Several Indian banks are not collecting Digital Personal Data Protection Act, 2023 (DPDP) compliant consent data from the customers, according to a report by IDfy, an integrated identity verification and digital onboarding platform.
It found that eight out of 10 banks do not mention the personally identifiable information (PII) data collected in their privacy policy.
PII is the data, which includes information like account number, permanent account number (PAN) and Aadhaar number.
“Education loans are another avenue where an individual’s PII is vulnerable, as 75 percent of the PII data collected during the educational loan process was found to be sensitive,” the report said.
It showed that 9 out of 10 banks did not have a cookie consent banner and a mere 7 percent of the cookies found were actually necessary. The report’s findings showed that none of the banks collected parental consent while processing a minor’s data. “The report brings to the forefront the practice of banks asking for information like employee designation for home loans or marital and spouse’s details for personal loans, which are not integral to credit underwriting,” the report said.
Also read: RBI asks banks to comply with DPDP Act provisions under updated regulatory sandbox
The report found that one of the banks had 103 cookies on their website. Cookies are small files on websites that generate and share data with the browser. And 2 of the 10 banks did not have a single necessary cookie on their website.
Some of the top Indian banks are State Bank of India, HDFC Bank, ICICI Bank, Axis Bank, Kotak Mahindra Bank, Bank of Baroda, etc.
Email sent to the banks did not elicit a response till the time of publishing the article.
On February 23, the Reserve Bank of India’s (RBI) said that all banks under the regulatory sandbox (RS) framework must ensure compliance with the provisions of the DPDP Act. “The sandbox entity must process all the data, in its possession or under its control about RS testing, by the provisions of Digital Personal Data Protection Act, 2023,” the RBI said.
Additionally, the central bank said that under the updated sandbox framework, entities should have appropriate technical and organisational measures to ensure effective compliance with the provisions of the Act and rules made thereunder. The sandbox is a framework set up by RBI to facilitate live testing of innovations by REs in a controlled environment with supervision. RBI also said that the sandbox entity should ensure adequate safeguards to prevent any personal data breach.
Where does the DPDP Act stand?
The DPDP Act was notified on August 11, 2023, but it has not been enacted yet.
Prime Minister Narendra Modi, in his address in the 17th Lok Sabha, said that the DPDP Act would safeguard the coming generations and give them a tool to make their futures. "By bringing the Data Protection Bill, we have safeguarded future generations. We have given the future generation a tool, based on which, to make their future, they will use it well. Globally, people are interested in India’s Digital Personal Data Protection Act,” Modi said.
Union Minister Rajeev Chandrasekhar on December 6 said that the accompanying rules of the DPDP Act are ready and will be notified by the end of December or early January 2024.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
