Fair data handling and technology compliance form the ethical and regulatory foundation of India’s FinTech ecosystem. Data protection is not just a legal requirement but a fundamental pillar of building customer trust. In India, this is primarily governed by the Digital Personal Data Protection (DPDP) Act, 2023, and the Information Technology (IT) Act, 2000.


📄 Data Protection Obligations

<aside>

1️⃣ DPDP Act & IT Act Compliance

2️⃣ CERT-In Cybersecurity Incident Reporting

3️⃣ Restrictions on Storing Aadhaar Data

4️⃣ Vendor Contracts & Data Protection Obligations

</aside>

<aside>

📖 Case Study

  1. Fullerton India - Ransomware & Data Breach: In April 2023, Fullerton India, a major NBFC, became the target of a ransomware attack orchestrated by the notorious LockBit 3.0 group. More than 600 GB of sensitive customer data, including personal identifiers, loan agreements, Aadhaar numbers, addresses, and financial records, was leaked onto the dark web after Fullerton refused to pay the demanded ransom. This breach exposed both customers and the institution to significant regulatory and reputational risk.
  2. Ransomware Disruption via C-Edge Technologies: In July 2024, a ransomware breach struck C-Edge Technologies, a company providing core banking and payment infrastructure to nearly 300 cooperative and regional rural banks. The attack, attributed to the group RansomEXX, compelled the National Payments Corporation of India (NPCI) to isolate C-Edge’s systems from retail payment networks to contain the threat. As a result, customers of the affected banks lost access to ATM and UPI services for a brief period. Fortunately, a timely forensic audit confirmed that the breach remained contained and services were soon fully restored.

</aside>

<aside>

📕 Applicable Frameworks

<aside>

Entities must comply with the following legal and regulatory instruments governing data protection, cybersecurity, and technology operations:

  1. Information Technology Act, 2000 & SPDI Rules, 2011
  2. Digital Personal Data Protection Act, 2023
  3. CERT-In Directions on Cybersecurity (2022)
  4. Master Direction - Information Technology Framework for the NBFC Sector (2017)
  5. RBI Master Direction on Outsourcing of IT Services (2023)
  6. UIDAI Regulations on Aadhaar Usage

</aside>

</aside>


<aside>

⚠️ Note the disclaimers regarding the document's limitations and the need for professional legal advice.

</aside>

Once systems are secured and privacy safeguards are in place, the final step is ensuring regular filings, audits, and supervision. Proceed to Step 7: Reporting & Ongoing Compliance.
