed. Drawing the line matters. Mandatory KYC fields sit on one legal footing; optional, purpose-driven processing sits on another, and consent capture has to reflect both cleanly.
In practice that demands consent notices written in clear language, an auditable record of what each customer agreed to and when, and a withdrawal route that works without friction or a phone call to a branch. Build it sloppily. The result is the exact audit gap the Data Protection Board is empowered to investigate.
Retention: where DPDP and the PMLA openly disagree
Here sits the contradiction that keeps compliance heads up at night. Data minimisation under the DPDP Act says to erase personal data once the purpose it was collected for has been served, which on its face would clear out a customer record the moment an account closes. RBI's KYC norms and the PMLA say the opposite. Regulated records must stay.
Numbers tell the story. Banks generally must keep KYC documentation and transaction records for years after a relationship ends, a figure commonly cited around the five-to-seven-year range under AML rules, with some records held longer under specific RBI circulars. DPDP accommodates this, allowing longer retention where another law in force requires it. So the resolution is not "minimise everything." Better framed this way: minimise what you can, retain what the law compels, and prove which is which.
When a customer files an erasure request, refusing outright is not an option, and the institution must instead point to the specific statute that compels it to retain the regulated records before deleting whatever genuinely falls outside that mandate. Spell out the basis. Then erase the rest. Granular retention now beats blanket retention.
What compliant DPDP KYC actually requires of a verification stack
Tie the policy back to the workflow. A checklist emerges. Verification has to capture purpose-specific consent at the point of collection, hold the underlying KYC data securely, and keep a clean audit trail of who consented to what and when. KYC Hub's digital KYC solution for India was built to operate in precisely that overlap.
India-specific checks on the platform line up with what RBI-regulated onboarding demands. Aadhaar OKYC runs on the paperless XML route with digital confirmation. PAN, voter ID, and driving licence verify in seconds, through what the page calls UIDAI-grade checks. Remote onboarding leans on video KYC with liveness detection to satisfy the customer-present requirement. Alignment with RBI, SEBI, IRDAI, and UIDAI rules is stated there as well, sitting alongside ISO 27001 controls, end-to-end encryption, and secure storage of the sensitive identity fields the workflow handles. None of that is optional. Reasonable safeguards are the precise obligation that the INR 250 crore penalty backstops.
Two further points deserve naming. Consent capture sits inside the flow, which counts for a great deal when the DPDP Act wants every purpose on record. Integration runs through REST APIs, SDKs, and pre-built core-banking connectors, so the consent-and-retention logic can live inside the systems a bank already operates rather than bolting on beside them as a fragile second layer that drifts out of sync.
The wider Indian data-privacy backdrop
DPDP KYC did not appear from nowhere. India's data-protection journey reaches back two decades, through scattered statutes and a landmark constitutional ruling, and today's consent-first rules read far more clearly once that long arc is set out in order.
Origins trace to the Information Technology Act, 2000. Section 43A made companies liable for breaches caused by failing to keep reasonable security practices, while Section 72A criminalised disclosing information without consent. Narrow tools. Mostly concerned with security rather than broad privacy rights. A genuine shift arrived in 2017, when a nine-judge bench of the Supreme Court in the Puttaswamy judgment held privacy to be a fundamental right under Article 21 of the Constitution. Any intrusion, that ruling demanded, must be lawful, necessary, and proportionate, and it laid the constitutional foundation for a dedicated data law.
Justice B.N. Srikrishna's committee followed. A string of draft bills then circulated between 2018 and 2022 before Parliament finally passed the DPDP Act in August 2023. Out of that law came the vocabulary the industry now uses daily: data principal as the individual, data fiduciary as whoever decides the purpose and means of processing, and a consent-first model with a Data Protection Board to enforce it.
Where DPDP sits next to GDPR and CCPA
Most observers reach for the GDPR comparison instantly, and the resemblance is real on individual rights, consent, and accountability. Mechanics diverge, though. GDPR offers six lawful bases for processing, whereas the DPDP Act leans far more heavily on consent, with a narrower set of exemptions. Penalty design parts ways too: GDPR scales fines to a percentage of global turnover, while the DPDP Act fixes hard ceilings instead, the headline figure being INR 250 crore regardless of how large the offending company happens to be.
California's CCPA is built around consumer rights and applies only above certain revenue or volume thresholds, carrying detailed rules on the sale of personal information that have no neat counterpart in the Indian text. India's law reaches more broadly and treats those questions on its own terms. For a multinational the upshot is plain. A GDPR programme buys a head start, not a finished DPDP compliance posture.
Individual rights you must be ready to honour
Whatever the verification stack, the DPDP Act hands data principals concrete rights, and your processes have to answer them. People can ask what personal data you hold and how it is being processed. Access requests deserve a clear, understandable response inside a reasonable window. Customers can also have inaccurate data corrected and, in defined circumstances, erased, subject to the retention carve-outs already covered. Grievance redressal is mandatory. Data fiduciaries must run an internal complaints route and, where required, appoint someone to field them, with the Data Protection Board sitting above as the external backstop of last resort for anyone who feels ignored. Consent, once given, can be withdrawn as readily as it was granted, after which processing stops unless another lawful basis applies.
