When Identity Meets Privacy: The Infrastructure India’s Digital Economy Cannot Afford to Get Wrong

India’s digital economy is scaling at a pace that its trust infrastructure has struggled to keep up with. Fraud cases are climbing, data breaches are growing costlier, and the DPDP Act is pushing organizations to confront uncomfortable questions about the data they have collected for years without scrutiny. At the center of this reckoning sits identity — who you are, what you have consented to, and whether the systems built to verify you can actually be trusted.

Malcolm Gomes, COO of IDfy, has a front-row view of all three pressure points. IDfy works across banking, fintech, insurance, and e-commerce, helping organizations build identity verification and data governance capabilities at scale. In this conversation, Gomes argues that DPDP is not merely a compliance exercise but a structural reset — one that will touch vendor ecosystems, consent architecture, and the very economics of digital trust. And for India to move from a trust-deficit economy to a trust-first one, he says, the work starts now.

CISO Forum: Most businesses are still treating DPDP as a compliance deadline rather than a strategic inflection point. Five years from now, which companies will look back and realize they fundamentally misread what this law was asking of them?

Malcolm Gomes: That is my favorite question, because whatever I am going to tell you is based on working with all the customers I just mentioned, and many more who have been working in full-fledged capacity and have done a whole range of POCs. So, whatever perspectives I share come from being in the trenches, living with the trade-offs and the debates people have. It is completely drawn from practical learning.

Six months back, most organizations thought: let me get a DPO, find someone, assign it to them — typically a CISO minus one, a CIO minus one, or a head of legal minus one — and they would do some paperwork, check some boxes, and that would be that.

As people have begun to implement, however — and I will be honest, even we are realizing this — the intricacies and the interconnections are far greater than anticipated. What might have started as one step turns into many, and when you put them all together, there is almost a reset or a transformation within organizations.

Let me give you a few examples. As organizations began examining what data they actually held — using data discovery tools — they suddenly realized they were sitting on archaic, unnecessary data. Banks discovered they were holding a record of a customer’s father’s birthplace because it had always been collected, for whatever reason. Those prompted questions: who owns this data, why do we have it, and should we purge it?

From there, what began as a DPO exercise suddenly drew in business teams and analytics teams. Here is a completely different example: under the law, you are also responsible for the data you share with your processors. That means you first need to know who your processors are, what data goes to them, when, how, and in what form. You would be surprised — most organizations do not know. Ask them for that list, and it does not exist.

Suddenly, the DPO function has to include legal, procurement, and vendor management to compile a list of critical data processors and understand what flows to them. And that opens a new set of questions: why does a particular processor need personal customer data beyond a certain point? This was all taken for granted earlier. If you shared data with a credit card printer, what that vendor subsequently did with it was not your concern. Now, everyone is waking up to that and asking, “Who are these processors?” Why are we sending this data? What are they doing with it subsequently? Are they purging it?

The third example is around consent. The law requires you to take consent explicitly, which forces organizations to ask: “What data do I really need?” Because you now have to make that explicit to customers, you cannot rely on dark patterns or implicit collection. Even something as simple as collecting an IP address technically requires disclosure. That is driving a lot of questions around why data is being collected in the first place — the concept of data minimization.

If you put these three very different examples together, what you realize is that everything from how you interact with a customer, to what data you collect, how you store it, who uses it internally, and which external parties have access — all of it is now under scrutiny. So many internal stakeholders are involved, and external parties have to change how they work with you. I think people will look back in five years and realize that what seemed like a compliance exercise is actually leading to something far more fundamental — a harder set of questions, and bigger organizational change.

CISO Forum: You’ve argued that consent could evolve from a legal checkbox into a differentiator. But Indian consumers have historically traded privacy for convenience — think of how readily people share Aadhaar or phone numbers for a discount. What will actually change that behavior, and how quickly?

Malcolm Gomes: Based on how our customers are implementing and what we expect downstream consumers to experience — and a lot of this is already live; customers at Axis Bank, for example, are already giving consent in ways enabled by our platform — here is what consumers should expect.

First, much greater explicitness around what you are required to provide versus what is optional. Take a bank account: you must provide your Aadhaar to open an account, and your phone number may be required for contact purposes, but it is optional for marketing communications. The data might be the same, but the purpose for which it is used will become clearer. As a customer, you will have the power to say: you can use my phone number to send me balance alerts, but not for cross-sell offers.

Second, linked to that is the ability to clearly opt in or out of anything optional. For what is compulsory, there is no opt-out — you cannot open a bank account without providing your name and Aadhaar. But for optional purposes, the choice will be explicit.

Third, over time, the ability to go back, view, modify, and assert your rights.

And fourth, if you have asserted a right — say, that your phone number should not be used for marketing — and that is not upheld, you will have the ability to approach the organization and, subsequently, the data protection authority for remedy.

So, from a consumer’s perspective, these four things will be different: granular clarity about what they are giving and what they are not; explicit, clear choice about optional data; the ability to view and change their preferences over time; and recourse when those preferences are not honored.
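The four consumer-facing properties just listed map naturally onto a purpose-bound consent record: each data field is tied to declared purposes, some mandatory as a condition of service and some optional, and every use of the data is checked against that record rather than against the fact that the data happens to be on file. The following is an added illustration of that structure in Python; it is not IDfy's or any bank's code, and the purpose catalogue, the `ConsentLedger` class and the `send_sms` helper are constructed for this demonstration.

```python
"""Purpose-bound consent ledger: mandatory vs optional purposes per data field,
explicit opt-in/opt-out for optional purposes, a reviewable preference history,
and an enforcement check that every data use must pass. Added example; the
purpose catalogue and all names are constructed for this demonstration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed purpose catalogue: (data field, purpose) -> whether consent for
# that purpose is a condition of the service ("mandatory") or a free choice.
PURPOSES: Dict[Tuple[str, str], str] = {
    ("aadhaar", "account_opening"): "mandatory",
    ("phone", "balance_alerts"): "mandatory",
    ("phone", "marketing"): "optional",
    ("email", "statements"): "mandatory",
    ("email", "marketing"): "optional",
}


class ConsentError(Exception):
    """Raised when a data use has no valid consent behind it."""


@dataclass
class ConsentLedger:
    customer_id: str
    granted: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    # (timestamp, field, purpose, granted): the customer-visible history
    history: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def _record(self, data_field: str, purpose: str, value: bool) -> None:
        self.granted[(data_field, purpose)] = value
        stamp = datetime.now(timezone.utc).isoformat()
        self.history.append((stamp, data_field, purpose, value))

    def open_service(self) -> None:
        """Mandatory purposes are granted as a condition of using the service;
        optional purposes start as not granted (explicit opt-in only)."""
        for (data_field, purpose), kind in PURPOSES.items():
            self._record(data_field, purpose, kind == "mandatory")

    def set_optional(self, data_field: str, purpose: str, value: bool) -> None:
        """Customer opts in to or out of an optional purpose."""
        kind = PURPOSES.get((data_field, purpose))
        if kind is None:
            raise ConsentError(f"{purpose} is not a declared purpose for {data_field}")
        if kind == "mandatory":
            raise ConsentError(f"{purpose} for {data_field} is a condition of service")
        self._record(data_field, purpose, value)

    def may_use(self, data_field: str, purpose: str) -> bool:
        """Enforcement check. Undeclared purposes are denied outright."""
        return self.granted.get((data_field, purpose), False)

    def preferences(self) -> Dict[str, Dict[str, bool]]:
        """Customer-facing view of current choices, split by mandatory/optional."""
        view: Dict[str, Dict[str, bool]] = {"mandatory": {}, "optional": {}}
        for (data_field, purpose), kind in PURPOSES.items():
            view[kind][f"{data_field}:{purpose}"] = self.may_use(data_field, purpose)
        return view


def send_sms(ledger: ConsentLedger, purpose: str, text: str) -> str:
    """Every outbound use passes through the ledger before touching the data."""
    if not ledger.may_use("phone", purpose):
        raise ConsentError(f"no consent for phone/{purpose} ({ledger.customer_id})")
    return f"[{purpose}] to {ledger.customer_id}: {text}"


def demo() -> Dict[str, object]:
    """Walk through the balance-alert vs cross-sell case from the interview."""
    ledger = ConsentLedger("cust-001")
    ledger.open_service()
    result: Dict[str, object] = {"alert": send_sms(ledger, "balance_alerts", "Balance: 1,200")}
    try:
        send_sms(ledger, "marketing", "Pre-approved card offer")
    except ConsentError as exc:
        result["marketing_blocked"] = str(exc)
    ledger.set_optional("phone", "marketing", True)   # explicit opt-in
    result["after_opt_in"] = ledger.may_use("phone", "marketing")
    ledger.set_optional("phone", "marketing", False)  # later withdrawn
    result["after_opt_out"] = ledger.may_use("phone", "marketing")
    result["history_entries"] = len(ledger.history)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The design choice worth noting is that `may_use` returns `False` for any purpose that is not in the catalogue, so a new internal use of the phone number cannot quietly ride on consent that was given for something else; it has to be declared first, and the history list is what lets the customer review and dispute what was recorded.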

CISO Forum: India is simultaneously racing toward 900 million internet users and watching fraud cases climb to 117 a day. Does scaling digital access and reducing digital fraud require fundamentally different infrastructure, or is this a problem DPDP’s trust architecture can solve?

Malcolm Gomes: Fraud spans a wide spectrum, from impersonation and credential misuse to fake and synthetic identities. But in my view, a significant portion of fraud is enabled because personal data falls into the wrong hands.

Either internal actors have access to customer personal data because there are no proper access controls — an employee can go to a database and download everything — or that same personal data reaches third parties who pass it on further. If you look at many of the incidents reported in recent months, many trace back to customer credentials and personal information falling into the hands of internal employees, who then misuse it.

Where DPDP will intervene is on both fronts. Organizations will be forced to put controls in place for how personal data is stored: it must be anonymized, pseudonymized, masked, or encrypted. And even if an employee has access, they will get junk or unreadable data, or access will be view-only and protected. The chances of customer data — email IDs, phone numbers, bank account details — being freely shared with people who should not have it will drop significantly.

On the external side, going back to the card printer example: with DPDP implemented in the right spirit, a processor should use the data, purge it, and revert. Their ability to subsequently sell or redistribute it — and to allow it to fall into the hands of bad actors — declines considerably.

So the pipeline through which unprotected personal data reaches fraudsters — internally and externally — will, I hope, get cleaned up. That portion of fraud should become much harder to carry out because this data will no longer be openly floating on the dark web.

That said, fraud spans a broad spectrum, and DPDP will not address it all. But the part that is enabled by unauthorized access to personal data — I am very hopeful that will largely go away over time.
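The internal control described in this answer, where an employee who reaches the database gets unreadable or view-only data rather than a usable dump, is usually built as a pseudonymize-by-default access layer. Below is an added Python illustration of that layer, not IDfy's or any customer's code: records, role names and the key are constructed for the demonstration, and the keyed-hash pseudonymization (HMAC-SHA256) is one common choice rather than the only one. It shows an analyst getting joinable tokens, a support agent getting masked values, and raw disclosure refused unless a purpose is recorded.

```python
"""Pseudonymize-by-default access layer: the same customer table served as
joinable tokens, masked view-only values, or raw fields, depending on role,
with raw access requiring a recorded purpose. Added example; the role names,
records and key are constructed for this demonstration."""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records (not real people).
CUSTOMERS: List[Dict[str, str]] = [
    {"id": "c1", "phone": "9876543210", "email": "alice@example.com", "account": "123456789012"},
    {"id": "c2", "phone": "9123456780", "email": "bob@example.org", "account": "987654321098"},
]
PII_FIELDS = ("phone", "email", "account")

# In production this key lives in a KMS/HSM, never beside the data, so a
# holder of the pseudonymized extract alone cannot reverse it. Placeholder.
PSEUDONYM_KEY = b"demo-key-rotate-me"

# Which view each role gets. Raw is reserved for a purpose-logged path.
ROLE_VIEWS = {"analyst": "pseudonymous", "support": "masked", "disclosure_officer": "raw"}

AUDIT_LOG: List[Dict[str, str]] = []


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable across records (joins, dedup and fraud-pattern
    analysis still work) but not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_phone(phone: str) -> str:
    return "X" * (len(phone) - 4) + phone[-4:]


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_account(account: str) -> str:
    return "*" * (len(account) - 4) + account[-4:]


MASKERS = {"phone": mask_phone, "email": mask_email, "account": mask_account}


def view_record(record: Dict[str, str], role: str, purpose: str = "") -> Dict[str, str]:
    """Render one record for a role. Unknown roles get nothing; raw access
    without a stated purpose is refused; every raw access is logged."""
    view = ROLE_VIEWS.get(role)
    if view is None:
        raise PermissionError(f"role {role!r} has no access to customer data")
    if view == "raw":
        if not purpose:
            raise PermissionError("raw access requires a recorded purpose")
        AUDIT_LOG.append({"role": role, "record": record["id"], "purpose": purpose})
    out = {"id": record["id"]}
    for f in PII_FIELDS:
        if view == "pseudonymous":
            out[f] = pseudonymize(record[f])
        elif view == "masked":
            out[f] = MASKERS[f](record[f])
        else:
            out[f] = record[f]
    return out


def export_table(role: str) -> List[Dict[str, str]]:
    """A bulk 'download everything' only ever yields the role's view."""
    return [view_record(r, role) for r in CUSTOMERS]


def leaks_raw_pii(rows: List[Dict[str, str]]) -> bool:
    """Check for tests or DLP: does an extract contain any raw identifier?"""
    raw = {r[f] for r in CUSTOMERS for f in PII_FIELDS}
    return any(row[f] in raw for row in rows for f in PII_FIELDS)


if __name__ == "__main__":
    for role in ("analyst", "support"):
        print(role, export_table(role)[0])
    print(view_record(CUSTOMERS[0], "disclosure_officer", "regulator request PLACEHOLDER"))
    print("audit:", AUDIT_LOG)
```

The `leaks_raw_pii` check is the kind of assertion worth wiring into a release pipeline: run every export path a role can reach and fail the build if any raw phone, e-mail or account number appears, which catches the regression where a new reporting query bypasses the access layer.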

CISO Forum: IDfy has been vocal about the shift toward continuous identity verification. Walk me through what that actually looks like in practice — and what it means for sectors like fintech and insurance that have built entire onboarding pipelines around a single KYC moment.

Malcolm Gomes: Our perspective is that doing KYC upfront — unified KYC and all of that — is fine, but re-KYC alone does not really work if you think about it carefully.

Take an insurance example. When you apply for a life insurance policy, you go through KYC — everyone does. But most life insurers also do something called a PIVC: a video call just before the policy is issued, to confirm you are the same person who applied, that you understand the policy, and that nothing was mis-sold to you. For us, that is a practical example of continuous identity verification. KYC happened and is now mechanical. But for certain customers and use cases, it is critical to periodically verify — through additional techniques — that it is indeed the same person, thereby reducing the scope for bad actors.

Another example: we work closely with Flipkart and Uber. Drivers and riders are onboarded, but on a daily or weekly basis, before someone logs in, we verify that it is actually the same person — so the delivery rider who turns up at your door is who they are supposed to be. In use cases where ongoing identity validation is critical, we believe it must happen, and we have built capabilities to do so in a low-friction manner.

CISO Forum: How close are we to a world where AI-generated identities become genuinely indistinguishable — and what does that do to the economics of trust infrastructure?

Malcolm Gomes: The honest answer is: it is already here. Artificially generated ID documents, passports, photos, videos — they exist and are already being misused by bad actors. It is not a future scenario.

The more basic versions are relatively easy to detect. But the only real answer is to deploy increasingly sophisticated AI and techniques to catch these patterns. On the video KYC and deepfake detection side, we have a good understanding of the markers to look for.

To give a concrete example: in the e-commerce and delivery world, some individuals were using fake or AI-generated images to log in and register for daily or weekly delivery slots. Our capabilities have evolved to detect this — looking at signals beyond just the face, such as what the person is wearing, the background, the time of day, and what the surrounding environment should look like.

The reality is that this is a constant arms race: AI-generated fraud becomes more sophisticated, and the controls and verification infrastructure must stay one step ahead. That is the nature of it, and I do not think it changes.

CISO Forum: At an average breach cost of 19.5 crore in 2025 — up 39% over five years — the financial case for investing in privacy infrastructure is increasingly hard to ignore. Yet many mid-size Indian businesses still treat it as an IT cost rather than a board-level risk. What will it actually take to shift that mindset?

Malcolm Gomes: The analogy I like is this: Two or three years ago, the return on effort for a bad actor targeting an Indian company was not worth it. The ROI — for lack of a better phrase — from ransomware or data theft on Indian enterprises was low. But as the economy has grown and customer data has become richer, India has become a far more attractive target for hackers, dark web actors, and others.

That shift has already happened over the last two to three years. The data Indian enterprises hold is now considerably more valuable than it was. And as a result, both the frequency of incidents and the cost — direct remediation costs and indirect brand damage — have risen sharply.

The mindset is changing. From what we see, organizations are becoming much more careful about their processes and their tools. And DPDP will reinforce that, because the most valuable data for a hacker is precisely customers’ personal data — phone numbers, email IDs, and credit card details. That is what makes headlines when it leaks, and it is the most sensitive from both a regulatory and brand standpoint.

Incidents will continue to increase. But organizations are taking this far more seriously than they were two years ago. The remaining gap is in incident response — knowing what to do if a breach occurs, who to contact, and how to manage it. There is still some distance to cover there. But the seriousness and the effort being invested have changed significantly.

CISO Forum: Banking, fintech, healthcare, e-commerce, HRTech — each sector faces a different DPDP exposure. Which sector do you think is most unprepared for what’s coming, and where do you see the first serious regulatory action landing?

Malcolm Gomes: We work across sectors, so I have a reasonable view of this. The regulated sectors — BFSI in particular — have faced a double push: DPDP on one side and the RBI and IRDAI on the other. Because regulators started asking questions as far back as six to nine months ago, BFSI was forced to move earlier and faster.

By contrast, sectors like FMCG, education, and healthcare are a little further behind. I would not say they have done nothing, but they are later in the race. That said, across every sector we have spoken to, organizations have begun moving. We are not encountering large organizations — in any sector — who are doing nothing at all. Everyone is assessing, forming teams, running internal audits, or already implementing technology and automation.

Six months ago, it was largely BFSI. Today, e-commerce, telecom, fintech, and education — all of them have begun to move, at different speeds and levels of seriousness, but everyone is aware. The deadline is less than twelve months away, boards are informed, and teams are working. BFSI has a head start because they were pushed harder and earlier. That is the main distinction.


CISO Forum: UPI didn’t just digitize payments — it restructured how Indians think about money and trust. If DPDP succeeds, what’s the equivalent structural shift it creates by 2030? And what does India’s digital economy look like if it fails?

Malcolm Gomes: At IDfy, we have a somewhat macro view of this. India has the world’s fourth-largest economy and cannot function without proper data privacy regulation. That is the heart of the matter. When we engaged with relevant government entities, that was the driving argument. And as India aspires to move up that ranking, something like this becomes essential — not only for its own citizens and companies, but, critically, for attracting foreign organizations.

India is effectively a second headquarters for many global companies. A number of them were held back from doing certain work out of India, specifically because there was no data privacy regulation. Banks, telcos, large multinationals — all of them needed this assurance.

Zooming into the present reality: right now, it is a little bit of the wild west. A very crude example — you open a payment gateway to make a purchase, and a pop-up asks for your phone number. That gateway is not authorized to collect it as it does, and even if it were, the data should be used only to send a confirmation SMS and then be purged. The reality is that many such gateways collected that data and sold it — furnishing lists of, say, Mumbai residents who spend more than ₹10,000 a month on movies. There were entire businesses built on the illicit trading of personal data, which also fed directly into fraud.

The result is a trust-deficient digital economy. When an unknown number calls, the first instinct is not to pick up. We do not know who has our data or where it came from. Brands and consumers are operating with significant mutual distrust.

That is the current state. And that is why, by 2030, I see DPDP as the UPI equivalent for the digital economy — not a payments revolution, but a trust revolution. A shift from a trust deficit to a trust-first digital economy, where consumers know what they have consented to, what organizations can and cannot do with their data, and have real recourse when those boundaries are crossed.

What I believe this leads to is deeper engagement — not fewer interactions, but better ones. Instead of receiving hundreds of unsolicited calls and messages, consumers will receive two that they actually want to engage with. And in time, as trust builds — and we have seen this pattern in other markets — consumers may actually volunteer more information, because the environment is safe enough to do so. Right now, the instinct is to withhold. Over time, as trust is established with certain brands, it opens up.

So my answer is: yes, I do believe this will be the UPI equivalent for the digital economy — a shift from a trust deficit to a trust-positive one. Consumers will benefit from more meaningful, controlled engagement. Businesses will benefit from deeper, higher-quality relationships with their customers. That is the outcome I see this building toward.
