Right of Retention Strategy

On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) notified the implementation timelines for the Digital Personal Data Protection (DPDP) Act, 2023, and released the final DPDP Rules, 2025. The Act and Rules adopt a phased implementation approach, with core operational obligations taking effect in May 2027. This grants data fiduciaries (entities handling personal data) an 18-month transition period to align their systems and practices with the new privacy regime. In this context, India's securities market, despite existing data governance rules that resemble a privacy framework, now faces a key turning point requiring greater regulatory attention. For example, data retention obligations under SEBI mandate registered intermediaries, such as stockbrokers, to preserve books of account, records, and documents for at least five years.
However, these SEBI rules were primarily designed for market surveillance, anti-money laundering compliance, and investor dispute resolution. As a result, the existing regime has historically viewed data as an asset to be preserved, rather than as an individual right that must be carefully managed.
Strengthening Data Security and Regulatory Compliance
While confidentiality obligations are in place, these are primarily enshrined in operational circulars, and their effectiveness is often undermined by broadly worded consents in standard client agreements. Data security has largely been addressed through IT governance norms and cybersecurity directives.
However, a critical gap remains: the lack of a systematic requirement to delete personal data once its regulatory or operational purpose is served. As a result, investors’ personal data in the securities market may accumulate indefinitely without robust data deletion and minimization protocols.
Alignment of Financial Regulation with DPDP Act
Regulators are set to review existing guidelines to align sectoral financial regulations and data protection requirements with the Digital Personal Data Protection Act, 2023 (DPDP Act), ensuring consistency between regulatory obligations and core data protection principles.
The review will primarily focus on the KYC framework under the PMLA. While regulated entities must collect and retain customer data for AML/KYC purposes, any additional data collection will require a clear legal basis and strict adherence to the DPDP Act’s data minimisation principle. Regulators are expected to clarify permissible data retention periods and confirm that data sharing with authorities for AML purposes constitutes a lawful and proportionate use under the DPDP Act.
Regulated entities will also be required to uphold data principal rights, including access, correction, and erasure, and may be encouraged to conduct Data Protection Impact Assessments. Overall, this signals a shift towards a rights-based, proportionate, and accountable regulatory approach, while maintaining market integrity and effective surveillance.
Interaction of Consent Managers within the Account Aggregator Ecosystem
The Consent Manager framework under the DPDP Act is expected to coexist and potentially intersect with the established Account Aggregator (AA) ecosystem. While the AA framework provides a mature, consent-based mechanism for financial data sharing across regulated entities, Consent Managers under the DPDP Act are designed as sector-agnostic intermediaries, enabling data principals to manage consent across diverse categories of personal data under the oversight of the Data Protection Board.
Given the shared features of both frameworks (standardised consent artefacts, interoperable systems, auditability, and restricted data access), regulators face the policy question of ensuring interoperability without duplication. Potential approaches include recognising Account Aggregators as specialised Consent Managers for financial data or harmonising technical and governance standards. Such alignment is likely to emerge progressively through regulatory guidance and coordinated supervisory action, rather than through a single policy mandate.
Strengthened Outsourcing Accountability under the DPDP Framework
The DPDP Act strengthens the principle of principal liability for outsourced functions, holding data fiduciaries accountable for the acts or omissions of data processors, regardless of contractual terms. Unlike traditional securities regulations, it extends liability to privacy-specific obligations, including mishandling consent withdrawals, inadequate security measures, or excessive data retention. This shift will require intermediaries to revise vendor contracts covering cloud providers, payment gateways, and data vendors to embed explicit DPDP compliance and privacy governance obligations alongside operational performance standards.
Strategic Opportunities and Transition
As the securities sector moves toward deletion-centric protocols, granular consent mechanisms, and privacy-focused governance, early adopters stand to gain a competitive advantage. Intermediaries that develop transparent and user-centric consent architectures, automate data deletion for non-regulatory purposes, and proactively communicate privacy commitments can build greater client trust, transforming regulatory compliance into a meaningful market differentiator.