Aadhaar & eKYC Under DPDP
Liability Check
Handling Aadhaar numbers, biometric data, and eKYC records requires the highest level of diligence under the DPDP Act. Mishandling this sensitive data can trigger penalties up to ₹250 Crore and even criminal charges for your organisation.
Why Aadhaar & eKYC Under DPDP is at Risk
Your systems routinely collect and process **Aadhaar numbers, biometric scans, and personal details** via eKYC for onboarding, verification, or even employee background checks. Under the DPDP Act, this is considered **Sensitive Personal Data**, demanding enhanced security, explicit consent, and strict purpose limitation. Storing full Aadhaar numbers or biometrics without a clear, documented legal basis and robust security is a ticking time bomb. Remember, the **Data Protection Board** can audit your entire eKYC lifecycle, from collection to deletion, looking for compliance gaps.
Common Violations
1. Storing full Aadhaar numbers or copies of physical Aadhaar cards when only the last four digits are required for verification.
2. Using eKYC data (e.g., from a telecom or financial onboarding) for marketing or cross-selling without fresh, explicit consent.
3. Failing to encrypt or properly secure databases containing sensitive eKYC documents, making them vulnerable to breaches.
The Immediate Fix
Immediately conduct a data audit to identify where Aadhaar numbers and sensitive eKYC data are stored across your systems. Implement **Aadhaar masking protocols** (storing only the last 4 digits) wherever permissible, and review your consent flows so that consent for eKYC data is explicit and purpose-specific. Secure all databases storing this data with strong encryption and access controls.
Projected Compliance Deadline: Immediate