Overview
IndusInd Bank is a prominent Indian private sector bank offering a wide range of financial products and services. As a bank, it handles an immense volume of highly sensitive personal data belonging to millions of customers: account details, transaction history, KYC documents (PAN, Aadhaar), loan applications, and investment records. Under the Digital Personal Data Protection (DPDP) Act 2023, how a bank like IndusInd manages this data is critical.
However, a fundamental issue exists: at the time of this analysis, the privacy policy URL published by IndusInd Bank (https://www.indusind.com/in/en/privacy-policy.html) returns a “page not found” error. A policy may exist elsewhere on the site, but at its published address the public, including you, cannot access it. A privacy notice that cannot be located is in itself a significant DPDP compliance problem, because the Act’s notice and transparency obligations assume the Data Principal can actually read it.
DPDP Readiness: Section-by-Section Analysis
Sections 5 and 6 — Notice & Consent 🔴
The DPDP Act requires Data Fiduciaries (the entity that decides how and why your data is processed, in this case IndusInd Bank) to give clear notice (Section 5) and obtain valid consent (Section 6) before collecting and processing your personal data.
What the policy says: We couldn’t find a functional privacy policy at the provided URL. The page displays a “We can’t seem to find the page you’re looking for.” message.
DPDP requirement: Notice must accompany or precede every request for consent, in clear and plain language, stating what personal data is collected and for what purpose, how you can withdraw consent and raise a grievance, and how to complain to the Data Protection Board. Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action.
The problem: Without an accessible policy, Data Principals (that’s you, the individual whose data is collected!) cannot understand how IndusInd Bank collects or uses their personal data, what information is being collected, and for what purposes. This is a fundamental breach of transparency under the DPDP Act.
Section 7 — Certain Legitimate Uses 🔴
The DPDP Act allows processing without consent only for the specific “legitimate uses” listed in Section 7, such as data you voluntarily provided for a specified purpose, state functions, medical emergencies, or employment-related purposes. Companies often try to stretch other reasons into this category, but the list is closed.
What the policy says: No policy text available to review.
DPDP requirement: Legitimate uses are narrowly defined. Most commercial processing, especially marketing or general service improvement, does not fall under Section 7 and requires valid consent under Section 6.
The problem: Since the policy is missing, it’s impossible to check if IndusInd Bank is accurately applying these limited exceptions or if they are overreaching. This creates uncertainty about how your data might be used without your explicit permission.
Section 8 — Obligations of Data Fiduciary 🔴
This section covers the responsibilities of the company holding your data to keep it safe and accurate. This includes implementing security safeguards and responding to data breaches.
What the policy says: No policy text available to review.
DPDP requirement: Data Fiduciaries must implement “reasonable security safeguards” to prevent personal data breaches, ensure the data is complete and accurate where it is used to make decisions about you, and notify the Data Protection Board and affected Data Principals when a breach occurs.
The problem: For a bank handling highly sensitive financial data, robust security measures are paramount. Without a policy, customers have no clear statement or assurance from IndusInd Bank about how they fulfill these critical obligations under DPDP.
Section 8(7) — Data Retention 🔴
The DPDP Act requires that personal data be erased once consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is necessary to comply with another law. For a bank, KYC and transaction records carry statutory retention periods under banking and anti-money-laundering rules, so a compliant policy should state both the purpose-bound retention and those legal overrides.
What the policy says: No policy text available to review.
DPDP requirement (Section 8(7)): Data must be erased when the purpose is fulfilled or consent is withdrawn, unless another law requires it to be kept. Clear retention periods are expected.
The problem: You have no idea how long IndusInd Bank plans to keep your financial records, KYC documents, or transaction history. This lack of defined retention periods is a significant gap, as indefinite retention increases the risk of data exposure.
Sections 11 to 14 — Rights of Data Principal 🔴
The DPDP Act gives you several important rights: to access information about your personal data and how it is processed (Section 11), to have it corrected, completed, updated or erased (Section 12), to grievance redressal (Section 13), and to nominate someone to exercise your rights if you die or become incapacitated (Section 14).
What the policy says: No policy text available to review.
DPDP requirement: Data Principals have rights including access, correction, erasure, nomination and grievance redressal, and Data Fiduciaries must provide a practical way to exercise them.
The problem: Without a policy, you don’t know how to exercise your rights. Can you easily request your data? Can you ask them to correct an error? Can you even ask them to delete your marketing data? The answer is unclear because the policy is absent.
Section 13 — Right of Grievance Redressal 🔴
If you have a problem with how your data is being handled, DPDP requires a clear path for you to complain to the Data Fiduciary first, and then escalate to the Data Protection Board once that mechanism is exhausted.
What the policy says: No policy text available to review.
DPDP requirement: A Data Fiduciary must provide a readily available grievance redressal mechanism (Section 8(10)), publish the contact details of a Data Protection Officer or another person able to answer questions about its processing (Section 8(9)), and tell Data Principals how to complain to the Data Protection Board.
The problem: While IndusInd Bank has general customer service channels, there is no DPDP-specific grievance process or named privacy contact in a public privacy policy. This makes it difficult for you to complain about privacy violations specifically under the new law.
Section 16 — Cross-Border Data Transfer 🔴
This section deals with whether your data might be sent outside India. Under Section 16, transfers abroad are permitted by default, but the Central Government may by notification restrict transfers to specific countries or territories, and any stricter sector-specific law continues to apply.
What the policy says: No policy text available to review.
DPDP requirement: Cross-border transfer is allowed except to countries or territories the Central Government has restricted by notification; stricter rules in other laws still apply.
The problem: As a bank that may rely on international operations or third-party service providers, IndusInd needs to be transparent about any cross-border data transfers and the safeguards around them. Without a policy, you have no information on where your sensitive financial data might be going globally.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | Critical | Fundamental non-compliance with DPDP transparency requirements |
| Transparency & Notice | Critical | Customers cannot understand data practices, leading to loss of trust |
| Consent compliance | Critical | No basis to verify valid consent for data processing |
| Data principal rights | Critical | Customers unable to exercise statutory rights effectively |
| Data Retention | Critical | Undefined retention periods for sensitive financial data create high exposure |
| Public perception | High | Major brand reputation damage for a leading bank |
Recommendations
- Publish a functional privacy policy immediately — Ensure the official URL works and prominently link it on the website.
- Explicitly reference the DPDP Act 2023 — Clearly state compliance with the new law.
- Provide clear notice and consent mechanisms — Detail what data is collected, why, and get explicit, granular consent.
- Define specific data retention periods — Inform customers exactly how long different types of data are kept.
- Outline Data Principal rights and how to exercise them — Create clear pathways for access, correction, and erasure requests.
- Establish a DPDP-specific grievance redressal process — Publish a named privacy contact (a Data Protection Officer where applicable) and include the Data Protection Board as the escalation path.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.