{"id":20613,"date":"2026-07-07T12:58:45","date_gmt":"2026-07-07T07:28:45","guid":{"rendered":"https:\/\/www.naavi.org\/wp\/?p=20613"},"modified":"2026-07-07T12:58:45","modified_gmt":"2026-07-07T07:28:45","slug":"aggregated-data-fiduciaries-a-new-governance-model-for-dpdpa-compliance-in-the-banking-sector","status":"publish","type":"post","link":"https:\/\/www.naavi.org\/wp\/aggregated-data-fiduciaries-a-new-governance-model-for-dpdpa-compliance-in-the-banking-sector\/","title":{"rendered":"Aggregated Data Fiduciaries: A New Governance Model for DPDPA Compliance in the Banking Sector"},"content":{"rendered":"<p><a href=\"https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-scaled.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-20614\" src=\"https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-1024x572.png\" alt=\"\" width=\"640\" height=\"358\" srcset=\"https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-1024x572.png 1024w, https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-300x167.png 300w, https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-768x429.png 768w, https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-1536x857.png 1536w, https:\/\/www.naavi.org\/wp\/wp-content\/uploads\/2026\/07\/Bridging_the_Data_Governance_Gap-2048x1143.png 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">One of the distinguishing features of the <strong>Digital Personal Data Protection Act, 2023 (DPDPA)<\/strong> is that it places <strong>accountability<\/strong> at the centre of personal data governance. The law identifies the <strong>Data Fiduciary<\/strong> as the entity that determines the purpose and means of processing personal data and makes that entity responsible for complying with the obligations prescribed under the Act.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">In legal terms, the position appears straightforward. A bank is a corporate entity and therefore the Bank is the Data Fiduciary. Its branches are merely operational units and not separate legal persons. Consequently, the branches are not independently recognized as Data Fiduciaries under DPDPA.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">However, legal definitions do not always reflect operational realities.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">The Reality of Banking Operations<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Modern banks operate on sophisticated Core Banking Systems (CBS), giving the impression that all customer information is centrally managed. While this is technologically true, it does not mean that personal data is processed only at the Head Office.<\/p>\n<p style=\"text-align: justify;\">In the Banking practice before the advent of &#8220;Anywhere Banking&#8221;, a Customer was a customer of a Branch. This concept has now undergone a change and Banks recognize that a Customer is a Customer of the Bank with a &#8220;Parent Branch&#8221; being recognized for the purpose of documentation.<\/p>\n<p style=\"text-align: justify;\">This change brought by the Digital Banking system is not however ideal for the compliance of DPDPA since the collection of personal data often originates at the branch level and then gets onboarded on to the enterprise servers. Consent Management therefore happens at the Branch level. However the KYC may be managed by an organization which has a contract signed at the HO level and not at the branch level.<\/p>\n<p style=\"text-align: justify;\">In cases where Branches use the services of centrally appointed service providers for KYC etc, the status of the Head office and its vendor needs to be defined along with that of the branch as either Data Fiduciary, Joint Data Fiduciary or Data Processor.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Customer grievances are handled at branches as well as through the website.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Loans are processed through branch-level officers and by the models governed by the Central office while loan assets are often managed physically at the Branch level.\u00a0Documents are collected, verified, digitized and stored through branch operations.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Hence, even where centralized databases exist, the operational handling of personal data remains highly decentralized.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">For a customer, the Branch Manager is the face of the Bank. It is the branch that decides how the customer is onboarded, how documentation is verified, how service requests are processed and, in many cases, how customer data is shared with third parties for legitimate banking operations.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The Branch, therefore, exercises significant operational control over personal data.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">Centralized Systems, Decentralized Processing<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">This distinction between centralized storage and decentralized processing is becoming even more complicated because many branches independently use:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"list-style-type: none;\">\n<ul data-spread=\"false\">\n<li>AI-assisted customer service tools.<\/li>\n<li>Document verification software.<\/li>\n<li>OCR-based KYC applications.<\/li>\n<li>Loan scoring models.<\/li>\n<li>Fraud detection systems.<\/li>\n<li>Analytics platforms.