In this insightful conversation, Aditi Sharma shares her experience as a legal and data privacy expert working at the intersection of law, technology, and compliance. As a Senior Consultant (Data Privacy) at Grant Thornton Bharat LLP, Aditi brings a rare combination of legal acumen and deep technical understanding. She plays a key role in advising businesses on how to manage privacy risks, navigate global regulations, and build effective compliance strategies under evolving frameworks like the GDPR and India’s DPDPA.
Aditi reflects on the importance of integrating privacy by design into business strategy and how she helps organizations prepare for and respond to regulatory challenges in sectors ranging from finance to e-commerce. With rich academic credentials and international certifications, she is a strong advocate for responsible data governance in the digital era.
Who is Aditi Sharma?
Aditi Sharma is a data privacy professional and technology lawyer, currently serving as Senior Consultant (Data Privacy) – Cyber & IT Risk at Grant Thornton Bharat LLP. She holds multiple global certifications, including CIPP/E, OneTrust Certified Privacy Professional, and expertise in incident management. With an LL.M. in Science & Technology Law, Aditi brings legal and technical depth to privacy compliance. She advises clients on GDPR, DPDPA, and other regulations, conducting privacy audits, managing risk assessments, and supporting ROPA and policy development. Aditi has worked across sectors like finance, healthcare, media, and e-commerce, helping organizations align with global data protection standards. She also contributes to international workshops and publications, championing ethical and effective data governance in today’s digital age.
Q1. Can you share your professional journey and how it led you to work in the field of data privacy?
Aditi: My journey into data privacy has been quite dramatic, shaped by both legal grounding and a deep interest in the evolving tech-policy landscape. I started my career practicing law at the Delhi High Court and district courts, where I worked on cases related to NDPS and cybercrime matters. That exposure made me realize how rapidly technology was outpacing traditional legal frameworks. After transitioning into consulting, I joined Grant Thornton Bharat LLP, where I’ve been fortunate to work across various sectors, helping clients build a practical, future-ready privacy ecosystem. What motivates me every day is the impact of knowing that I’m helping organizations not just comply with the law, but build trust, protect individuals, and navigate one of the most important challenges of our digital age.
But beyond the client side, what really motivates me is the larger impact. Strong data protection laws and ethical data practices are crucial to how India is perceived globally. When companies respect privacy, they build consumer trust. When a country enforces privacy well, it attracts investment, improves ease of doing business, and boosts investor confidence, all of which have direct effects on the economy. Better foreign trust means more FDI, stronger capital markets, and more opportunities for innovation and job creation. That trickles down to improved living standards, increased average income, and a more empowered digital citizen. So, for me, working in data privacy isn’t just a career, it’s a chance to contribute to India’s digital and economic growth story in a way.
Q2. Can you tell us about your work in the data privacy space and your role as a Senior Consultant at Grant Thornton Bharat LLP?
Aditi: In my current role I help clients across sectors build practical, future-ready privacy programs. My role goes beyond legal interpretation, I lead end-to-end privacy gap assessments, design multi-jurisdictional frameworks, draft essential documentation, and support implementation of privacy controls aligned with laws like DPDPA, CCA, PDPA and GDPR. I collaborate with legal, and cyber teams to embed privacy into business operations, vendor ecosystems, and digital products. For me, privacy isn’t just about compliance, it’s about helping organizations build trust, reduce risk, and make privacy a core part of their growth strategy. Overall, my work is about helping clients shift from being reactive to proactive. That’s the lens I try to bring to every engagement, and it’s something I’m genuinely passionate about.
Q3. What do you like most about DPDPA?
Aditi: What I like most about the DPDPA is how thoughtfully it’s been crafted to reflect India’s unique digital reality, while still aligning with global privacy principles. It’s not just a copy-paste of GDPR, it’s a law built for India’s scale, diversity, and pace of digital transformation.
- One thing that really stands out to me is how the Act simplifies consent without diluting its importance. The idea of a consent manager, for example, is quite innovative. It recognizes that not every user has the same level of digital awareness, so instead of overwhelming people with legal jargon, it provides a more accessible way to manage choices. That’s a very grounded, user-first approach.
- Another aspect I appreciate is the way the Act handles cross-border data transfers. Unlike stricter regimes that often default to localization, the DPDPA introduces the concept of notifying trusted countries, which keeps the door open for global data flows while still protecting national interests. It’s a smart middle path, especially for a country like India, that’s positioning itself as a global tech hub.
- And lastly, I like that the Act focuses on building a governance structure like the Data Protection Board instead of just relying on penalties. It shows that the intent isn’t just to punish, but to create accountability and improve digital trust over time. That approach demonstrates maturity in enforcement, and I believe it shapes the direction data regulation is taking in the future.
Q4.What do you dislike most about DPDPA?
Aditi: While it does a great job of modernizing India’s approach to data protection, it still leaves some critical gaps, especially when it comes to checks on government power and transparency.
