In this insightful discussion, Aviral Kulshrestha, a passionate data privacy professional and technical control enforcement expert, shares his perspectives on navigating complex data privacy regulations like GDPR, PDPL, and India’s DPDPA. With experience advising organizations to build robust data protection frameworks aligned with business goals, Aviral brings a practical approach to privacy compliance. He discusses his journey in data privacy, the evolving regulatory landscape, and how organizations can transform compliance into strategic business value while fostering secure digital ecosystems.
Who is Aviral Kulshrestha?
Aviral Kulshrestha is a dedicated data privacy professional currently serving as Lead Analyst – Data Privacy at WNS, a global business process management company. With a strong focus on GDPR, India’s DPDPA, and DPIA, Aviral specializes in helping organizations implement practical data protection frameworks that align business goals with regulatory compliance. He brings technical expertise in privacy risk assessments, policy drafting, and cross-functional collaboration to ensure data security and privacy at every stage. Aviral’s proactive approach and passion for privacy make him a valuable asset in navigating the evolving landscape of data protection regulations.
Q1. Could you share your professional background and what drew you to specialize in data privacy?
Aviral: As a BTech graduate with a background in technology and systems thinking, I was keen to explore how sensitive data is handled by digital systems. Throughout my academic and early professional career, I noticed a recurring trend: organizations were swiftly adopting digital technology, but often without putting equal emphasis on securing personal data.
My interest in data privacy was sparked by witnessing the practical repercussions of inadequate data security. The impact of privacy failures on people and society was brought to light by a high-profile breach in which millions of users’ data was collected without their consent, exposing the private information of users worldwide. When I first started exploring frameworks like the GDPR, I understood that privacy is not only a legal concern but is also closely related to user trust, ethics, and technology. Understanding how technological controls like encryption, access management, and data minimization fit with legal obligations fascinated me as someone with a technical background.
I enjoy the balance that data privacy offers; it requires both legal understanding and technical problem-solving. That’s what drew me to specialize in this field.
Q2. What do you like most about India’s DPDPA?
Aviral: What I like most about DPDPA is its user-centric and forward-thinking approach, especially through features like Consent Managers, the Right to Nominate, and strong Grievance Redressal mechanisms.
One standout provision is the introduction of Consent Managers. This is a very progressive step. Consent Managers are independent, registered entities that help Data Principals give, manage, review, or withdraw consent in an accessible and transparent manner. For a country as digitally diverse as India, this ensures that individuals, especially those not very tech-savvy, still have a meaningful way to control how their data is used.
Another powerful aspect is the Right to Nominate. It allows the Data Principal to nominate another individual to exercise their rights under the Act in case of death or incapacity. I really appreciate this human-centric provision because it respects the continuity of privacy rights and is often missing in other global laws like GDPR.
Lastly, the Act provides a structured grievance redressal mechanism, which mandates Data Fiduciaries to establish a grievance redressal system and respond to complaints within a specified timeline. If the Data Principal isn’t satisfied, they can escalate the matter to the Data Protection Board of India. This layered system empowers users to seek timely remedies while holding organizations accountable.
Together, these provisions make the DPDPA not just a compliance tool, but a framework built on user empowerment, transparency, and accountability, and these are the values I strongly believe in as a privacy professional.
Q3. What do you dislike most about DPDPA?
Aviral: What I dislike most about the DPDPA is the absence of the Right to Data Portability. In today’s digital ecosystem, users should have the ability to easily transfer their personal data from one platform to another. This right is a key feature in global laws like the GDPR, and its exclusion in DPDPA limits user empowerment and makes data control less practical in real-world scenarios.
Q4. How are India’s evolving data privacy laws, like the DPDPA, impacting your role and clients?
Aviral: India’s evolving data privacy laws, especially the DPDPA, are having a significant impact on both my role and the clients I work with. As organizations prepare for compliance, there is a growing demand for privacy-by-design implementation, risk assessments, etc.