<\/li>\n<li>Cloud-based business applications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Branches also interact with numerous third-party service providers such as:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"list-style-type: none;\">\n<ul data-spread=\"false\">\n<li>Recovery agencies.<\/li>\n<li>Valuation agencies.<\/li>\n<li>Legal firms.<\/li>\n<li>Marketing agencies.<\/li>\n<li>Document digitization vendors.<\/li>\n<li>Collection agencies.<\/li>\n<li>Technology support vendors.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Each of these relationships may involve processing of personal data.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Although corporate policies may require approval from the Head Office, operational decisions are frequently taken at the branch level, creating a situation where privacy risks arise far away from the office of the Bank&#8217;s Data Protection Officer (DPO).<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">A Governance Gap<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">This creates an interesting governance challenge for DPDPA Compliance.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Legally, accountability rests with the Bank.\u00a0Operationally, responsibility is distributed across hundreds or even thousands of branches.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Traditional compliance models tend to assume that privacy governance is centralized. In practice, however, DPDPA compliance succeeds or fails at the operational level.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">If a branch employee collects excessive information&#8230;<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">If customer consent is not properly recorded&#8230;<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">If a local vendor mishandles customer information&#8230;<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">If an AI tool is deployed without adequate assessment&#8230;<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">&#8230;the resulting non-compliance affects the Bank as a whole.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The law may hold the Bank accountable, but the operational failure occurs at the branch.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">The Concept of an Aggregated Data Fiduciary<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">To bridge this governance gap, DGPSI-Bank proposes the concept of Bank as an &#8220;<strong>Aggregated Data Fiduciary&#8221;\u00a0 <\/strong>while the branches are<strong> &#8220;Operational Data Fiduciaries.&#8221;<\/strong><\/p>\n<p style=\"text-align: justify;\">Kindly note that this is a Governance approach and does not legally redefine the concept of Data Fiduciary or a Significant Data Fiduciary. Given the sensitivity of the financial information however, both the Bank and the Branch are to be considered as &#8220;Significant Data Fiduciaries&#8221;.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Under this model:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"list-style-type: none;\">\n<ul data-spread=\"false\">\n<li>The <strong>Bank<\/strong> remains the sole legal Data Fiduciary under DPDPA.<\/li>\n<li>Every branch functions as an <strong>Operational Data Fiduciary<\/strong> for governance purposes.<\/li>\n<li>Accountability is cascaded to the level where processing decisions are actually implemented.<\/li>\n<li>Enterprise-wide legal responsibility remains centralized.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">A company has one Board of Directors, yet each factory, plant, regional office and branch has managers responsible for operational compliance.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Similarly, DPDPA accountability should flow from the Board to the branch.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">The Role of the Branch Manager<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">For most customers, the Branch Manager effectively represents the Bank.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Accordingly, the Branch Manager should ordinarily function as the <strong>Branch Privacy Officer<\/strong> or <strong>Branch Data Protection Coordinator<\/strong>, unless another officer is specifically designated for this purpose.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">This should not be confused with the statutory DPO appointed by the Bank.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The enterprise DPO continues to discharge the legal responsibilities prescribed under DPDPA, while the Branch Privacy Officer becomes responsible for implementing privacy controls, maintaining records, ensuring evidence of compliance and coordinating with the central privacy office.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">This creates a practical governance hierarchy without altering the statutory framework.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">Implications for Independent Data Auditors<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The concept of an Aggregated Data Fiduciary also has important implications for Independent Data Auditors.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">An audit limited to Head Office policies is unlikely to provide meaningful assurance regarding actual compliance.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Auditors should evaluate:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"list-style-type: none;\">\n<ul data-spread=\"false\">\n<li>Branch-level consent management.