Digital Lending and Data Protection: The Need for Borrower Awareness

As India accelerates in the digital lending era, a critical concern exists among borrowers about how lending companies use their personal data. In a study conducted by Home Credit India on ‘How India Borrows Survey 2023’, only 18% of borrowers are aware of the data privacy laws, guidelines, and rules in India. Among these, 88% only have a superficial understanding, while 65% are completely unaware of data privacy issues. This limited knowledge leaves borrowers highly vulnerable to data fraud and misuse.

Only less than one-fourth (23%) of borrowers understand how their data is used by lending apps. The study also says that borrowers in Chennai appear more digitally savvy, with 78% claiming to understand the usage of their data.

According to the Reserve Bank of India (RBI) guidelines, regulated organizations are permitted to store only the bare minimum of borrower data. A lender may keep records of information needed to handle and distribute a loan as well as its repayments, such as the borrower’s name, address, and content information.?

What is India's Digital Personal Data Protection (DPDP) Act?

The Digital Personal Data Protection (DPDP) Act was established in August 2023 to balance the importance of borrower’s rights and protect their data with the necessity of processing such data for lawful purposes. The DPDP Act emphasizes several rights for our citizens known as Data Principles. These include:

• Individuals have the right to be informed about the personal data being collected about them, the purpose for which it is collected, and the third parties with whom it is being shared.
• Individuals can access the personal data processed by an organization
• Individuals can correct inaccuracies in their personal data or request deletion under certain circumstances.
• Complaints can be filed with the Data Protection Board of India if their data is processed in non-compliance with the DPDP Act.

Responsibilities for Lending Organizations

• Lending organizations must obtain consent from individuals before processing borrowers' personal data.
• Personal data must only be used for the purposes for which it was collected.
• Lending Organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, and destruction.
• Organizations must respond to individuals’ requests for access, correction, deletion, and objection within a reasonable timeframe.
• Data breaches must be reported to the DPB within 72 hours of becoming aware of the breach.

To comply with the DPDP Act, organizations can additionally conduct assessments to identify areas where practices need correction for compliance, create data protection policies that outline the organization’s commitment to protecting personal data, appoint Data Protection Officers, and regularly conduct periodic audits.

As many organizations strive to comply with the DPDP Act, how important is this for you when considering digital lending solutions? Would this be a priority for your organization? At Novac Technology, we specialize in guiding you navigate through your financial landscape with ZIVA?, our comprehensive digital lending solution!?