Digital Lending: Navigating the Interplay Between RBI Guidelines and DPDP Rules

Digio.in | Lending | 4 min read

India’s digital lending ecosystem is entering a decisive compliance phase. With the DPDP Rules notified and RBI mandates tightening, lenders and LSPs must rethink consent, data roles, legacy data, and governance frameworks ahead of the 2027 enforcement deadline.

The digital lending landscape is entering a period of fundamental transformation. With the notification of the Digital Personal Data Protection (DPDP) Rules in November 2025, the industry now has a clear roadmap toward full enforcement by May 2027.

As an industry, we are moving beyond viewing data protection as a checkbox exercise. The interplay between existing RBI sectoral regulations and the new DPDP Act requires a robust data governance overhaul that balances compliance with operational efficiency.

Understanding the Hierarchy of Roles

Success in this new era begins with a clear internal audit of data roles. The law distinguishes between the Data Fiduciary, the entity that determines the "why" and "how" of data use, and the Data Processor, who acts on the fiduciary’s instructions.

In our ecosystem, a Regulated Entity (RE), like a bank or NBFC, typically serves as the fiduciary, while Lending Service Providers (LSPs) act as processors. However, these roles are fluid. If an LSP utilizes borrower data for its own cross-selling or separate product offerings, it may inadvertently step into the role of a Data Fiduciary, triggering a separate set of statutory liabilities and the need for independent consent.

The High Bar of "Explicit Consent"

The standard for consent is significantly higher under the DPDP Act, requiring it to be free, specific, informed, unconditional, and backed by a clear affirmative action. This aligns with the RBI’s strict "need-based" requirement, which mandates that entities only collect data strictly necessary for the transaction and allows borrowers to deny consent for disclosures they deem unnecessary. To remain compliant with both frameworks, it's recommended to focus on these core principles:

Abolishing Consent Bundling: Under the DPDP Act, each purpose requires a distinct tick box; for example, a customer applying for a loan should not be forced to consent to marketing or third-party insurance products through a single "Accept All" button. This reflects the RBI’s guidelines that allow customers to restrict disclosures and deny consent for purposes beyond the core lending activity.

Data Minimization and Access Restrictions: Both regimes emphasize that we must only collect data relevant to the business. The DPDP Act discourages collecting irrelevant datasets, such as blood groups or health records, for lending purposes. Furthermore, the RBI imposes hard restrictions on app permissions, strictly prohibiting Digital Lending Apps (DLAs) from accessing a borrower's file system, media, or contact list, with camera and microphone access limited solely to the KYC process.

The Right to Withdraw and "Be Forgotten": Customers must be provided with a user-friendly mechanism to withdraw consent at any time. Similarly, the RBI framework grants borrowers the right to require that an entity "forget" or delete their data. While processing must stop upon withdrawal, both the DPDP Act and RBI guidelines recognize that certain data may be retained if it is required to meet specific legal or regulatory obligations, such as statutory record-keeping.

Navigating the Interplay with RBI and DPDP

Digital lending operates in a dual-regulated environment where organizations must simultaneously satisfy the RBI’s specific framework and the DPDP Act. A strategic principle for the industry is that where sectoral regulations (RBI) impose higher or more specific standards, those mandates will prevail over the general provisions of the DPDP Act.

As of late 2024, the RBI has consolidated its digital lending directions into the Credit Facilities Master Directions tailored for various Regulated Entities (REs), such as NBFCs and commercial banks. To maintain compliance in this overlapping landscape, businesses must adhere to these specific RBI-mandated safeguards:

Strict Access Prohibitions: Digital Lending Apps (DLAs) are expressly prohibited from accessing a borrower's file system, media, or contact list.

Domestic Data Sovereignty: The RBI mandates that all data collected during the digital lending journey be stored on servers located in India. While the framework allows for offshore processing, the data must return to Indian servers within 24 hours, and no copy or original may be stored outside the country.

As we navigate the transition toward the May 2027 enforcement deadline for the substantive provisions of the DPDP Act, such as breach notifications and penalties, it is critical to view these RBI mandates as the baseline for our technical architecture.

Managing Legacy Data

A common misconception is that the law only applies to new data collected after 2027. In reality, the DPDP Act covers all legacy data currently sitting in our systems.

The transition period offers a crucial advantage: if we have an existing consent mechanism in place, we do not necessarily need to seek fresh consent from every customer. Instead, we must provide an intimation or notice explaining the current data processing practices and providing an opt-out option. This "validation window" allows us to bridge the gap between old practices and new standards before the 18-month deadline expires.

Preparing for Immediate Obligations

While the meat of the law, including penalties and substantive provisions, kicks in by mid-2027, the groundwork must start now. 

Organizations should prioritize:

Breach Notification Protocols: Establishing internal mechanisms to immediately notify the Data Protection Board and affected individuals in the event of a personal data breach.

Internal Process Updates: Ensuring that every individual within the organization who handles data understands the new rights of "Data Principals," including the rights to correction and erasure.

Contractual Reviews: Updating agreements between REs and LSPs to include back-to-back data protection obligations and clear indemnity clauses.

The above content reflects only our interpretation of the laws based on currently available public information; some scenarios will become clearer over time, and these interpretations are subject to change accordingly.
