When Data Protection Hits Deals: How DPDP Reshapes M&A Documents in India

  • Suprava Sahu
  • 2 days ago

[Suprava is a student at Gujarat National Law University.]


Transactions in the financial sector are mostly data-based: banks retain KYC files, and brokers log every trade. Data governance was already significant even before the Digital Personal Data Protection (DPDP) Rules 2025 were introduced on 13 November 2025.


The DPDP framework does not replace the RBI Master Directions or the SEBI Intermediaries Regulations. It adds a horizontal privacy layer on top of the vertical sector rules, creating new challenges for deal lawyers. Just as with valuations, a mistake in data governance carries a real price: the Data Protection Board (DPB) can impose a penalty of up to INR 250 crore. In practice, warranties now have to address a mixed compliance landscape, because DPDP sits alongside the sectoral rules from RBI and SEBI. When reviewing outsourcing contracts, RBI’s audit requirements will have to be incorporated along with the DPDP norms. Even something as basic as “legal obligation” retention under RBI norms cannot be taken for granted and has to be tied to a clear purpose under DPDP.


This article examines four points that typically matter most in deals: how retention rules conflict, how outsourcing contracts must evolve, how data flows within a group structure, and what all of this means for drafting.


Retention and Data Life Cycle 


When data is collected, the collecting entity is required to keep it for a certain period in order to meet statutory compliance under various provisions. Under the RBI's KYC Master Directions, identity records must be retained for 5 years after the end of the customer relationship. In certain cases involving PMLA, this can extend to 8-10 years. The SEBI intermediary framework works in a similar manner: brokers are required to retain data for a minimum of 5 years. These retention requirements are mandatory and come with inspection mandates.


On the other side, the DPDP framework, in order to protect a data principal’s data, requires purpose limitation and storage minimisation. Data may be retained only for the purpose for which it was collected and must be deleted once that purpose is exhausted. For the cases specified in the Third Schedule of the DPDP Act 2023, a three-year ceiling applies, after which the data must be deleted. In the financial sector, the rules and regulations issued by RBI and SEBI operate as special law, which means they take precedence over the DPDP framework. Section 8(1) of the DPDP Act recognises this through the words “necessary for compliance with any law”. Sectoral mandates therefore still have to be followed.


The best way to approach these provisions is to stop treating them as conflicting. Most RBI-regulated fintechs now build retention matrices that map each data set to the exact statutory provision that requires keeping it. Once the mapping is clear, they can rely on Section 7 of the DPDP Act 2023 to justify the retention while making sure the data is not reused for any other purpose.


EU banks handle GDPR in a similar manner: Article 17(3)(b) protects retention carried out under a legal duty. For deal lawyers, though, this changes the diligence exercise. It is no longer enough to check whether a company has a retention policy. Lawyers now need to examine whether the policy is backed by the correct RBI or SEBI provisions, whether the DPDP rationale is documented, and whether the entity actually follows the policy in practice. Any gap in this chain is a governance risk that can easily affect negotiations on points like valuation and indemnity coverage.


Outsourcing and Processor Contracts 


India’s outsourcing sector is growing fast: the IT services outsourcing market alone generated more than USD 21.4 billion in 2024, and BPO exports around USD 45 billion. Outsourcing was already a high-risk area for banks, NBFCs, and capital market intermediaries before the DPDP framework was enacted. RBI’s outsourcing guidelines require regulated entities to retain “unlimited control” over outsourced activities and to ensure the confidentiality of customer data. SEBI’s outsourcing circular does the same for intermediaries, making third parties responsible for protecting client information, preserving records, and maintaining IT security. The regulators’ expectation has always been that outsourcing an activity does not mean outsourcing responsibility for it.


The data protection framework adds another layer. Data fiduciaries must ensure that every service provider handling personal data meets the standards for security safeguards, restricted use, and breach notification. Outsourcing contracts in the financial sector can therefore no longer be the traditional IT or BPO templates with a few formalities and a confidentiality clause. They now have to function as full-fledged data processing agreements (DPAs). A DPA clearly defines the scope of processing, prohibits secondary use of the data, and sets breach notification timelines that allow the fiduciary to meet the DPDP deadlines.


