Soumya Mohapatra, Dipayan Dash, Sumantra Bose, Shubha Ojha 
The Viewpoint

The changing data protection landscape of the Indian capital markets

The implementation of the Digital Personal Data Protection Act, 2023 marks a major milestone for data protection and privacy in capital markets.

On November 13, 2025, the Ministry of Electronics and Information Technology (MEIT) notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules 2025), along with the dates for implementation of the principal legislation, the Digital Personal Data Protection Act, 2023 (DPDPA 2023). This marks a major milestone for data protection and privacy in capital markets.

Existing data protection framework for SEBI-regulated entities

In addition to the general legal framework relating to personal data protection consisting of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, capital market intermediaries are also regulated by the Securities and Exchange Board of India’s (SEBI’s) ‘Cyber Security and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’ bearing reference number SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024 (CSCRF 2024).

Also, the outsourcing of activities, which includes third-party agencies handling customer data that are engaged by regulated entities, is regulated under SEBI circular dated December 15, 2011, titled ‘Guidelines on Outsourcing of Activities by Intermediaries’ bearing reference number CIR/MIRSD/24/2011. This framework broadly applies to all capital-market intermediaries, including stockbrokers, lead managers, portfolio managers, mutual funds, asset management companies, registrar and transfer agents, custodians, etc.

Phased implementation

The Government of India (GoI) has notified the following phased timeline for the implementation of the DPDPA 2023, as briefly explained in the table below:

Impact on the Indian capital market

The DPDPA 2023 will introduce several changes affecting the capital markets. While specific deviations impacting the capital markets have not been separately published, the changes to the overall legal framework governing personal data, including in relation to consent, grounds of processing, introduction of the concept of significant data fiduciaries (SDFs), and reporting of personal data breaches, are highly relevant to the capital markets entities.

The financial services sector, comprising the capital market entities like stockbrokers, lead managers, stock exchanges and depositories, is significantly impacted due to its reliance on large volumes of personal data. The following are some of the important facets of the impact of the DPDPA 2023 on the capital markets:

(i) Consent and notice requirements: The DPDPA 2023 provides stringent requirements for consent as a ground of processing, including issuing standalone, clear, and easy-to-understand notices and consent requests. In practice, capital market entities can no longer bury privacy notices within lengthy, complex documents. Notices must now itemize the specific data being collected and the exact purpose for processing.

(ii) SDFs: Given the massive volume of sensitive data handled by many large capital market institutions like stock exchanges and depositories, such entities are likely to be classified as SDFs. This classification imposes a much higher compliance burden compared to the draft, including more rigorous security and governance requirements.

(iii) Data localization and cross-border transfers: The DPDP Rules 2025 clarify the mechanism for cross-border data transfers under the DPDPA 2023, confirming a "black-list" approach where transfers are allowed to any country unless specifically restricted by the government. However, the government can also impose data localization requirements for certain categories of data on SDFs. Capital market entities with international operations or cloud infrastructure in multiple jurisdictions will be directly affected. Having said that, any stricter sectoral regulations, including those of SEBI that provide for data localisation requirements, will prevail over the DPDPA 2023.

(iv) Security safeguards and breach reporting: The DPDP Rules 2025 provide illustrative baseline security requirements, including mandatory encryption and a minimum one-year retention period for logs. Further, the stringent two-fold reporting of data breaches to the DPDP Board and affected individuals has been retained from the original draft of the rules. For capital market entities, which are frequent targets of cyberattacks, the security standards and personal data breach reporting requirements will act as an additional compliance layer beyond those prescribed by the Indian Computer Emergency Response Team and SEBI.

(v) Intersection with regulations of SEBI: The DPDPA 2023 will operate alongside existing SEBI regulations, but with a heightened focus on data principal rights and accountability. SEBI's own revised data sharing policies now specifically reference the DPDPA 2023. SEBI has directed market infrastructure institutions to create their own policies, distinguishing between publicly available and personal data that must be anonymized or kept confidential. More such directions are expected, ensuring alignment and preventing conflicts with existing laws like the Prevention of Money Laundering Act, 2002.

(vi) Enhanced penalties: The DPDPA 2023 provides for much higher financial penalties than existing regulations, pushing capital market entities to prioritize data protection compliance.

The way forward

On one hand, the implementation of DPDPA 2023 will set out clear roles and legal requirements that capital market intermediaries need to adhere to, resulting in a clear understanding of rights and liabilities vis-à-vis personal data of the customers. On the other hand, it will impact the Indian capital markets by imposing stricter data protection and security obligations on financial firms, including detailed consent requirements, mandatory security safeguards like encryption, clear data breach notification protocols (within 72 hours), and specific rules for SDFs that necessitate audits and risk assessments.

The DPDPA 2023 will affect how capital markets handle customer data, requiring greater transparency, enhanced security measures, and specific consent management processes, and may introduce new compliance requirements and costs for capital market intermediaries. That said, given the unprecedented penalties prescribed under the DPDPA 2023, regulated entities should take steps towards formulating compliance strategies in harmony with their existing compliance framework under the SEBI directives. Considering the phased implementation of the DPDPA 2023, and factors such as the sensitivity of data processing, it is likely that different categories of regulated entities would have to adapt their approach towards compliance rather than follow a set template as is usually done by other internet-based commerce companies.

About the authors: Soumya Mohapatra is a Partner, Dipayan Dash and Sumantra Bose are Counsel, and Shubha Ojha is an Associate at Khaitan & Co.

Views expressed are personal.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
