India's Digital Personal Data Protection Act (DPDPA), passed in August 2023 and progressively enforced through 2025 and 2026, represents the most significant shift in how organizations must handle personal data within the country. For financial institutions running Video KYC operations -- where every session captures Aadhaar numbers, PAN details, live facial biometrics, geo-location data, and recorded video -- the DPDPA introduces obligations that touch every stage of the verification lifecycle, from the moment consent is captured to the day the data is permanently deleted.
DPDPA Overview: What Financial Institutions Must Know
The DPDPA establishes a comprehensive framework for the processing of digital personal data in India. It introduces the concept of a "Data Fiduciary" (the organization that determines how and why personal data is processed) and a "Data Principal" (the individual whose data is being processed). Every entity conducting Video KYC is a Data Fiduciary, and every customer undergoing verification is a Data Principal. The act also creates the role of "Significant Data Fiduciary" for organizations that process large volumes of sensitive data -- a category that includes most banks, large NBFCs, and insurance companies.
The DPDPA is built on seven core principles: lawfulness (processing must have a legal basis), purpose limitation (data can only be used for the stated purpose), data minimization (collect only what is necessary), accuracy (data must be kept correct and current), storage limitation (data cannot be retained indefinitely), security (appropriate technical safeguards must be in place), and accountability (the Data Fiduciary must demonstrate compliance). Each of these principles has direct, practical implications for how Video KYC systems are designed and operated.
Enforcement is handled by the Data Protection Board of India (DPBI), which has the authority to impose penalties of up to INR 250 crore per instance of significant non-compliance. The Board can also direct organizations to take specific remedial actions, including suspending data processing activities -- which for a financial institution relying on Video KYC for customer onboarding, could effectively halt new account acquisition.
Impact on Video KYC: Consent, Purpose Limitation, and Data Minimization
Video KYC is inherently data-intensive. A single verification session generates a live video recording (typically 5-15 minutes), captured facial biometrics, photographs of identity documents, OCR-extracted data fields, GPS coordinates, device metadata, AI model outputs (liveness scores, face match confidence), and the verification official's assessment notes. Under the DPDPA, every piece of this data must be collected with a clear legal basis, used only for the stated verification purpose, and limited to what is strictly necessary.
Purpose limitation is particularly impactful. If an institution collects a customer's facial biometrics during Video KYC for account opening, it cannot subsequently use that biometric data for marketing analytics, behavioral profiling, or any purpose beyond identity verification -- unless it obtains fresh, specific consent for each additional purpose. The same video recording captured for regulatory compliance cannot be repurposed as training data for AI models without explicit consent from the Data Principal.
Data minimization requires institutions to critically evaluate what they capture during video sessions. If the regulatory requirement is to verify identity through PAN and Aadhaar, capturing additional documents "just in case" without a specific legal basis violates the minimization principle. Similarly, retaining the full video recording when only a photograph and verification outcome are legally required creates unnecessary data exposure. Institutions must map each data element they capture to a specific legal requirement or legitimate business purpose.
Consent Management Requirements
The DPDPA imposes strict requirements on how consent is obtained and managed. Consent must be free, specific, informed, unconditional, and unambiguous. For Video KYC, this means the customer must be clearly informed, before the session begins, about exactly what data will be collected (video recording, biometrics, documents, location), why it is being collected (identity verification for account opening), how long it will be retained, who will have access to it, and their right to withdraw consent.
Consent must be captured through a clear affirmative action -- not pre-ticked checkboxes or bundled consent buried in terms of service. The institution must maintain a record of when consent was given, what was consented to, and the specific version of the consent notice that was presented. If the consent notice is updated (for example, to reflect a change in data retention period), fresh consent must be obtained from affected Data Principals.
The right to withdraw consent adds operational complexity. If a customer withdraws consent after completing Video KYC but before the account is activated, the institution must cease processing their data and delete it within the timeframe specified in its privacy policy -- unless retention is required by another law (such as anti-money laundering regulations). Institutions need clear internal processes for handling withdrawal requests, including escalation workflows for cases where regulatory obligations conflict with the withdrawal.
