About Gaurav Mehta
Gaurav Mehta, co-founder of Concur, is a seasoned technology expert with 12+ years of experience in emerging technologies, specializing in auditing, compliance, forensics, data privacy, and cybersecurity. A TEDx speaker and ex-visiting faculty at the National Academy of Direct Taxes, he has trained officers in cyber investigations and financial forensics. He has worked with central and state law enforcement agencies on cyber and auditing domain. Recently, he was honored him with multiple accolades, including the Privacy Knight Award 2024 from Foundation of Data Protection Professionals in India. He believes that true privacy comes from practical implementation, robust technological solutions, and seamless compliance—rather than relying solely on policy advocacy.
Q: Tell us something about your work in data privacy space?
Answer: I’ve never considered myself particularly strong in data privacy – especially since I enjoy gossiping, which often leads to sharing personal and sensitive information. Thankfully, my friends have learned that anything disclosed to me comes with its own risks, so they’ve become quite careful about handling data!
In my personal life, my approach to privacy may be questionable, but professionally, I take a completely different stance. Over the past seven years, I have worked with law enforcement agencies, forensic investigations, and other sensitive assignments, which have highlighted how often people take data privacy for granted in the digital space. Technology overlords have repeatedly abused this, making intervention necessary. I’m pleased to see that governments are stepping up with robust legislation, particularly the Digital Personal Data Protection Act. I believe this law will soon set a global benchmark as it is designed to evolve with the changing digital landscape—something the world urgently needs.
Q: What motivated you to move to Data Privacy Space?
Answer: It was more of a necessity than a planned journey. While working on auditing assignments, we realized we were handling vast amounts of sensitive data on online platforms and needed better ways to manage and protect it. That’s when I came across the Personal Data Protection Bill released in 2022. What started as a simple curiosity quickly turned into a deep dive – I got completely drawn into the complexities of data privacy. And here we are, three years later, still navigating this ever-evolving space but this time in form of solution for people.
Q: What drives you to build in domain of privacy?
Answer: There wasn’t a specific driving factor behind building in the privacy domain; it simply felt like a citizen’s responsibility. When we first read the draft Personal Data Protection Bill in 2022, the government’s strong vision was clear. Yet, we saw a noticeable gap between the vision and its technological implementation — and we jumped in.
With the digital space evolving rapidly, governments naturally take time to build frameworks. It became clear that bridging this gap swiftly would fall on private organizations that thrive on innovation. For us, the bill was a blueprint — a statement of work — and we began building as soon as the law was enacted. There was no grand motivation, just a simple mandate to contribute where it mattered.
Q: What is Concur – Consent Manager?
Answer: Concur is a responsibility and hope of 800 million data principals! To put it simply, Concur is the third-party Consent Manager envisioned under the DPDPA, tasked with assisting citizens manage consent and ensuring that personal data is respected. In many ways, we serve as an extension of the data principal in the digital space – acting as a digital notary and digital attorney, witnessing and safeguarding the data agreements between data principals and data fiduciaries. Our role is to empower individuals as envisaged in the law, giving them control over their personal data and how organizations process it. While we may look like just another startup, at our core, we are much more—a trusted intermediary ensuring privacy, transparency, and accountability in the digital world.
Q: How DPDPA is different from international privacy laws?
Answer: When comparing the DPDPA to the GDPR—widely seen as the gold standard—I believe India has taken a groundbreaking approach by addressing practical gaps that affect data principals directly.For instance, ask an EU citizen where their personal data is stored, and most will name platforms like Facebook or Instagram. Yet, they often overlook the hundreds of other websites where they’ve shared data. In reality, individuals must remember their entire digital footprint to control their personal information effectively. India’s Consent Manager solves this by giving data principals a 360-degree view of their personal data and its processing. This enables them to exercise control with full awareness, without relying on memory. We believe this framework could become India’s next global innovation, much like UPI, and set a new benchmark for privacy management worldwide.
Q: What you like most about DPDPA?
Answer: Not defining what personal data is was the smartest move for me. As technology evolves, the boundary between personal and non-personal data will increasingly be shaped by organizations rather than by law. What qualifies as data linked to an individual is a function of technological progress – not legal definitions.
Another thing I value is the concept of third-party consent managers. They remove the hassle of tracking where data and related information are stored. What’s exciting is that consent managers ensure data principals fully understand what they need to know. From sharing data to dealing with worst-case scenarios like data breaches, consent managers help both data fiduciaries and data principals minimize impact through quick notifications and relevant actions.
Q: What you dislike most about DPDPA?
Answer: The first challenge lies in the complexity of parental consent. One of the toughest aspects of DPDPA is requiring parental consent for minors, especially when a significant portion of Indian families lack digital literacy. Enforcing this in rural and underprivileged communities is difficult and risks unintentionally excluding many children from digital education and awareness, worsening the digital divide.
The second challenge is the effectiveness of the ₹250 crore penalty. While the fine appears strict on paper, its practical enforcement raises concerns. Identifying violations, completing investigations, and navigating lengthy legal battles could push enforcement timelines into the next decade. By then, companies may have already exploited regulatory gaps and profited from non-compliance. Without timely action, the law’s deterrent effect could weaken, allowing violations to continue unchecked.
Q: What problems you think business will face in upcoming months?
Answer: The compliance journey under DPDPA will be new for everyone, but to gain deeper insights into the disruptions businesses will face, we need to analyze them based on their approach to data privacy and compliance preparedness. We categorize businesses into four key segments:
1. Introvert Businesses – Businesses that are inward-looking and already operate with a high level of awareness regarding data collection, processing, and minimization. Example – Large B2B enterprises, multi-jurisdiction, regulatory-driven organizations, and research firms that handle data responsibly as part of their core operations.
2. Extrovert Businesses – Businesses that have high customer engagement and are directly affected by customer trust. These organizations collect and process large volumes of personal data to offer services. Example: Banks, insurance firms, fintechs, healthcare providers, and e-commerce platforms.
3. Chattery Businesses – Organizations that extensively share personal data with third-party processors.
4. Bullying Businesses – Companies that have exploited regulatory gaps, abuse data principals and take a reactive approach to compliance will have most to lose from DPDPA disruption. Extrovert business & Bullying business will face highest problems.
Q: What will be detrimental factors for DPDPA to be success?
Answer: Awareness. Access & Amount i.e. cost of compliance! Awareness will shape the success of DPDPA. Awareness isn’t just about data fiduciaries knowing their obligations — it’s equally about data principals understanding their rights and demanding compliance. Without public awareness, enforcement will fall short.
Access to technology and compliance tools is equally vital. Data fiduciaries, processors, and the government need strong infrastructure to make compliance a practical reality, not just a legal requirement.
Finally, the cost of compliance will decide how far DPDPA reaches beyond large corporations to MSMEs and startups. For smaller businesses, the financial burden of Aadhaar verification, digital lockers, and other technical mandates could make compliance feel costly and unattainable. If these costs rise further, industry pushback may follow, threatening DPDPA’s adoption. Striking a balance here is key to making the law workable for all.
Q: Where do you envision Concur in upcoming years?
Answer: In the next 3 years, Concur aims to represent 400 million data principals and ensure that 1 lakh data fiduciaries are DPDPA compliant.