For clients, the DPDPA has created both awareness and urgency. Many are realizing that privacy is no longer just a legal checkbox but a strategic business requirement.
The law is also pushing companies to rethink their data life-cycle management, from collection to deletion, and establish processes for handling consent, ensuring purpose limitation, and preparing for future audits or investigations. As a result, my role has become more dynamic, involving cross-functional collaboration with legal, tech, and compliance teams.
In short, the DPDPA is not just shaping the regulatory environment; it’s reshaping how privacy is approached operationally, and it’s making my role more impactful.
Q5. What inspired you to shift from technical roles into a specialized focus on data privacy and compliance?
Aviral: I was drawn to data privacy and compliance because it’s where technology meets real-world impact. Handling personal data responsibly is crucial in today’s digital age, and I wanted to be part of creating ethical and transparent practices that protect individuals. The challenge of navigating evolving regulations while enabling innovation excites me. This field allows me to combine my technical skills with a meaningful purpose: making technology safer and more trustworthy for everyone.
Q6. What challenges do organizations face when trying to embed privacy culture across their teams and leadership?
Aviral: One of the biggest challenges organizations face when trying to embed a privacy culture is the gap in mindset. Many teams still see privacy as a legal or a compliance issue, rather than a shared responsibility. This creates gaps where privacy is handled reactively, rather than being built into systems and processes from the start.
Another challenge is the lack of privacy training across non-legal teams like product, marketing, or engineering. These teams often process large volumes of data but may not fully understand principles like purpose limitation, data minimization, or consent requirements.
Finally, embedding privacy culture requires ongoing effort, not a one-time policy rollout. Organizations struggle to make privacy part of day-to-day decision-making, risk assessments, and design processes. Without continuous awareness and accountability, the culture fades over time.
Q7. In your view, how does DPDPA compare with global frameworks like GDPR?
Aviral: In my view, the DPDPA aligns with global frameworks like the GDPR in spirit, focusing on user rights, lawful processing, and accountability, but it also introduces some uniquely Indian elements that set it apart.
One such innovation is the concept of Consent Managers, which doesn’t exist under GDPR. These are registered entities that help users manage, give, and withdraw consent in a standardized and accessible way. This is especially useful in a country like India with varied digital literacy, making consent more meaningful and easier to manage.
Another notable addition is the Right to Nominate, which allows a Data Principal to appoint someone to exercise their rights in case of death or incapacity. While GDPR covers data subject rights extensively, it doesn’t explicitly address this kind of continuity of control, making DPDPA more human-centric in this regard.
On Grievance Redressal, both laws expect organizations to have a clear mechanism in place. However, DPDPA mandates that organizations respond to grievances within a prescribed timeline, and unresolved complaints can be escalated to the Data Protection Board of India. GDPR has similar provisions, but enforcement is handled by independent Data Protection Authorities.
DPDPA introduces practical, user-focused features like Consent Managers and the Right to Nominate that reflect India’s digital context and have the potential to be strong differentiators if implemented effectively.
Q8. How do you keep up with the fast-changing landscape of privacy regulations across different regions?
Aviral: To keep up with rapidly changing privacy regulations, I stay proactive by regularly monitoring legal updates and following trusted industry news. I engage in discussions to understand how new rules are applied in practice across different regions. Most importantly, I implement whatever I learn by updating processes and advising the teams. This way, I stay agile in managing compliance across jurisdictions.
Q9. What advice would you give to early-career professionals looking to enter the field of data privacy?
Aviral: My advice to early-career professionals is to build a strong foundation in both technology and law, since data privacy sits at the intersection of these fields. Focus on understanding key privacy principles like consent, data minimization, and user rights. Stay curious and keep learning about emerging regulations and privacy-enhancing technologies. Also, seek out practical experience through internships or certifications. Engage with privacy communities and connect with professionals. This will expose you to the real-world challenges and opportunities. Finally, developing strong communication skills so as to explain complex privacy concepts to diverse teams is crucial.