In this engaging conversation, Ketan Modh, an acclaimed privacy advisor, bestselling author, and data protection expert, shares his deep insights into the evolving world of data privacy, cybersecurity, and governance. With a rich academic background holding double PhDs in information policy and law and hands-on experience advising companies across India, the EU, and the US, Ketan has become a leading voice on privacy issues. His recent book, Privacy Matters, aims to demystify India’s DPDPA and global data protection challenges, making complex topics accessible to both professionals and everyday users. In this interview, Ketan discusses his motivations, the gaps he sees in the privacy field, and his vision for a future where individuals have stronger control over their personal data.
Who is Ketan Modh?
Ketan Modh is an internationally recognized data protection professional, privacy advisor, and bestselling author. With dual doctorates in information policy and law from the University of Malta and the University of Groningen, he combines academic rigor with practical expertise. Ketan specializes in helping companies navigate regulatory landscapes across India, the EU, and the US, conducting impact assessments, advising on data breaches, drafting privacy policies, and delivering privacy training. Beyond his corporate advisory work, he has contributed to major international projects, including work with the United Nations Special Rapporteur on privacy rights. His latest book, Privacy Matters, breaks down the complexities of India’s DPDPA and global privacy laws, helping individuals and organizations understand how to better protect personal data in the digital age.
Q1. Can you share your journey and what motivated you to specialize in data privacy and data protection?
Ketan: I’ve been a tech enthusiast since I was a kid, but I had set that aside while getting my degree from NLU, Jodhpur focused on corporate law. I was sure there was no scope in merging my passion for technology and law together back then. I was pleasantly surprised when my first job at Thomson Reuters required me to negotiate complex technology agreements for a Fortune 50 company – for licensing, customizing, and ‘hosted applications’ (before the cloud was a thing). My visit to the client’s office in the US led me to meet their subject matter expert on data privacy and information security in 2014, which is when I realized how deep I could go in the field. Technology was everywhere, and I wanted to learn even more about its governance – or how technology changed societies.
This led me to pursue a masters at Leiden University with a scholarship, and let me meet my professor in data privacy, Prof. Gerrit Jan-Zwenne. He was someone deeply involved in drafting the legislation that we now know as the GDPR. Our conversations led me to believe that I myself could pursue the field of data protection. I was lucky enough to be accepted as a Marie Curie Fellow for a European Commission-funded project on security science. My supervisors were Prof. Joe Cannataci, then UN Special Rapporteur on the Right to Privacy, and Prof. Hans Vedder, Professor in Economic Law and Judge in the Netherlands. It was through their guidance that I gained knowledge of the field as I completed my double doctorate in information and policy law.
Finally, after a long stint at the University of Malta, ending as a Lecturer (our equivalent of Assistant Professor), where I taught and trained hundreds of students on privacy, I saw India was finally close to passing its own data protection law. This led me to move back so I could contribute usefully by protecting people’s data while also enabling businesses to do what they needed to succeed. I’ve written “Privacy Matters: Navigating the Data Protection Maze” as a distillation of these 12 years of experience in the field to help individuals and corporations on their data protection journey.
Q2. What do you like most about DPDPA?
Ketan: The DPDPA is India’s most significant step towards protecting Indians’ personal data. We are beset by intrusive, personalized marketing everywhere, and the DPDPA finally gives people the ability to consent – or withdraw their consent – to it. It also enables companies to develop trust with their consumers by ensuring that they secure any personal data they do have access to, thus improving their credibility not just within India, but worldwide. The importance of data, and increasingly, its use in generative AI, is going to keep shooting up. It’s high time that a country of 1.5 billion has something in place to deal with this in a lawful and just manner. I believe the DPDPA is the best foot that the government could have put forward. It’s finally increasing awareness in individuals and corporations. As I say in my book, the right to privacy is like a muscle – the more you exercise it, the stronger it gets. And the DPDPA finally enables that and doesn’t simply relegate it to a constitutional right requiring expensive litigation to exercise.
Q3. What do you dislike most about DPDPA?
Ketan: Consent has taken too prominent a role in the law. You have to be informed to give consent, but in a lot of cases, you really can’t understand what happens to your data, or you don’t have a real choice. The imbalance of power between a company offering services, and an individual who deeply needs those services, is too great in a lot of cases. This is why other laws, such as the GDPR, clearly spell out the need for privacy by design AND default – if you don’t know what you’re doing, your personal data should still be protected. Both of these ideas are missing from the DPDPA. It only requires companies to have reasonable security safeguards and appropriate technical and organizational measures; but no mention of privacy by design at all.
Second, the law has too many loopholes for the government. One way that other countries set limits on government overreach is by specifying the principle of necessity and proportionality. This means that any use of personal data for purposes such as national security, defense or criminal investigations is limited to those that are necessary and proportionate in a democratic society. Essentially, the arms of the government still have to play by the rules and justify themselves for the way they use personal data to ensure they are not harming individuals. Under the DPDPA, though, the government can exclude itself entirely from the measures set out in the law.
Q4. How has India’s DPDPA reshaped the landscape of data protection for businesses and individuals?
