RBI Mandates Data Protection Compliance in FinTech Regulatory Sandbox Entities

Introduction

The Reserve Bank of India (RBI) has issued a press release on 28 February 2024 (“RBI Press Release”) on the revision of the Enabling Framework for Regulatory Sandbox (“Sandbox Framework”). The RBI Press Release emphasizes the need for regulated entities within its regulatory sandbox framework to strictly adhere to the provisions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

The RBI Press Release marks a significant stride towards reinforcing data protection and privacy measures within the financial sector. The emphasis on adherence to the provisions of the DPDP Act by entities within the Sandbox Framework highlights the importance of safeguarding personal data in the rapidly evolving landscape of financial technology (FinTech). The revised Sandbox Framework aligns with the overarching goal of fostering responsible innovation while ensuring individuals’ privacy throughout the innovation process. Further, the provision for potential relaxation of certain regulatory requirements, while ensuring that requirements related to consumer privacy and data protection remain non-negotiable, reinforces the need for fostering a culture that prioritizes data protection and privacy in innovation.

Revised Framework for Regulatory Sandbox

The RBI had issued the Sandbox Framework in August 2019 to cultivate responsible innovation within the financial services sector. Eligible candidates for participation in the regulatory sandbox span a diverse range of entities across the FinTech landscape, including startups, established banks, financial institutions, as well as other corporate entities, limited liability partnerships, and partnership firms involved in collaborating with or supporting financial services businesses.

Key highlights of the revised Sandbox Framework are as follows:

(1) Eligibility for Regulatory Sandbox:

Every applicant that wishes to partake in the regulatory sandbox must demonstrate their compliance with data protection and privacy.

(2) Data Security Measures:

Sandbox entities are mandated to:

  • process all data related to regulatory sandbox testing in strict compliance with the provisions of the DPDP Act;
  • implement appropriate technical and organizational measures to ensure robust compliance with the DPDP Act and any rules made thereunder;
  • establish adequate safeguards to prevent any personal data breach.

(3) Relaxation for Applicants:

The RBI may consider relaxing certain regulatory requirements for applicants for the duration of the regulatory sandbox on a case-by-case basis. However, requirements related to consumer privacy and data protection must be mandatorily complied with.

What Can FinTech Entities Do?

FinTech entities currently participating or desirous of partaking in the regulatory sandbox must undertake the following steps to ensure compliance:

  • Conduct a comprehensive assessment of the existing internal data protection governance framework and privacy policies and procedures against the requirements of the DPDP Act, and identify gaps and risks.
  • Revise existing data protection governance frameworks to bridge the gaps identified, including the implementation of robust technical and organisational measures across their data processing lifecycle.
  • Integrate data protection and privacy considerations into product development and testing processes from the outset.
  • Maintain documentation and record compliance efforts, including policies, procedures, risk assessments, and incident response plans.
  • Foster a culture of privacy and data protection by conducting periodic privacy training within the organisation.

For more information on how entities can align with the Digital Personal Data Protection Act, 2023, please contact Sangeeta Jhunjhunwala, Partner, at sangeeta.jhunjhunwala@khaitanlegal.com and Shruti Dvivedi Sodhi, Partner, at shruti.sodhi@khaitanlegal.com.
