The firm — a listed non-banking financial company in India — entered the engagement on the eve of the country’s new data protection regime. The board’s question was not technical. It was whether the institution’s posture toward customer data was, in the language of the regulator, defensible — and what would have to be true for it to be so.
Our work began with a careful audit of the data estate as it actually was, rather than as the firm’s documentation described it. From that picture we sequenced a multi-year programme that placed regulatory obligations ahead of internal optimisations, on the principle that a firm cannot improve a posture it has not yet established.
The engagement closed once the firm was able to operate, audit, and explain its data practice without our presence in the room.
The technology question, in regulated finance, is rarely a technology question.
What we did
- Mapped the firm's data estate against DPDP Act controls — consent, retention, processor obligations, breach posture.
- Sequenced a transformation roadmap that placed compliance-blocking work ahead of margin-improving work.
- Worked with the firm's leadership on a vendor and partner posture compatible with the new regime.
- Stood up an internal review cadence outliving the engagement.