Interview with Aishwary Gupta on Building AI-Driven Privacy Compliance Across GDPR, CCPA, and India’s DPDPA

From starting his career in contract management to becoming a recognised voice in global data privacy, Aishwary Gupta’s journey has been shaped by curiosity, hands-on problem solving, and a drive to make compliance practical. His first brush with privacy came in 2018, when GDPR had just taken effect globally and India was in the middle of landmark privacy debates. Since then, he has worked across GDPR, CCPA, and India’s DPDPA, building AI-driven compliance programs, integrating privacy by design into products, and mentoring the next wave of privacy talent. Today, his work spans strategy, technology, and training, making privacy not just a legal requirement but a competitive advantage for businesses.

Who is Aishwary Gupta?

Aishwary Gupta is a privacy and compliance expert with global experience across GDPR, CCPA, and India’s DPDPA. He has led large-scale privacy automation initiatives, most notably at Neiman Marcus, where he implemented AI-driven solutions for data subject requests, DPIAs, and vendor risk assessments. As Co-founder of CKonnect, he is bridging the skills gap in privacy by creating India-focused, practical training programs for aspiring professionals. Known for balancing legal nuance with technology automation, Aishwary helps organisations embed privacy into their culture, operations, and products. His expertise cuts across sectors and geographies, with a focus on building scalable, trust-driven compliance frameworks.

Q1. What first drew you toward the field of data privacy and compliance? Was there a specific moment or challenge that sparked your interest?

Aishwary: I started my career in 2018 with a contract management role and had no idea I’d eventually get into data privacy. Around the same time, GDPR came into effect globally, and in India, the Supreme Court recognised the right to privacy during the Aadhaar case. That caught my attention and made me curious, what is this “privacy” and why is everyone talking about it?

While working on contracts, I kept coming across Data Protection-related clauses, which pushed me to dig deeper. Later, I got a project where I had to help build a tool that could auto-generate privacy notices for companies being compliant with the data privacy regulations. I ended up reading dozens of privacy notices, studying how they were structured, and creating a data model for our tech team. That project really pulled me into the privacy space, and since then, I’ve never looked back.

Q2. What do you like most about DPDPA?

Aishwary: What I really like about DPDPA is that it puts consent at the center of everything. It clearly sets the expectation that if consent is managed properly, companies are on the right track. I also appreciate how the law introduces the concept of a Consent Manager, which helps make the process of giving and managing consent more transparent and user-friendly. It brings a much-needed layer of accountability and accessibility, especially in a diverse country like India where digital literacy varies greatly.

Another positive aspect is that DPDPA empowers individuals without making compliance too rigid for businesses. This balance ensures that privacy rights are protected while still allowing innovation and digital growth. Overall, the Act sends a strong message that individuals should be in control of their data and that’s the direction privacy laws should move toward.

Q3. What do you dislike most about DPDPA?

Aishwary: One thing I personally feel is missing in the DPDPA is the distinction between personal data and sensitive personal data. In my opinion, this is a very important gap, because not all data types carry the same level of risk. For example, if someone’s email ID is leaked, the impact is far less severe compared to the misuse of biometric information, which is used in critical areas like banking, Aadhaar authentication, etc.

When there’s no classification between normal and sensitive data, it becomes difficult to apply the right level of protection. Either companies will end up over-protecting low-risk data, or they might under-protect highly sensitive information, because the law treats both equally. This lack of clarity can create confusion and even lead to non-compliance without intent.

Also, if DPDPA applies higher restrictions uniformly across all personal data, it might become difficult for organisations to manage operations efficiently. Having a clear distinction would have allowed companies to prioritise and allocate resources properly, ensuring higher safeguards where needed, while keeping things practical for day-to-day data processing.

So, from both a compliance and risk-management perspective, I believe a clear categorisation or at least some guidance around data sensitivity should have been included in the Act.

Q4. You’ve worked with global laws like GDPR and CCPA. What stands out to you about DPDPA’s structure and obligations from an Indian context?