Data Retention and Deletion Rules
The DPDPA's storage limitation principle requires that personal data be retained only for as long as it is needed for the purpose for which it was collected, or as required by law. For Video KYC, this creates a complex matrix of retention requirements. RBI mandates that KYC records be retained for at least five years after the business relationship ends. SEBI requires retention for eight years. IRDAI requires retention for the policy term plus five years. Anti-money laundering laws may require additional retention. The DPDPA does not override these sectoral requirements, but it adds the obligation to delete data once the longest applicable retention period expires.
Institutions must implement automated retention management that tracks the retention period for each data element independently. A customer's video recording might need to be retained for five years under RBI norms, while their account transaction data might be retained for ten years under tax regulations. When each retention period expires, the corresponding data must be securely deleted -- not just archived or made inaccessible, but permanently and irreversibly removed from all storage systems, including backups.
The deletion obligation extends to data processors (third-party vendors). If an institution uses a cloud-hosted Video KYC platform, it must ensure that the platform provider also deletes the data upon the institution's instruction and can provide certification that deletion has been completed. This requires contractual provisions with every vendor in the data processing chain and technical mechanisms to verify deletion across distributed storage systems.
Cross-Border Data Transfer Restrictions
The DPDPA restricts the transfer of personal data to countries outside India. The Central Government maintains a list of countries to which transfers are permitted; transfers to countries not on this list are prohibited. For Video KYC operations, this has direct implications for technology architecture. If the video platform's infrastructure routes data through servers located in non-permitted jurisdictions -- even transiently -- it constitutes a cross-border transfer and may violate the act.
Global financial institutions operating in India through branches or subsidiaries face particular challenges. Their parent organizations may have centralized compliance systems, data analytics platforms, or fraud detection engines hosted outside India. Under the DPDPA, Video KYC data collected in India cannot be transmitted to these global systems unless the receiving country is on the permitted list. This is driving many multinational institutions to adopt India-specific data architecture with local processing and storage, only exporting anonymized or aggregated data that does not qualify as personal data under the act.
On-Premise Deployment for DPDPA Compliance
The most straightforward path to DPDPA compliance for Video KYC is on-premise deployment. When the entire video verification stack -- application servers, media servers, AI engines, databases, and object storage -- operates within the institution's own data center in India, several DPDPA concerns are addressed by design. There is no cross-border data transfer because data never leaves the institution's Indian infrastructure. Data deletion can be verified through direct access to the storage layer. Access controls align with the institution's existing security policies. Audit trails are maintained entirely within the institution's governance framework.
On-premise deployment also simplifies the Data Fiduciary's accountability obligations. When regulators or the Data Protection Board request information about how personal data is processed and stored, the institution can point to infrastructure it directly owns and controls, with audit logs it maintains, rather than relying on certifications and contractual assurances from third-party cloud providers. For Significant Data Fiduciaries -- which includes most large financial institutions -- this level of direct control is increasingly seen as a regulatory expectation rather than a technical preference.
How BASEKYC Ensures DPDPA Compliance
BASEKYC was designed with data privacy as a foundational principle, not a retrofitted feature. Our consent management module presents clear, itemized consent notices to customers before the video session begins, captures affirmative consent with timestamps, and maintains a versioned consent registry that tracks every change to consent notices and re-consent events. When a customer exercises their right to withdraw consent, the system automatically triggers the appropriate data deletion workflow while flagging any regulatory retention conflicts for compliance team review.
Our data retention engine applies configurable retention policies at the individual data element level. Video recordings, document images, biometric data, and verification metadata can each have independent retention periods aligned with the applicable regulatory requirement. When a retention period expires, the system executes secure deletion across all storage layers -- primary database, object storage, and backup systems -- and generates a deletion certificate for audit purposes.
For institutions requiring the highest level of data control, BASEKYC's full on-premise deployment ensures that no personal data ever leaves the institution's infrastructure. For those choosing cloud deployment, our India-region infrastructure guarantees data residency within the country. In both models, the platform enforces purpose limitation through role-based access controls and data classification labels that prevent KYC data from being accessed or exported for unauthorized purposes. Every data access event is logged in an immutable audit trail, providing the accountability evidence that the DPDPA demands.