DPDP readiness for co-operative banks

DPDP Preparation for Co-Operative Banks: Use the Timeline Well

For co-operative banks, the present period should be treated as working time. The law is in place, the commencement dates are known, and the institutions that use this window properly will be in a far stronger position than those that leave the exercise for the end.

By Ashish Vilas Sonawane
Advocate | Founder, Nyaya Niti Strategic Legal Consultancy LLP

For co-operative banks, data privacy should now be treated as a live implementation subject. The Digital Personal Data Protection Act, 2023 is already in force as the governing statute. The Digital Personal Data Protection Rules, 2025 were notified in November 2025, and their commencement is staggered. Under Rule 1, Rules 1, 2 and 17 to 21 came into force on publication, Rule 4 is to come into force one year later, and Rules 3, 5 to 16, 22 and 23 are to come into force eighteen months after publication. For institutions that handle personal data every day, this period should be used for preparation.

14 November 2025: The Rules were notified. Rules 1, 2 and 17 to 21 came into force on publication.
14 November 2026: Rule 4 is to come into force one year after publication.
14 May 2027: Rules 3, 5 to 16, 22 and 23 are to come into force eighteen months after publication.

Why this period matters

In most institutions, privacy risk does not arise from one dramatic error. It arises because records, systems, vendors, archived files, and internal responsibility have grown over time without one clear view. The law may be new, but the records are already there.

A co-operative bank does not deal with personal data in one narrow compartment. It handles account opening records, KYC documents, loan papers, nominee and guarantor details, employee records, CCTV footage, recovery files, customer communication, and digital banking information. Some of this sits with branches. Some of it remains within internal departments. Some of it moves through software systems, archived records, and outside service providers. The DPDP Act applies to digital personal data, including personal data collected offline and later digitised. In the banking context, that gives the subject a wider operational reach than many institutions may initially assume.

Banking regulation has, of course, never ignored confidentiality. RBI’s outsourcing framework has long required banks to retain control over outsourced functions, preserve customer confidentiality, and ensure that records remain available in line with legal and regulatory requirements. DPDP does not replace that discipline. It adds another layer to it. The subject is no longer confined to secrecy, cyber-security, or system access. It now also concerns notice, processing, grievance handling, and retention in a more structured statutory setting.

For co-operative banks, this is less a drafting exercise and more an exercise in bringing records, systems, documents, vendors, and responsibility into one order.

What the timeline means

The period up to 14 November 2026 should be used to understand the bank’s own record position and to correct the documents and systems through which personal data is handled.

The period up to 14 May 2027 should be used to ensure that the revised structure is actually working in practice.

These are not dates to be merely noted in a compliance calendar. They divide the preparation window into two practical stages.

The difficulty in this area is usually not in reading the law. It is in understanding the institution’s own records, systems, vendors, and internal responsibility.

In many co-operative banks, information is not held under one control point. One part remains with operations, another with technology systems, another with HR, another with recovery, and another with outside processors. Until this position is examined properly, privacy compliance remains incomplete even if a policy has already been drafted.

Before November 2026

The first part of the work is foundational. The bank should identify what personal data it holds, where it is stored, through which systems it moves, which departments use it, which outside vendors handle it, and why it is being retained. This review should not stop with customer onboarding. It should extend to nominee and guarantor records, employee files, recovery documentation, archived scans, CCTV, website forms, app interfaces, customer support records, and information handled by technology and service vendors. If that internal picture is unclear, later corrections tend to remain partial.

Once the records and flows are understood, the documents should be reviewed together. Customer-facing forms, declarations, privacy notices, app permissions, employee documents, and vendor contracts should not be looked at in isolation. They must reflect the same position. If the form says one thing, the system does another, and the vendor arrangement permits something wider, the gap will remain.

This is also the stage at which vendor arrangements should be looked at carefully. A number of co-operative banks rely on outside providers for core systems, messaging, support services, scan-and-store functions, and customer communication tools. Existing agreements may contain broad confidentiality wording, but that by itself is not enough. Access, escalation, retention, post-termination handling, and record control should also be checked. RBI’s outsourcing framework is directly relevant here because it already places continuing responsibility on the bank in relation to outsourced functions and customer information.

Before May 2027

The second part of the work is about making sure the revised system actually functions. By the time the wider set of Rules becomes operative on 14 May 2027, the bank should not still be deciding where requests will be received, who will route them, which records may be corrected, which must be retained, and how a vendor-side issue will be handled.

By that stage, branches should know when a matter has to be escalated. Central teams should know where the relevant record sits. Vendor-side obligations should be capable of enforcement in practice. Senior management should know which parts of the institution are in order and which still require correction.

The practical difference

Institutions that begin early will have time to correct forms, systems, and contracts carefully. Institutions that
