Building Digital Trust: How One Engineer Led Data Governance at Scale

Gramm-Leach-Bliley Act

When people hear "data privacy," they often think of consent checkboxes or long pages of fine print. But beneath those tools lies a deeper infrastructure that decides how long sensitive data is stored, who can access it, and how securely it's destroyed. In industries like finance, where trust is fragile and penalties steep, this infrastructure is foundational.

For one technology leader, building that foundation wasn't just a legal requirement but an opportunity to embed resilience into how data is handled. Thrushna Matharasi, Director of Engineering with experience in healthcare, telecom, and fleet tech, led the technical delivery of GLBA compliance. Her work modernized not only how financial data was protected but also how privacy expectations were met with care.

Privacy with Purpose
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions to safeguard customer data with technical controls and procedural discipline. Many see compliance as a checkbox, but Thrushna and her team used it as a lever to build a more flexible, transparent, people-centric system.

The project stemmed from an internal risk assessment. Legacy systems had been built for short-term needs. Data was stored redundantly, disposal policies were inconsistent, and sprawl increased with new products.

Architecting a System That Could Forget
The most visible part of the solution was structured data disposal: knowing when to delete, how to do it securely, and how to prove it was done. The guiding principle: "If data isn't needed, it shouldn't be sitting around."

The team mapped how customer information moved across systems, tracing transactions and metadata from entry to storage. They uncovered areas where manual overrides or backups had quietly retained sensitive data past its lifecycle.

This effort required both technical scans and cross-department collaboration. As Thrushna noted: "You can't fix what you can't see. And you can't change what people don't understand." Her team built an automated tagging system to flag sensitive data across formats.

Next came automated disposal logic. If a customer was inactive and the data wasn't required for business, legal, or regulatory reasons, it was deleted.
Disposal requires balancing erasure with retention, especially under financial recordkeeping laws.

"Our goal wasn't just to delete data," Thrushna said. "It was to make sure we retained only what was necessary, and nothing more."

Laying a Governance Framework
The project expanded into a governance framework defining who could access what data, under which conditions, and why.

Limited access controls were embedded at the database level with role-based policies tied to identity providers. Combined with audit trails, these gave compliance officers visibility into access patterns.
Contracts reflected new handling expectations, and third-party platforms had to meet the same disposal standards as internal systems. This ensured that data shared externally, whether for marketing, analytics, or support, remained under company control.

Breach response protocols were implemented to align with GLBA. These included 72-hour notification rules, impact assessments, and simulation drills.

Measurable Outcomes
The business impact was significant. The company passed 100% of security and privacy audits, both from external assessors and in strict client reviews. More importantly, it gained a scalable, automated privacy foundation that could support future growth.

Customer data exposure in non-critical systems dropped by over 40% due to tighter access controls and disposal. Redundant storage costs fell by 25% through de-duplication and clean-up.
For engineering teams, predictability improved. Instead of designing features around unclear data rules, they now worked with clear guidelines on what could be collected, where it should go, and how long it should live.

Recognition and Culture Shift
Thrushna's leadership was recognized not just for results but for how she approached the challenge. Instead of creating barriers between engineering and compliance, she built a shared language around data ethics and technical feasibility.

She embedded privacy logic into both codebase and culture, leading workshops on privacy by design, coaching leads on secure defaults, and mentoring juniors on balancing speed with responsibility.

A Model for Modern Governance
Thrushna Matharasi's GLBA work proves data governance isn't about fear of fines. It's about respect for users' information, legal accountability, and responsible engineering. Customers may never see the systems she built, but they feel the impact when their data is protected, their choices respected, and their trust preserved. Quietly. Powerfully. Exactly as it should be.