Ketan: It has yet to reshape the landscape – the DPDPA isn’t even enforceable yet. The Rules and the Data Protection Board’s establishment are still awaited, almost two years after the law was passed. I joined my current employer on the very day the DPDPA was passed, and I saw a lot of interest from companies in ensuring readiness with it. I’ve personally undertaken 20+ projects to help companies do so, and helped out with many others, seeing problems and creating solutions in varied sectors and corporate settings. However, companies are beginning to wonder when – or if – any practical upshot of this law will be felt. I think we need to wait until the DPB makes landmark rulings and fines corporations for the misuse of or lax protection of personal data to see any reshaping occur. Having said that, I had never seen such interest in personal data from corporations or individuals before the DPDPA as I have seen after it, which is truly gratifying as someone who’s spent so many years in the field.
Q5. What inspired you to write Privacy Matters, and what message do you want readers to take away?
Ketan: My doctoral research had a major component showing how individual and cultural values shape people’s views on privacy and identity. In essence, if you are an individualist and want better things for yourself, you should care about the right to privacy since it protects you and provides services to you based on your consent. If you are a collectivist and want better things for society, you should care about the right to privacy since it enables people around you to make meaningful choices about their data and protects them from greedy corporations. Either way, you need to know your rights, and how to exercise them.
Indian companies, on the other hand, want to be seen as compliant with the law and trustworthy. To that end, CEOs, compliance officers and marketers care deeply about all the steps they need to take to comply with the law. CFOs want to avoid massive fines, which also makes them just as interested.
The book threads the needle with all these readers. It is split in three parts – the first gives you a grounding in data protection across the globe and India, the second empowers individuals to understand and exercise their rights, and the third gives companies a step-by-step guide from being completely unprepared to advanced measures. This is why I wrote the book.
Q6. Can you share some key insights from the book about how individuals can better protect their personal data?
Ketan: The most important idea for individuals to understand is that their action matters. The law is set up in such a way that both the Data Protection Board of India and companies who have their data are mandated to take their rights seriously if they choose to exercise them. You have the right to access your data, to rectify or delete it, to get your grievances addressed, or to nominate someone else in case of death or disability. Know your rights and reach out to companies and exercise them. If you see something wrong going on, complain to the Board whenever it’s set up – the Board will not take any action by itself without your complaint.
To that end, the book takes you, the individual, from awareness, to action, to advocacy. Remember, your digital footprint is the trail you leave online. Be mindful of what you share, regularly review your privacy settings, and think about the long-term implications of your online actions. Encourage others to do the same, fostering a culture of digital responsibility in your community.
Q7. What feedback have you received from readers that surprised or encouraged you?
Ketan: At this point, my book has been read by both individuals and very senior folks in companies – Chairpersons and CXOs – and they have uniformly praised the ease of reading the book despite the complex nature of the subject matter. This was hugely encouraging to me, coming from an academic background. If you read academic papers, you know we aren’t the best at communicating things simply. But the whole idea behind the book was to make people aware, especially those who haven’t come across this topic before. And to see them get it makes me very happy.
Q8. What are some of the biggest challenges companies face in implementing effective privacy programs today?
Ketan: To implement effective privacy programs, you need to know where the personal data is in the first place. That takes effort; speaking to a diverse, cross-functional group of senior leaders within your organization to understand what data they collect, how they store it, and what they actually do with it. This means meetings where you have to make them aware of the need to share information about their work, then walk them through all the purposes for which personal data is being processed. And then, finally, corroborating this information with IT, the true custodians of digital data. You need people who can talk to everyone regardless of their area of expertise, convey concepts simply, and get the information that you need to set up your policies correctly. After this, you need to actually implement these policies on a regular basis – it’s not a ‘one-and-done’ affair. These are all challenges every company must go through if they’ve rarely thought about data protection before.
If there’s one solution I could offer to these challenges, it’s that of awareness. Make everyone aware of the importance of data protection and appoint privacy champions in each function to spread that awareness and the steps the organization is taking to better comply. Make awareness mandatory, and ensure leadership is driving it; if this is not driven from the top, it is bound to fail.
Q9. How do you envision the future of the DPDPA evolving over the next decade?
Ketan: The DPDPA is a good first step, but it is only that – the first of many steps. A lot more remains to be done. The DPDPA and its Rules need to be enforced, and the Data Protection Board needs to be established on a heftier budget than a paltry Rs. 5 crores. India is a goldmine of data due to its sheer size, and more and more companies are going to find uses for it, not just related to artificial intelligence. I think we will see laws around all of it, perhaps in the form of the Digital India Act. Operation Sindoor has also suddenly brought to the fore India’s vulnerability to digital threat actors, be that in terms of cybersecurity or misinformation. Perhaps a law to tackle that may be on the cards.
The idea of ‘consent managers’ and ‘digital lockers’, brought up through the DPDPA and the draft Rules, is quite unique to India. We will see more on that soon enough, though, how they are meant to be technically implemented remains to be seen. Perhaps through technical standards made by the Bureau of Indian Standards.
This is a very exciting discipline to be in over the coming decade in India, and I’m looking forward to seeing all of it.
Closing Summary
Ketan Modh brings a thoughtful and practical voice to the conversation around data privacy. In this interview, he breaks down big topics like DPDPA and global privacy laws in a way that’s easy to understand, while also reminding us why they matter. Whether it’s helping companies stay compliant or encouraging individuals to take charge of their personal data, his insights are both timely and relatable. His book Privacy Matters is a great example, it’s not just for experts, but for anyone who wants to make sense of privacy in today’s digital world. As India moves forward in shaping its data protection landscape, voices like Ketan’s are helping guide the way with clarity, purpose, and heart.
ALSO READ: Interview with Aviral Kulshrestha, Sharing Insights on Navigating GDPR and DPDPA Challenges
