DPDP compliance for NBFC teams: where your personal data actually sits
09:40 AM, Friday. The amber signal was a spreadsheet nobody owned
DPDP compliance for NBFC teams sounds like a documentation project. It is not. The head of compliance at a 200-person NBFC in Mumbai had asked me to spend a Friday with her team. She wanted a DPDP gap review. She thought she had a policy problem.
She had a data problem. They almost always do.
We started with a question that sounds simple and never is. Where does your customer personal data sit, right now, today? She pointed at the loan management system. Achha, good start. Then the call recording platform. Then the KYC vault. Then she paused, mid-sentence.
“And the collections team keeps a tracker,” she said. “On a shared drive.”
That tracker was the amber signal. A spreadsheet with names, phone numbers, PAN numbers, and outstanding balances for 8,000 borrowers. It had been copied and forwarded for three years, renamed along the way by whoever touched it. Nobody owned it. Arre, nobody even remembered who built it. That one file held more exposure than the entire policy binder she had spent two months writing.
What the data map found that the policy missed
A policy says what should happen. A data map shows what is actually happening. The gap between those two is where every NBFC gets hurt under the Digital Personal Data Protection Act.
By lunch we had a list. Customer personal data was sitting in 41 distinct places. The core systems were fine, more or less, because they had access controls and audit logs. The problem was the edges. Eleven of those 41 locations had no owner, no access list, and no deletion schedule.
Here is what the map turned up that the binder did not.
- Three years of call recordings with no retention limit. Every conversation with a customer, kept forever, because nobody had set a rule to delete them.
- Loan application PDFs in a shared mailbox that four departments could open.
- A vendor data feed going to a collections agency with no contract clause on what they could do with it.
- Aadhaar numbers in plain text in two old spreadsheets that predated the current KYC vault.
None of this showed up in the policy. The policy said “personal data is stored securely.” Bas, one sentence. The data said otherwise.
Why DPDP compliance for an NBFC starts with data discovery, not documents
Most compliance projects start at the wrong end. They start with the consent notice, the privacy policy, the grievance officer appointment. All of that matters. The Act, published by MeitY, requires it. But none of it protects a single borrower if you do not know where the data is.
Think about the obligations the way a regulator will. A data principal asks you to delete their data. Can you find every copy? A breach happens. Can you tell the CERT-In team and the affected customers what was exposed, within the reporting window? You cannot answer either question from a policy document. You answer it from a data map.
This is the part of DPDP compliance work for an NBFC that gets skipped because it is unglamorous. There is no certificate for it. It is a jhamela of interviews and screen-shares and questions people would rather not answer. We have seen NBFCs spend six figures on a fancy consent management tool while an Aadhaar spreadsheet sat unencrypted on a drive any intern could reach. The tool was real. The exposure was somewhere else entirely.
For an NBFC there is a second layer. The RBI outsourcing and IT directions already expect you to know where customer data flows, especially to third parties like collections agencies and DSAs. DPDP and the RBI expectations point at the same first step. Map the data. The two regimes reward the same hour of work.
The four-question test we ran on every data location
For each of the 41 places, we asked four questions. Not three. The fourth is the one that finds the unowned spreadsheets.
| Question | What a clean answer looks like | What an amber answer looks like |
|---|---|---|
| Who owns this data location? | A named person and their backup | “I think IT?” or silence |
| Who can access it? | A current access list, reviewed this quarter | “Anyone on the shared drive” |
| How long is it kept? | A written retention period with auto-deletion | “Forever, I suppose” |
| Does a copy leave the building? | A contract clause covering the third party | “We email it to the agency” |
Eleven locations failed on at least two questions. The fix for most of them was not a product. It was a decision. Delete the old Aadhaar spreadsheets, because the live KYC vault already held the same data with proper controls. Set a retention rule on call recordings. Lock the shared mailbox. The data you choose not to hold cannot be breached, cannot be subpoenaed, and cannot end up on a collections agent’s personal laptop.
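The four-question test is simple enough to encode, which is useful once the inventory passes a few dozen locations and the answers need to be re-run every quarter. The following is an added example written for this post, not the author's or any vendor's tool. The location records, review date and the 90-day access-review window are constructed assumptions mirroring the locations the post describes; the scoring rule is the table above, with the post's own ordering of actions: delete where a controlled system already holds the same data, then assign an owner where two or more questions fail, then fix the single remaining gap.

```python
"""Four-question test over a data inventory: owner, access, retention, copies
leaving the building. Flags locations that fail two or more questions and
proposes deletion where a controlled system already holds the same data.

Added example for this post, not the author's or any vendor's tool. Location
names, dates and the 90-day access-review window are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

ACCESS_REVIEW_WINDOW_DAYS = 90  # "reviewed this quarter"


@dataclass
class DataLocation:
    name: str
    owner: Optional[str]
    backup_owner: Optional[str]
    access_list_reviewed: Optional[date]   # None: no access list at all
    retention_days: Optional[int]          # None: kept forever
    auto_delete: bool                      # retention is enforced, not just written
    leaves_building: bool                  # copies go to a third party
    contract_clause: bool                  # that third party is bound by contract
    duplicate_of: Optional[str] = None     # controlled system holding the same data


def four_question_test(loc: DataLocation, today: date) -> List[str]:
    """Return the questions this location fails (empty list = clean)."""
    failed: List[str] = []
    if not (loc.owner and loc.backup_owner):
        failed.append("owner")
    if (loc.access_list_reviewed is None
            or (today - loc.access_list_reviewed).days > ACCESS_REVIEW_WINDOW_DAYS):
        failed.append("access")
    if loc.retention_days is None or not loc.auto_delete:
        failed.append("retention")
    if loc.leaves_building and not loc.contract_clause:
        failed.append("copies")
    return failed


def recommend(loc: DataLocation, failed: List[str]) -> str:
    """Cheapest adequate action, in the order the post applies them."""
    if failed and loc.duplicate_of:
        return f"delete: {loc.duplicate_of} already holds this data under controls"
    if len(failed) >= 2:
        return "amber: assign an owner, then control or delete"
    if failed:
        return "fix: " + ", ".join(failed)
    return "clean"


def triage(inventory: List[DataLocation], today: date) -> Dict[str, Tuple[List[str], str]]:
    """Map each location name to (failed questions, recommended action)."""
    result: Dict[str, Tuple[List[str], str]] = {}
    for loc in inventory:
        failed = four_question_test(loc, today)
        result[loc.name] = (failed, recommend(loc, failed))
    return result


def amber_locations(inventory: List[DataLocation], today: date) -> List[str]:
    """Locations failing two or more questions: the unowned-spreadsheet class."""
    return [loc.name for loc in inventory if len(four_question_test(loc, today)) >= 2]


# Constructed inventory modelled on the locations the post describes.
TODAY = date(2024, 6, 7)
SAMPLE_INVENTORY = [
    DataLocation("Loan management system", "Head of Ops", "Ops Deputy",
                 date(2024, 5, 10), 2555, True, False, False),
    DataLocation("Collections tracker (shared drive)", None, None,
                 None, None, False, True, False),
    DataLocation("Call recordings", "Contact centre head", "Team lead",
                 date(2024, 5, 20), None, False, False, False),
    DataLocation("Old KYC spreadsheet (2019)", None, None,
                 None, None, False, False, False, duplicate_of="KYC vault"),
    DataLocation("Collections agency feed", "Head of Collections", "Ops Deputy",
                 date(2024, 4, 1), 30, True, True, False),
]

if __name__ == "__main__":
    for name, (failed, action) in triage(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name:38} {','.join(failed) or '-':32} {action}")
```

Run against a real inventory, the `amber_locations` list is the one that goes to the compliance lead first: those are the files with no owner to even ask about retention. The `duplicate_of` field is what turns the old KYC spreadsheet into a deletion rather than a control purchase.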
The locations that did need a control got a real one. Encryption and access logging on the loan PDFs through structured data protection controls. USB and download restrictions on the machines that touched borrower data, because the collections tracker had been copied to a USB stick more than once. The classic exfiltration path. We covered that with USB and device control.
What it cost, and what the cheapest control turned out to be
The compliance lead expected the bill to be the scary part. It was the opposite.
The single biggest risk reduction came from deletion, which cost nothing but a sign-off. Eleven unowned locations dropped to four owned, controlled ones. The paid controls covered the data that genuinely had to stay: email-borne customer documents through email data loss prevention, and the device-level controls on the collections team’s machines. The full programme, wrapped into the DPDP compliance package, came in well under what they had quietly set aside for a single enterprise privacy suite.
The vulnerability beat, the part I always tell teams about. When she first sent me the shared-drive tracker, I had assumed it was a duplicate of the loan system, harmless. It was not. It held fields the core system never captured, including notes collectors had typed about borrowers’ families. That file alone would have turned a minor breach into a reportable, headline-grade one. Yaar, one spreadsheet.
Key takeaways
- DPDP risk for an NBFC lives in the data, not the policy binder. Map where personal data sits before you write another document.
- Run the four-question test on every location: owner, access, retention, copies leaving. The fourth question finds the unowned files.
- The cheapest and strongest control is deletion. Remove data you should never have kept.
- RBI IT directions and DPDP reward the same first step. One data map serves both.
- Buy controls for the data that must stay. Do not buy a tool to guard data you could simply delete.
FAQ
How long does a DPDP data mapping exercise take for a mid-size NBFC?
For a 200-person NBFC, the first pass is one focused day of interviews and screen-shares, followed by about a week to confirm owners and retention rules. The map is then a living document, reviewed each quarter.
Do we need an external Data Protection Officer?
The Act expects a clear point of accountability for personal data. Many mid-size NBFCs use a DPO-as-a-service model rather than a full-time hire. You can read how that works on our DPO as a service page.
What is the first thing to do before the DPDP rules are enforced?
Run a readiness scan and a data map. Knowing where your data sits is the input every other obligation depends on. Start with a DPDP readiness assessment.
Reach us on WhatsApp at +91 91375 93228, 10-7 IST. 200+ Indian businesses supported.
P.S. Priya here. The compliance lead messaged me a month later. They had found a twelfth unowned file, on their own, and deleted it before anyone asked. That is the whole point. The data map is not the deliverable. The habit of asking where the data sits is. Security is a verb.