<\/li>\n<li>Local vendor governance.<\/li>\n<li>AI deployment practices.<\/li>\n<li>Record retention.<\/li>\n<li>Employee awareness.<\/li>\n<li>Incident reporting.<\/li>\n<li>Privacy governance.<\/li>\n<li>Evidence supporting compliance.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Only then can an Independent Data Auditor provide credible assurance regarding DPDPA compliance.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">Beyond Banking<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Although the banking industry provides a compelling illustration, the concept has much wider application.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Insurance companies.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Large hospital networks.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Retail chains.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Telecommunication operators.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Educational institutions with multiple campuses.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Government departments with regional offices.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Public Sector Undertakings.<\/p>\n<p class=\"isSelectedEnd\" style=\"padding-left: 40px; text-align: justify;\">Franchise-based business models.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">In all these cases, the legal Data Fiduciary is a single entity, while operational processing is widely distributed.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The Aggregated Data Fiduciary model offers a structured mechanism for distributing operational responsibility without diluting legal accountability.<\/p>\n<h2 style=\"text-align: justify;\"><strong><span style=\"font-size: 14pt;\">A Natural Evolution of DPDPA Governance<\/span><\/strong><\/h2>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">Earlier, we had proposed the concept of a <strong>Super Data Fiduciary<\/strong> to describe organizations that exercise overarching governance over multiple independently operating entities, particularly in sectors such as healthcare.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The concept of an <strong>Aggregated Data Fiduciary<\/strong> addresses a different challenge.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">It recognizes that within a single legal entity, operational responsibility may itself be distributed across numerous business units that process personal data on a daily basis.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">As organizations increasingly adopt AI, cloud services and decentralized digital operations, this governance model becomes even more relevant.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">DPDPA establishes legal accountability.\u00a0Organizations must now develop governance structures that make that accountability operational.<\/p>\n<p class=\"isSelectedEnd\" style=\"text-align: justify;\">The concept of the <strong>Aggregated Data Fiduciary<\/strong> is one such framework. It enables organizations to combine centralized legal responsibility with decentralized operational ownership, thereby strengthening governance, improving auditability and making DPDPA compliance more effective.<\/p>\n<p style=\"text-align: justify;\">It is hoped that regulators, compliance professionals, auditors and industry bodies will examine this concept and contribute to its refinement as India&#8217;s data protection jurisprudence continues to evolve.<\/p>\n<p style=\"text-align: justify;\">Open for public Deabte.<\/p>\n<p style=\"text-align: right;\">Naavi<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the distinguishing features of the Digital Personal Data Protection Act, 2023 (DPDPA) is that it places accountability at the centre of personal data governance. The law identifies the Data Fiduciary as the entity that determines the purpose and &hellip; <a href=\"https:\/\/www.naavi.org\/wp\/aggregated-data-fiduciaries-a-new-governance-model-for-dpdpa-compliance-in-the-banking-sector\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":0,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","footnotes":""},"categories":[12],"tags":[],"class_list":["post-20613","post","type-post","status-publish","format-standard","hentry","category-privacy"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false},"uagb_author_info":{"display_name":"Vijayashankar Na","author_link":"https:\/\/www.naavi.org\/wp\/author\/naavi\/"},"uagb_comment_info":0,"uagb_excerpt":"One of the distinguishing features of the Digital Personal Data Protection Act, 2023 (DPDPA) is that it places accountability at the centre of personal data governance. The law identifies the Data Fiduciary as the entity that determines the purpose and &hellip; Continue reading &rarr;","_links":{"self":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/20613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/comments?post=20613"}],"version-history":[{"count":1,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/20613\/revisions"}],"predecessor-version":[{"id":20615,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/20613\/revisions\/20615"}],"wp:attachment":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/media?parent=20613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/categories?post=20613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/tags?post=20613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}