Aishwary: What stands out to me most about DPDPA is how it’s built around India’s vision of becoming a digitally empowered economy. Unlike GDPR or CCPA, which came from already mature data governance ecosystems, DPDPA is arriving at a time when most Indian businesses, whether real estate companies, hospitals, or even small startups, are just beginning to manage personal data in a structured digital format.

DPDPA doesn’t just regulate data, it pushes businesses to completely rethink how they collect, store, and process it. In sectors where data is still scattered across paperwork or unstructured systems, the Act brings in much-needed accountability. It compels organisations to shift toward secure, purpose-driven, and consent-based data practices. This is not only good for user trust, but also encourages businesses to operate in a more organised and future-ready way.

From a compliance perspective, I see this law not as a burden, but as an opportunity for Indian companies to build responsible data cultures from the ground up, something that will only grow in relevance in the years to come.

Q5. Tell us about your work with CKonnect. How did the idea originate, and what gaps are you solving in the privacy training space?

Aishwary: The idea for CKonnect came from a simple observation: while the demand for privacy professionals is rising, there’s a clear lack of practical, accessible, and India-focused privacy training. Many newcomers, especially freshers or legal professionals moving into tech, find it challenging to understand and apply complex laws like GDPR, CCPA, and now DPDPA.

My own path into privacy was entirely hands-on and self-taught, shaped by real-world compliance work. I realized that if a structured, practical learning platform had existed earlier, it would have made the journey smoother for me and many others. CKonnect aims to fill that gap and build a strong privacy talent pool in India because in the near future, privacy won’t be optional, it will be essential to how organizations operate.

Aishwary: When building privacy compliance programs, I see legal nuance and technology automation as partners, not opposites. Legal frameworks like GDPR, CCPA, and DPDPA each have their own specific obligations, but at their core, they’re all about protecting individuals’ rights and building trust.

My approach is to first break down the legal requirements into operational tasks, clear, actionable steps that a system can execute. Then, I use automation to handle the repetitive, high-volume, and time-sensitive parts, things like data mapping updates, DSAR workflows, consent management, and breach notifications.

However, automation doesn’t replace the human element. The ‘legal nuance’ part comes in when interpreting grey areas, adapting to jurisdictional overlaps, and making judgment calls that a machine can’t. So, I design the process so that technology does the heavy lifting, while legal expertise provides oversight and context.

This way, compliance isn’t just a tick-box exercise; it’s an agile, scalable framework that works across multiple jurisdictions without losing the depth of legal interpretation.

Aishwary: Honestly, my approach is pretty simple but very structured. I believe Privacy by Design is not just a “compliance checkbox”; it has to be part of the mindset across all teams. So, I usually start by making sure everyone speaks the same language when it comes to privacy; product, legal, security, everyone needs to understand what privacy risks look like in their own scope of work.

From there, I work cross-functionally from the very start of the project, not after things are built. With the product team, it’s about embedding privacy requirements into the design phase itself.

With the legal team, I focus on aligning business goals with regulatory requirements so there’s no conflict later. And with security, it’s more about ensuring that technical safeguards support the privacy promises we make; encryption, access controls, monitoring, etc.

Overall, it’s a collaborative loop, continuous discussions, risk assessments at each milestone, and making privacy impact analysis a natural part of the workflow, not a bottleneck.

Q8. What advice would you give Indian companies just beginning their DPDPA compliance journey?

Aishwary: If I had to give one piece of advice to Indian companies starting their DPDPA compliance journey, it would be, don’t treat it as just a legal formality. This law is not just about ticking checkboxes; it’s about building trust with your customers in a digital-first India.

Start with mapping the personal data you collect, know exactly what data you have, where it’s stored, and why you’re using it. The DPDPA is consent-centric, so put strong processes in place to get, manage, and withdraw consent in a transparent way. If you can, appoint someone internally or work with a Consent Manager early on, it will make your life much easier later.

Also, remember the law gives individuals clear rights over their data. Be ready with simple, user-friendly ways for people to exercise their rights, whether they want to access their data, correct it, or request its deletion.