- One of my main concerns is the broad exemption given to the State. I completely understand the need for flexibility in matters of national interest, but the lack of clear safeguards or oversight mechanisms makes it feel like a step back from the promise of privacy as a fundamental right. In comparison to global standards, this creates an uneven playing field, private companies are held accountable, but government use of personal data isn’t subject to the same scrutiny.
- Another thing that stands out to me is the limited scope of data subject rights. Yes, the Act covers basics like consent, correction, and grievance redressal, but it doesn’t go far enough when it comes to rights around automated decision-making or algorithmic transparency. In a time where AI is shaping decisions that affect everything from credit to healthcare, people deserve more clarity and control.
- And finally, I think the government has left out too much—whether it’s defining “significant data fiduciaries,” deciding which countries can receive data transfers, or even appointing members to the Data Protection Board. This level of discretion, especially in the hands of the executive, can potentially dilute the independence of the entire data protection framework over time.
Q5. Do you believe Indian businesses are prepared to take action under the DPDPA? What gaps do you observe?
Aditi: In my experience, most Indian businesses are aware that the DPDPA is a game-changer, but very few are fully prepared to act on it just yet (irrespective of the fact that draft rules are out). There’s growing intent especially among larger organizations, but the real gaps show up when it comes to execution. Many companies still lack clarity on their data flows, don’t have a central data inventory, and haven’t mapped their third-party risks.
I’ve also seen a tendency to view privacy as just a legal or IT issue, rather than a cross-functional responsibility that involves business strategy, operations, and employee awareness. What’s more, smaller companies often don’t have the internal capability or bandwidth to keep pace with regulatory expectations. That said, the direction is promising. With the right awareness, practical guidance, and sector-specific support, I believe Indian businesses can not only comply with DPDPA but use it as a lever to build stronger digital trust. The law is pushing a mindset shift and that, to me, is the most important first step.
Q6. How do small businesses manage data privacy risks compared to larger organizations?
Aditi: Small businesses often manage data privacy risks very differently from large organizations mostly because of limited resources, lean teams, and competing priorities. While larger firms typically have formal privacy offices, legal teams, and structured governance frameworks (to certain extent), smaller companies rely more on agile, need-based decision-making. That said, the risk is just as real, maybe even greater because one breach or compliance failure can seriously impact their reputation and survival. What I’ve seen work well is when small businesses approach privacy with simplicity and focus by understanding what data they collect, limiting it to what’s necessary, using secure platforms, and being transparent with users. They may not have a dedicated DPO or high-end tools, but with the right guidance and clear privacy practices embedded early, they can build strong foundations that scale as they grow. In fact, I often tell clients privacy isn’t about size, it’s about mindset.
Q7. How important is it for companies to integrate privacy into their business strategies from the beginning?
Aditi: I think it’s essential for companies to integrate privacy into their business strategy right from the start. Today, privacy isn’t just a legal requirement, it’s a trust signal. You tell your users, customers, investors, and even your employees that you take their rights seriously and you’re building something that’s meant to last. When you treat privacy as an afterthought, it almost always leads to problems later, whether it’s in the form of data breaches, reputational damage, regulatory penalties, or just a general loss of user trust. But when you bake it into the strategy from day one, it becomes a strength. It shapes how you build products, how you handle data, and how you make decisions.
You’re also seeing a global shift in this direction. Companies like Apple and Microsoft are now using privacy as a part of their brand identity, and it’s working because people care. Users are becoming more aware, regulators are becoming stricter, and businesses that ignore this shift are taking real risks .On the other hand, companies that invest in privacy early build cleaner, more efficient data practices and avoid expensive fixes down the line. Especially in data-heavy sectors like AI, fintech, or healthcare, this kind of early integration can save a company from massive headaches and position it as a leader in responsible innovation.
Q8. How is DPDPA shaping India’s data privacy approach, and what changes do you see coming in the next few years?
Aditi: In my view, the DPDPA is a major inflection point in how India approaches data privacy, it signals a shift from fragmented, sectoral thinking to a more unified, rights-based framework. What’s unique is that it’s happening in parallel with India’s rapid digital growth from UPI to AI and against a backdrop of increasing geopolitical tensions and cyber vulnerabilities. With the current situation at the borders and the rise in digital threats from state and non-state actors, data sovereignty and national security have become deeply intertwined with privacy.
The Act reflects that, especially in the way it empowers the government in certain areas while also attempting to build public trust through consent and accountability mechanisms. Over the next few years, I expect to see a maturing of this balance tighter enforcement, sector-specific rules, more clarity on cross-border data transfers, and a push toward operationalizing privacy by design across organizations. We’ll also see privacy increasingly intersect with AI ethics, cybersecurity, and national policy making it not just a compliance issue, but a critical part of India’s digital and strategic future.
In Summary
Aditi Sharma’s work shows how important it is to combine legal skills with a practical understanding of technology and business. At Grant Thornton Bharat LLP, she helps companies build strong privacy systems that follow laws like DPDPA and GDPR. Her focus on making privacy a part of business from the start helps companies build trust, stay ahead of risks, and grow responsibly. As privacy becomes more important in India’s digital future, Aditi’s guidance is helping shape smarter and safer ways for organizations to handle data.