In practical terms, deal lawyers now have to shift their focus from verifying that an outsourcing agreement exists to ensuring that the agreement meets RBI/SEBI expectations as well as the DPDP obligations placed on processors. A buyer will look for contracts that grant regulators and auditors access rights, require secure channels for data sharing, and allocate liability for data breaches properly. Where the contracts fall short, the consequence may be a remediation plan, with amendment of the vendor arrangements either as a condition precedent or as a tightly monitored post-closing obligation.


Data Sharing with Financial Groups


Data in the financial industry forms an ecosystem that includes depositories, mutual funds, banking groups, securities intermediaries, and fintechs. For instance, banks must regularly provide their NBFC subsidiaries or related wealth management units with customer KYC information. In the same way, transaction details flow among brokers, registrars, and asset managers to maintain market integrity and investor servicing.


For operational and regulatory reasons, the RBI and SEBI treat some level of data sharing as essential. Under the DPDP framework, however, any data sharing must have a clear, legally sound basis: in general, a “legal obligation or legitimate purpose” together with appropriate data processing notices. This adds another level of due diligence for lawyers. They now need to review a comprehensive data sharing list, along with the supporting purpose, from every company that receives client data. A share purchase agreement with warranties and indemnities that protect the buyer against improper data distribution will be built around this.


Transaction Documents: What Changes Now 


As the data rules become more stringent, the paperwork cannot remain the same. Previously, most transaction documents simply contained a generic warranty stating that the target complies with all applicable laws. That now needs to change.


Over the last decade, regulators have become more demanding about the quality of compliance. RBI now wants clear retention timelines for KYC, and SEBI wants brokers and intermediaries to maintain clear, audit-ready records. The DPDP Act 2023 adds to this by asking companies to show how they collect, retain and protect personal data. Buyers will therefore require additional warranties that confirm not only legality but also actual implementation.


Data breaches rarely show up overnight. An old retention practice from 2019 might trigger a regulatory notice in 2026. This is a pattern European regulators have observed under the GDPR. Because of this delay, buyers will start asking for data-specific indemnities that stretch beyond the usual 3-5 year survival period. The logic is simple: if the regulators can look back, so should the indemnity.


Closing conditions and post-closing governance will also shift. Earlier, corporate closing conditions were board resolutions, ESOP updates, and tax filings. Now, privacy-linked conditions will become standard. Sellers will be required to update notices before closing and to realign retention schedules with the DPDP timelines. The old practice of keeping customer data indefinitely “just in case” is now a direct violation of the limitation principles under DPDP.


Once the deal is closed, governance is handled by the board. But given the significant risks, investors will not be comfortable with once-a-year reporting. The likely solution mirrors what happened in Europe and Singapore, where privacy governance became a routine item for investors. Data governance obligations such as quarterly reporting, periodic audits, and higher approval thresholds for high-risk activities need to be added to the shareholders’ agreement. Ultimately, it all comes down to protecting deal value: any mistake can lead to enforcement action by various regulatory bodies.


Conclusion 


The DPDP framework marks India’s move to a more regulated data environment. DPDP is not a replacement for the existing sectoral rules; it requires several sets of rules and regulations to work together. Retention timelines need clear justifications and a proper framework, outsourcing contracts have to be structured like a DPA, and every data flow needs to be supported by a legal purpose. For deal lawyers, this means diligence will change completely and will become a test of how a company handles information.


The positive side is that an entity that gets this right ends up on the stronger side during negotiations. A clean retention schedule, proper vendor contracts, and disciplined governance will protect value. As regulators continue to raise the bar on data governance, ignoring it in a deal is no longer an option. Getting it right will be the main driver of deal certainty in India's financial ecosystem.



©2025 by The Indian Review of Corporate and Commercial Laws.