In this insightful conversation, Prakash Mizar, Data Protection Officer at Skyworks Solutions, shares his journey from software development to becoming a leader in data protection and compliance. With hands-on experience across software, cybersecurity, and privacy frameworks, Prakash brings a practical perspective on building trust in digital ecosystems. In this interview, he discusses India’s DPDPA, the evolving privacy landscape, and how organizations can prepare for compliance while maintaining operational efficiency. He also highlights the common challenges companies face and shares his vision for fostering a culture of privacy by design in businesses today.
Who is Prakash Mizar?
Prakash Mizar is the Data Protection Officer at Skyworks Solutions, Inc., where he leads privacy and compliance initiatives to ensure robust data protection practices. Starting his career in software development, Prakash developed a deep understanding of how data flows within systems and the vulnerabilities that can arise without proper safeguards. His transition into cybersecurity and eventually data protection was driven by a commitment to holistic privacy, recognizing that technical controls alone are not enough without clear policies and employee awareness. Today, he combines his technical expertise and regulatory knowledge to help organizations navigate global privacy regulations, including GDPR and India’s DPDPA, while fostering a culture of accountability and trust.
Q1. Can you briefly share your professional journey and what led you to focus on data protection and compliance?
Prakash: My professional path began in software development. I spent several years immersed in building applications, writing code, and understanding the intricate logic behind various systems. This experience was foundational, providing me with a deep understanding of how data flows within an application, how it’s stored, and the potential vulnerabilities that can arise from the ground up. I learned to appreciate the importance of secure coding practices and the impact of design choices on data integrity. Eventually, my career naturally progressed into cybersecurity engineering. I was drawn to the challenge of defending systems against malicious attacks, identifying weaknesses, and implementing robust security measures.
It was during my time in cybersecurity that I started to see recurring patterns: even with strong technical security controls in place, human error and a lack of clear policy often remained the weakest links. I witnessed firsthand how a misconfigured system, an unaware employee, or a poorly defined process could undermine even the most sophisticated security technologies. This realization, coupled with the increasing global emphasis on data privacy regulations like GDPR and CCPA, sparked my interest in data protection and compliance. I began to see that true data security wasn’t just about firewalls and encryption; it was about a holistic approach that encompassed legal frameworks, organizational policies, employee training, and a deep understanding of data lifecycle management. What truly led me to focus on this area was the profound impact of data breaches on individuals and businesses.
Q2. What do you like most about DPDPA?
Prakash: What I appreciate most about the Digital Personal Data Protection Act (DPDPA) is its focus on a principles-based approach to data protection. Rather than being overly prescriptive, it lays down clear foundational principles like purpose limitation, data minimization, and accountability. This allows for flexibility in implementation across diverse business operations while still upholding robust data privacy standards. The DPDPA’s recognition of the “Data Fiduciary” and “Data Principal” roles clarifies responsibilities and rights, fostering greater transparency and trust. Finally, the establishment of the Data Protection Board provides a structured mechanism for redressal and enforcement, ensuring accountability and promoting a culture of data privacy within organizations.
Q3. What do you dislike most about DPDPA?
Prakash: As a DPO, while the Digital Personal Data Protection Act (DPDPA) 2023 is a welcome and necessary piece of legislation, one aspect I find most challenging is the ambiguity surrounding certain implementation details and the potential for a steep learning curve for businesses, especially SMEs. While the principles are clear, the lack of immediate, granular guidance on specific technical and organizational measures required for compliance, particularly concerning significant data fiduciaries and cross-border data transfers, creates uncertainty. This necessitates a proactive and often interpretative approach to compliance, which can be resource-intensive and expose companies to potential missteps until more definitive regulations or precedents emerge. This ongoing “wait-and-see” for detailed rules can be a source of frustration.
Q4. What do you find most exciting about India’s DPDPA and how it could affect businesses?
Prakash: What I find most exciting about India’s DPDPA is its dual focus: empowering individuals with significant control over their data while simultaneously fostering a more trustworthy digital economy for businesses.
For individuals, the emphasis on explicit, informed consent and the right to access, correct, and erase their data is truly transformative. This shifts the power dynamic, making data principals active participants rather than passive subjects.
For businesses, while compliance will require significant effort and investment, the exciting prospect lies in the increased trust and transparency it can cultivate. Companies that genuinely embrace privacy-by-design principles and prioritize data security can build stronger customer relationships.
Q5. What are your thoughts on the evolving data protection regulatory landscape in India with the introduction of DPDPA?
Prakash: The introduction of the DPDPA marks a significant evolution in India’s data protection landscape. Previously, India lacked a comprehensive, standalone data privacy law, relying on scattered provisions. The DPDPA introduces a robust framework, focusing on individual consent, data principal rights (like access, correction, and erasure), and obligations for data fiduciaries. It broadens applicability to all digital personal data processing within India, with extraterritorial reach for entities offering goods or services to Indian residents. Key changes include stringent consent requirements, the establishment of the Data Protection Board of India for enforcement, and substantial penalties for non-compliance. While similar to GDPR in principles like purpose limitation and data minimization, DPDPA is more consent-centric and introduces the concept of “Significant Data Fiduciaries” with enhanced obligations. This shift demands greater accountability from businesses and fosters a culture of privacy by design, ultimately aiming to build greater trust in India’s digital economy.
