From retention to rights
By Sandeep Parekh
On November 13, the ministry of electronics and information technology notified the implementation timelines for the Digital Personal Data Protection (DPDP) Act, 2023, and published the final version of the DPDP Rules, 2025. Although implementation of both the DPDP Rules and Act follows a staggered model, with core operational obligations applicable from May 2027, data fiduciaries now have an 18-month transition window to realign their systems and practices to the new regime. Against this backdrop, India’s securities market, albeit already operating under data governance structures that may appear akin to privacy frameworks, is now at an inflection point that calls for closer regulatory scrutiny.
Take, for instance, data retention obligations. Much like the DPDP framework, the Securities and Exchange Board of India (Sebi) requires its registered intermediaries to preserve specified data sets. Stockbrokers, for example, must maintain books of account, records, and documents for five years. But these requirements were designed with a different purpose in mind—market surveillance, anti-money laundering (AML) compliance, and investor dispute resolution. The regulatory architecture, therefore, treated data primarily as an asset to be retained rather than as a right to be managed.
While confidentiality obligations do exist, their force lies largely within operational circulars, and broadly worded consents embedded in standard-form client documentation can dilute their application. Data security has been addressed primarily through IT governance norms and cybersecurity standards. Yet, one key element remains absent—a systematic obligation to........