Thursday, October 30, 2025

Data Protection: Incentivising a Culture of Compliance

As a risk professional, I have been interacting with a lot of peers on the pending implementation of the new Digital Personal Data Protection (DPDP) Act. While much of the conversation gravitates towards the impact on the way business is conducted and the costs of compliance, the tone of the exchanges is inclined towards avoiding penalties for non-compliance.

In the world of creating regulations, the typical approach has often been to create rules, impose penalties, and hope that entities will comply. That is often reasonable for vital and incremental policy formulations. However, sweeping changes like the DPDP Act require more than just a check-the-box approach. To protect sovereign data, the implementation process needs to foster a culture of compliance rather than superficial adherence.

Why the punitive-only models fail

Regulations that mainly focus on punishment often lead to minimal compliance. Compliance teams tend to do only what is necessary to avoid penalties, creating a superficial culture of data protection. This is particularly true in the fintech sector, where innovation, speed, and data flow are vital. Superficial compliance can result in higher costs due to constant control adjustments or ongoing vulnerabilities caused by workarounds. The DPDP Act aims higher by granting rights to individuals and outlining obligations for data fiduciaries, while also imposing serious penalties. However, unless companies see data protection as a way to add business value, they will only achieve checkbox compliance instead of true resilience.

Fintech – a sector that illustrates the challenge

Fintech firms serve as a clear example. They rely heavily on data, use complex technology, and operate under multiple regulations, such as Reserve Bank of India rules, NPCI guidelines and KYC/AML requirements. Many are finding that the costs of adopting new technology and shifting processes are a barrier to meaningful compliance. For instance, legal experts point out that granular consent for each transaction, a requirement of the DPDP Act, is being seen as a significant process obstacle for digital payments platforms. Tech-Ops experts feel that while fintechs are accustomed to handling data, they are less developed in privacy governance, needing system revamp, staff training, and integration of consent management.

Incentivising the right behaviour

Internal incentives: Companies should establish internal KPIs related to data protection that connect to business outcomes, such as customer trust, brand loyalty, fewer breaches, and faster onboarding with secure data flows. They can reward teams for "privacy by design" rather than just for completing compliance tasks.

Regulator/business incentives: Instead of focusing solely on fines, regulators should offer positive incentives. This could include recognising or certifying strong data protection frameworks, providing faster regulatory approvals to firms with mature data governance, or offering regulatory sandboxes for new data-driven services built on solid privacy foundations.

Habit formation: The classic "habit-curve" applies to any change:

Awareness -> early adoption -> routinization -> automatic behaviour.

It shows that until automatic behaviour is reached, changes remain fragile. For fintech companies, embedding data protection requires more than policy changes; it means integrating it into daily routines, such as having a data privacy checkpoint at every product meeting, including fiduciary obligations in vendor contracts, and making consent layers a default part of user interfaces. Over time, these practices need to become part of normal behaviour instead of just procedures.

Sector-specific tempo: The speed of the habit curve varies across sectors. A fintech startup that pivots monthly faces a different curve and risks compared to a legacy bank with mature cycles. On the flip side, costs of changing habits, such as trainer time, system redesign, and vendor alignment, are higher for established firms. Thus, incentives and support need to match these nuances: smaller fintechs could benefit from regulatory guidance, technology vouchers, or sharing best practices, while larger firms may focus on automation, dashboards, and self-service consent platforms.

Technology cost vs benefit: The biggest barrier to adoption is the upfront cost of technology, such as consent engines, data traceability, audit trails, and deletion workflows. Some firms may implement the technology only superficially rather than fully, for example capturing consent without establishing the routine for deletion upon request. If companies understand that investing in technology is not just a compliance cost but a competitive edge, the view changes. If users trust a platform with their data, companies can offer better services and lower their breach protection costs. Regulators can encourage this view by indicating that mature frameworks may reduce future regulatory burdens and inspection frequency, or even provide safe harbours.

So…

The DPDP Act establishes the regulatory landscape for data protection in India’s digital economy. Relying solely on punishment, fines, and audits will only lead to nominal compliance. Actual benefits will accrue when organisations make data protection a habit and integrate it into their routines while being supported by regulatory incentives.

In fintechs, where technology, data, and trust intersect, the challenge is significant, but so is the opportunity. Firms that can transform data privacy from a cost centre to a value centre will display sustainable growth. The sooner the culture changes, the faster companies will move from "we must comply" to "we choose to excel."

Monday, October 27, 2025

Decentralized National Digital Identity on Blockchain: Bhutan's Case

Few nations demonstrate foresight and adaptability as well as Bhutan. The Himalayan kingdom, long admired for its commitment to Gross National Happiness, is now taking a bold step into the digital future, blending political maturity with technological ambition.

From Monarchy to Modern Governance

Bhutan’s democratic journey remains one of the most peaceful transitions in modern history. In the early 2000s, King Jigme Singye Wangchuck voluntarily devolved power to an elected government, culminating in the first democratic elections in 2008. This rare, deliberate shift from monarchy to democracy built a foundation of trust, accountability, and continuity, qualities now reflected in Bhutan’s digital policy framework.

Blockchain and National Identity

Building on that legacy, Bhutan’s National Digital Identity (NDI) initiative, led by Druk Holding & Investments (DHI), is set to anchor its architecture on the Ethereum blockchain by 2026. This will enable citizens to hold self-sovereign, verifiable digital identities, providing secure access to public and financial services while maintaining their privacy. By leveraging Ethereum’s global interoperability and decentralised trust, Bhutan positions itself as a digital-first democracy capable of engaging seamlessly with international systems.

Crypto Reserves and Economic Diversification

Bhutan’s digital evolution extends beyond identity. Its sovereign fund, DHI, has quietly built significant Bitcoin reserves through sustainable, hydropower-driven mining, a strategy that converts green energy into digital capital. This positions Bhutan as a clean crypto hub, aligning technology with sustainability, and attracting fintech investments and blockchain startups.

Reversing Brain Drain and Driving Growth

The move toward a digital economy could help reverse Bhutan’s emigration trends, particularly among young professionals who left in search of better opportunities after COVID-19. As blockchain, AI, and fintech ecosystems expand, Bhutan stands to create high-tech, high-value employment, nurturing both local talent and diaspora returnees.

Balancing Innovation with Risk

Yet, the journey is not without risk. Anchoring national identity and financial data to public blockchains introduces new vectors of cyber exposure. While personal data will remain off-chain, metadata, cryptographic keys, and system governance must be rigorously protected. Moreover, legal, judicial, and institutional frameworks must evolve to validate blockchain-based proofs, ensure data sovereignty, and mitigate systemic vulnerabilities. For a nation digitising at scale, cyber resilience, privacy regulation, and sovereign control will define long-term success.

Digital Sovereignty….

Bhutan’s transformation from monarchy to democracy, from hydropower to blockchain, is more than a policy; it’s a vision in action. By aligning governance, sustainability, and innovation, Bhutan is quietly crafting a blueprint for responsible digital sovereignty. In a world often torn between speed and stability, Bhutan shows that it’s possible to pursue both with trust as the anchor, and technology as the bridge.
