Can a broker refuse a DPDP erasure request for trading records?

Yes. SEBI mandates 7-year retention of trading records, contract notes, and client communications. Where data is held under this statutory obligation, the DPDP Act's erasure right does not override the mandate. ConsentOS documents this exception in a denial register and generates DPBI-ready justification automatically.

How does KRA data sharing interact with the DPDP Act?

KRA (CKYC) data access events are personal data processing activities under the DPDP Act. Each KRA data sharing instance must be traceable to a specific, purpose-limited consent record. ConsentOS captures and maintains these consent chains, ensuring both SEBI KYC compliance and DPDP consent requirements are met simultaneously.

Do depository participant records count as personal data under DPDP?

Yes. Demat account records, holdings data, and transaction histories containing personal identifiers are personal data under the DPDP Act. Retention mandated by CDSL/NSDL rules is covered by the Legal Obligation Override — but only for the specific data and period required by the depository.

Could our brokerage be classified as a Significant Data Fiduciary?

Large brokers processing high volumes of client financial data, particularly those using algorithmic or AI-driven systems that profile client behaviour, are likely SDF candidates. The Compliance Vault tier is built for SDF compliance — DPO support, DPIA workflows, and enhanced audit trails included.

Registered Broker

DPDP Readiness Infrastructure for SEBI-Registered Brokers

When a SEBI examination reviews your DPDP compliance posture, your answer must be documented and verifiable. SEBI mandates 7-year retention of trading records and client communications. KYC Record Agency (KRA) data creates independent consent obligations. The DPDP Act gives your clients the right to erasure. ConsentOS implements a Legal Obligation Override that satisfies SEBI's record retention requirements and DPDP erasure rights simultaneously, giving your compliance officer and your examiner a printable, verifiable answer.

Critical Risk: SEBI/DPDP/KRA Dual Enforcement Risk

10,000+

SEBI-registered stock brokers in India

300M+

Demat accounts in India (2025)

250 Cr

Maximum DPDP penalty per incident

SEBI Examination Readiness

SEBI examinations are beginning to include DPDP preparedness as part of compliance assessments for registered brokers. The answer "we are still assessing our obligations" is not a defensible compliance position. For brokers with concurrent RBI exposure, circular RBI/DPSS/2026-27/396 (April 22, 2026) established a dual-audit standard for statutory retention vs. DPDP erasure conflicts. The standard applies wherever a regulated entity holds data under a statutory mandate. ConsentOS gives your compliance officer a printable readiness report and your SEBI examiner a documented, verifiable answer.

Obligations

Your DPDP Obligations as a Registered Broker Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to registered broker operations.

SEBI / DPDP Retention Conflict

SEBI mandates 7-year retention of trading records, contract notes, and client communications. DPDP Act requires erasure on demand. Legal Obligation Override documents the statutory exception and generates denial evidence for each rejected erasure request.

KYC Record Agency (KRA) Consent

KRA (CKYC) data sharing requires documented consent chains independent of SEBI KYC compliance. Each data access event by a KRA must be traceable to a specific, purpose-limited consent record under the DPDP Act.

Client Data Rights vs SEBI Records

DPDP erasure and access rights apply to all client personal data. Data held under SEBI statutory mandate is exempted from erasure, but the exemption must be documented and communicated to the client on request.

Trading Data Purpose Limitation

Trading data collected for order execution and portfolio management cannot be repurposed for research, marketing, or third-party analytics without documented, purpose-specific consent under Section 5.

Demat Account and Depository Data

CDSL/NSDL depository participant records carry independent retention obligations. Erasure requests that conflict with depository record-keeping requirements must be handled via documented Legal Obligation Override.

Algorithmic Trading and SDF Risk

Brokers using algorithmic or AI-driven trading systems that profile client behaviour at scale may be designated as Significant Data Fiduciaries, triggering DPO appointment, DPIA requirements, and enhanced audit obligations.

Breach Notification

A client trading data breach triggers both SEBI incident reporting and DPDP breach notification obligations simultaneously. Build a single incident response workflow that satisfies both deadlines.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Build your SEBI examination readiness position

Map all personal data processing across trading, KYC, KRA, demat, and communication records. Document your DPDP posture before your next SEBI examination cycle.

Q3 2026

Implement Legal Obligation Override

Deploy the Compliance Vault: classify SEBI-retained data, isolate from DPDP erasure flow, configure denial register.

Nov 2026

Consent Manager registration

Q1 2027

Client data rights workflows

Implement access, correction, and erasure workflows with SEBI statutory exemption handling.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Dual SEBI/DPDP non-compliance exposes brokers to enforcement from both regulators.

Penalty Exposure for Registered Broker Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Client trading data breach (failure to implement safeguards) Up to ₹250 Cr

Failure to notify breach to Board and affected clients Up to ₹200 Cr

Non-compliance with consent and rights obligations Up to ₹50 Cr

Calculate your specific exposure

Recommended Plan

Compliance Vault for Registered Broker

Brokers operating under SEBI's 7-year record retention mandate require the Legal Obligation Override, retention schedule dashboard, and denial register that only the Compliance Vault tier provides.

Implementation

₹5,00,000 one-time

₹75,000 /month

Legal Obligation Override (RBI / PMLA)
Retention schedule dashboard — per data category
Denial register for statutory erasure exceptions
DPBI-ready audit evidence packs
72-hour breach notification pipeline
Dedicated compliance support manager

Start with a free assessment Compare all plans

Learn how the Compliance Vault resolves the SEBI/DPDP conflict →

Not ready to subscribe? Start with a one-time Readiness Assessment →

Resources

Essential Reading for Registered Broker

Deep dives into the DPDP provisions most relevant to your sector.

Industry Guides

Fintech DPDP Compliance: RBI Data Localisation and Payment Rules

How the DPDP Act 2023 intersects with RBI data localisation mandates, payment data protection, and consent requirements for fintech companies operating in India.

10 min read min read

Regulatory Updates

What Is the DPDP Act 2023? Guide for Indian Business Compliance

The Digital Personal Data Protection Act 2023 decoded. What it requires, who it applies to, and what happens if you ignore it.

6 min read min read

Regulatory Updates

DPDP Penalties: ₹250 Crore Risk and Enforcement Tiers in India

A breakdown of every penalty provision in the DPDP Act 2023. Understand the financial exposure, the enforcement mechanism, and what triggers each penalty tier.

7 min read min read

When the SEBI Examiner Asks, Have the Answer Ready

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.

Get Your Free Assessment Talk to a compliance specialist