Lastly, don’t wait until the last minute. Even small steps now, like updating privacy notices, training your teams, and setting up internal processes, will put you miles ahead. Compliance under DPDPA isn’t just about avoiding penalties; it’s about showing your customers that you respect their privacy and take it seriously. And in today’s market, that’s a huge competitive edge.

Q9. What do you think Indian startups and SMEs often get wrong about DPDPA readiness? How would you approach compliance differently for a lean startup?

Aishwary: From what I’ve seen, a lot of Indian startups and SMEs think DPDPA compliance is something they can “do later” once they’ve scaled. That’s a big mistake. The longer you delay, the messier it gets, because your data practices get deeply tied into your systems and workflows. Fixing it later is always more expensive and complicated.

Another thing they often get wrong is thinking compliance is only about legal paperwork. In reality, DPDPA is about how you collect, store, and use personal data every single day and whether you can clearly show you have the individual’s consent for it.

For a lean startup, I’d say keep it simple: map what personal data you collect, get proper consent in plain language, and store only what you really need. Build basic processes for responding to data access or deletion requests, even if it’s manual at first. If you bake these practices into your product and operations early, you won’t just be compliant, you’ll also build trust, which is priceless for a growing business.

Aishwary: I think most Indian organizations are not fully ready for the pace at which AI governance is going to evolve. Right now, AI is being adopted in almost every sector, but very few companies have proper frameworks to ensure it’s used ethically, transparently, and without bias. Globally, we’re already seeing laws like the EU AI Act setting strict requirements on risk assessments, human oversight, and transparency and it’s only a matter of time before similar expectations reach India.

When it comes to automated privacy operations, the gap is even bigger. Many companies still rely on manual processes for data mapping, consent tracking, or handling user rights requests. But with AI-driven automation becoming the norm, organizations that don’t start building scalable, tech-driven compliance systems now will find it very hard to keep up later.

The way forward is to treat AI governance and automated privacy not as “future problems” but as part of today’s strategy; starting small, but laying the right foundations for accountability, transparency, and trust.

Q11. How do you see the role of privacy professionals evolving over the next 5 years, especially with AI, global laws, and automation expanding so rapidly?

Aishwary: In the next five years, the job of privacy professionals will move from just giving advice to being part of the day-to-day running of a business. With AI, automation, and new privacy laws coming in, companies will expect privacy teams to work closely with product, legal, and security teams. The aim will be to build privacy into systems and processes from the start, not add it later. This means privacy work will be less about just knowing the law and more about making sure the business can follow it in real life while still moving forward.

At the same time, the way people judge who is a “good” privacy professional is changing. Earlier, it was mostly about theory and passing exams, but now companies want people who can actually make privacy work in real situations. They are looking for professionals who can design processes, set up consent tools, and manage compliance across different laws from day one. The future will belong to those who can combine legal knowledge with the skills to put it into action in fast-moving, technology-driven businesses.

Q12. What role do you think mentorship plays in shaping the next generation of privacy and risk professionals?

Aishwary: I think mentorship is one of the most important things in shaping the next generation of privacy and risk professionals. You can read all the laws and attend all the trainings, but nothing replaces guidance from someone who has actually done the work, faced real challenges, and built solutions from the ground up. Privacy is not just theory; it’s practical, and it’s constantly changing with technology and new regulations.

The real value comes when experienced professionals, those who have been working hands-on in privacy from day one, share their learnings, mistakes, and best practices with others. This kind of mentorship can help new professionals avoid common pitfalls, understand how privacy works in real business environments, and build the right mindset from the start. In the end, strong mentorship creates confident, capable privacy leaders who can carry the field forward.

Closing Summary

Aishwary Gupta’s career is proof that privacy is no longer just about legal compliance; it’s about building trust, enabling innovation, and creating systems that work in the real world. From rolling out AI-powered compliance programs to mentoring India’s future privacy leaders, he combines global best practices with a deep understanding of the local regulatory landscape. As India prepares for DPDPA enforcement, his approach is clear: start early, keep it practical, and make privacy a part of the business DNA. In an era of rapid AI adoption and evolving global laws, Aishwary stands out as a leader who can turn complex regulations into actionable, scalable strategies that empower both organisations and individuals.
