Customer Data Protection in Financial Institutions: Reading the CSITE Advisory
On 25 March 2026, the Department of Supervision, Central Office, Cyber Security and IT Risk (CSITE) Group of the Reserve Bank of India issued an advisory on "Best Practices relating to Customer Data Protection". A thematic study on "Security of customer data", conducted in 2025, formed the basis of the advisory.
Commercial banks, co-operative banks, non-banking financial companies (NBFCs) and all-India financial institutions fall within the scope of the advisory, which lists best practices across twelve domains. The advisory comes at a crucial time for financial institutions, which are working to bring their systems into compliance with the new data protection law, the Digital Personal Data Protection Act, 2023 (DPDPA), and the Digital Personal Data Protection Rules, 2025. The twelve domains listed in the advisory are:
1. Governance and Regulatory Compliance
A Board-approved policy framework formalising the roles and responsibilities of key stakeholders in the organisation's privacy risk posture.
2. Data Collection, Classification, and Usage
Data tagging and classification tools that allow end-to-end mapping of data flows, and consent management through a centralised consent architecture.
3. Data Inventory and Security Controls
Cryptographic controls for the protection of customer data, and data leakage prevention (DLP) solutions at data exit points.
4. Data Access Management
Enhanced log monitoring and maintenance through Security Information and Event Management (SIEM) solutions, increasing the traceability of changes made to customer data.
5. Data Sharing and Third-Party Risk Management
Pre-onboarding privacy risk assessments, accompanied by regular audits of third-party systems and environments, and transfer of data only through secure channels.
6. Incident Response and Recovery
Documented post-incident reviews and root-cause analysis reports, together with regular cyber drills to test cyber resilience.
7. Data Retention and Destruction
Strict data retention timelines enforced through internal policies, and automated data deletion across systems.
8. Customer Rights and Empowerment
Efficient customer relationship management, including reference IDs issued for complaints and a comprehensive multi-channel complaint resolution framework.
9. Audit and Testing
Customer data security included in the scope of internal/information security audits, with timely remediation of observations. Role-based access controls enabled for servers.
10. Emerging Technologies and Data Risks
Regular performance evaluation of the AI/ML models adopted, and secure hosting of customer data when adopting such models.
11. Data Security in External Systems (Cloud)
Documented baseline security measures for cloud environments, with regular reporting of the cloud environment's security posture to senior management. Defined roles and responsibilities of the service provider in protecting customer data.
12. Continuous Monitoring/Real-Time Oversight
Real-time monitoring through multi-layered tooling and Security Operations Centres (SOCs).
The new law and the advisory
The DPDPA leaves considerable scope for industry players to interpret and adapt to the newer standards attached to data protection. The advisory maps some of those gaps and outlines how issues of data protection and compliance with the law can be addressed. This calls for a realignment of data protection practices, from scattered controls to an interconnected, cross-platform network covering the organisation's technological infrastructure as a whole. A collaborative effort by key stakeholders and senior management is required. Governance structures and hierarchies are to be documented in policies that are approved and regularly reviewed at Board level.
Some of the larger principles underlying the DPDPA can be traced in the advisory: (i) the principles of data minimisation and purpose limitation, and the requirements imposed under section 6 and rule 5; (ii) the general obligations under section 8 to ensure completeness, accuracy and consistency of data and to take reasonable security safeguards; and (iii) the technical measures required of significant data fiduciaries under rule 13. Financial organisations expect to be notified as significant data fiduciaries, given the nature of the data processing activities they undertake.
These domains establish an interdependent framework for the protection of customer data: technical requirements and organisational measures go hand in hand. To enable the technical measures, an extensive overhaul of policies and frameworks is required. This entails changes to privacy and security policies, documentation of SOPs for incident management, and revision of contracts with third parties that process personal data on the organisation's behalf. This exercise enables controls such as auditing third-party systems, enforcing prompt reporting and remediation requirements for data breaches and incidents, and keeping data protection a subject of focus for top management.
Another key aspect is the centralisation of consent and monitoring systems. The DPDPA contemplates a new-age consent whose biggest requirement is the ease of giving and withdrawing it. With the Act's consent manager framework, every organisation within its scope must centralise consent, since processing activities depend heavily on it. The advisory adds a requirement to centralise the multi-layer security tools and measures in place. This helps an organisation empower the customer; the objective is to make the data protection regime of these organisations more customer centric. These organisations have already implemented controls that secure customer data; centralising those systems through technical measures enhances their capacity to respond to customer requests. For example, when a customer exercises the right to access the data a financial organisation holds about them, a data discovery tool enables the mapping the organisation needs in order to respond with the details of the data it holds and the locations where that data is stored. In the event of a data breach, technical controls that enhance monitoring capabilities allow the organisation to submit a comprehensive report. Post-incident reviews are a key organisational measure that must be defined and documented. Customer data protection reporting requirements fall not just on specific functions but on departments across the organisation. It is therefore essential that financial organisations take stock of where they currently stand and chart a clear path toward comprehensive compliance.
Now that the road to compliance with the new data protection regime has a defined end point, the advisory clarifies the next steps for financial organisations and the objectives to be achieved through the implementation of controls and measures for the protection of customer data.