Q6. From your experience, what common gaps do you observe in organizations’ readiness for DPDPA compliance?
Prakash: From my experience, several common gaps hinder organizations’ readiness for DPDPA compliance:
- Underestimation of technological investment.
- Inadequate data mapping and inventory.
- Weak consent management.
- Insufficient data principal rights mechanism.
- Limited third-party risk management.
- Lack of employee training and awareness.
- Immature incident response plan.
Q7. How can organizations prepare their data protection frameworks for DPDPA compliance without disrupting operations?
Prakash: Preparing for DPDPA compliance without disrupting operations requires a strategic, phased approach from a privacy professional’s perspective. First, conduct a thorough Data Protection Impact Assessment (DPIA) to identify high-risk areas and data processing activities impacting Indian residents. This pinpoints compliance gaps proactively. Simultaneously, establish a cross-functional compliance team including legal, IT, and business units. This fosters shared responsibility and streamlined decision-making. Develop clear, concise data protection policies and procedures, focusing on data minimization, purpose limitation, and consent mechanisms. Implement these incrementally, providing comprehensive training to all employees. Leverage technology: automate data mapping, consent management, and data subject access requests where possible. Prioritize re-papering vendor contracts to ensure DPDPA-compliant data processing agreements. Phased implementation, starting with critical systems and high-volume data sets, allows for adjustments and minimizes operational disruption while building a robust and compliant data protection framework.
Q8. How can third-party risk management practices evolve to meet DPDPA obligations?
Prakash: From a privacy professional’s perspective, third-party risk management (TPRM) must significantly evolve to meet DPDPA obligations. Under the DPDPA, Data Fiduciaries hold direct accountability for ensuring their third-party Data Processors remain compliant. Key evolutions include:
- Training and awareness.
- Enhanced Due Diligence.
- Robust Data Processing Agreements (DPAs).
- Continuous Monitoring and Audit.
- Incident response integration.
Q9. How do you approach conducting Data Protection Impact Assessments (DPIA) effectively, and what common gaps do you observe during these assessments?
Prakash: As a privacy professional, my approach to effective DPIAs is systematic and collaborative. Firstly, I advocate for early integration. A DPIA shouldn’t be an afterthought but rather initiated at the project’s inception when processing activities are still being defined. This proactive stance allows for privacy-by-design principles to be embedded from the ground up, making remediation far less disruptive and costly. Secondly, robust stakeholder engagement is crucial. This involves not only legal and privacy teams but also IT, security, business owners, and external vendors if applicable. Diverse perspectives ensure a comprehensive understanding of data flows, technical controls, and potential impacts. I facilitate workshops and clear communication channels to ensure all relevant parties contribute meaningfully. Regarding common gaps, I frequently observe insufficient scope definition, leading to missed processing activities or data types. Another prevalent issue is a lack of granular risk assessment; risks are often identified but not thoroughly evaluated for their likelihood and severity, hindering effective mitigation. Finally, inadequate documentation of decisions and justifications is a recurring problem, undermining accountability and future review.
Q10. Given your experience in risk management and compliance, how do you see the role of GRC frameworks evolving in the data protection landscape?
Prakash: In the evolving data protection landscape, GRC frameworks are shifting from being static checklists to dynamic, integrated systems. From a privacy professional’s perspective, this evolution is critical. Previously, GRC focused on demonstrating compliance post-facto. Now, it’s about embedding privacy-by-design and privacy-by-default principles proactively. This means GRC frameworks must facilitate real-time risk assessments, automated control monitoring, and agile policy management to keep pace with rapidly changing data regulations (like GDPR, CCPA, and emerging AI regulations). The emphasis is on continuous monitoring and adaptive strategies, leveraging AI and machine learning for predictive risk identification and anomaly detection. Furthermore, GRC needs to bridge the gap between legal requirements and operational implementation, ensuring accountability across the data lifecycle, from collection to deletion, thereby fostering a culture of privacy throughout the organization.
Q11. What has been the most rewarding part of your journey in data protection and compliance so far?
Prakash: The most rewarding aspect of my journey in data protection and compliance has been witnessing the tangible impact of my work on both individuals and organizations. It’s incredibly satisfying to know that I’m directly contributing to building a more trustworthy digital environment.
Closing Summary
Prakash Mizar’s journey reflects the evolving nature of data protection, moving beyond technology into culture, accountability, and trust-building. Moreover, his insights into DPDPA and practical frameworks for compliance highlight the importance of privacy-by-design in today’s data-driven environment. As India moves toward a compliance-first digital economy, professionals like Prakash play a crucial role in guiding organizations to not only meet regulatory expectations but also build systems that respect individual privacy and enable business growth. His commitment to creating safer digital spaces offers a clear example for those aspiring to make an impact in the privacy and compliance landscape.