This interview has been published by Anshi Mudgal and The SuperLawyer Team

Starting from your first role in 2008 at Khaitan & Co., you’ve built a legal career that bridges traditional law and cutting-edge technology. What mindset shaped this journey?
My journey has been one of deliberate growth — from shadowing senior counsel during internships to advising boards on privacy and AI. At NLIU, I learned discipline and legal craftsmanship. Assisting senior counsel before the Supreme Court taught me the value of precision in advocacy.
Joining Khaitan & Co. in 2008 gave me exposure to private equity and M&A, where I realized law can enable growth, not just mitigate risk. These experiences shaped my approach to law as a living system — not merely a set of rules.
“Every deal, every court brief was a rehearsal for the lawyer I was becoming.”
You pursued an MSc in Law & Finance at the University of Oxford in 2015. How did this experience reshape your perspective on law, business, and technology?
Oxford was transformational. The program pushed me to think like a policymaker and strategist, marrying systems thinking with economic foresight. The admissions process itself forces you to ask: Who are you, and what will you change?
At Oxford, I realized law is not just about resolving disputes — it’s about designing fairer futures. Today, whether drafting cross-border data policies or shaping ethical AI frameworks, I rely on those lessons — precision, foresight, and human-centered thinking.
“Oxford didn’t just open doors. It reshaped how I walk through them.”
After Oxford, you joined Baker & McKenzie, London, in 2016, working on complex cross-border deals. How did this prepare you for tech law challenges?
Baker & McKenzie exposed me to multi-jurisdictional transactions involving data, competition law, and tech-driven businesses. It refined my ability to integrate legal advice with commercial strategy — a skill that remains critical in regulatory leadership.
“Global deals teach you that law is not just local compliance — it’s about harmonizing rules with vision.”
With the Digital Personal Data Protection Act, 2023 (DPDPA) reshaping privacy frameworks, what should businesses focus on?
DPDPA 2023 introduces a consent-first, rights-driven approach. Businesses must embed privacy into their DNA. The Business Requirement Document on Consent Management becomes crucial — translating legal obligations into features like granular consent, revocation, and audit logs.
For SaaS companies, compliance means building privacy into product architecture from the start — not bolting it on later.
“Under DPDPA, privacy is no longer a checkbox. It’s a design principle.”
AI regulation is evolving fast. How should SaaS companies approach permitted AI usage?
Permitted AI usage means innovating responsibly — ensuring data processing aligns with consent, purpose limitations, and ethical safeguards. For SaaS, it requires documenting use cases, maintaining risk registers, and conducting ethical reviews before rollouts.
“Permitted AI usage is about proving that innovation respects rights, not just scaling technology.”
You transitioned from law firms to leading compliance and privacy in-house. How did this shape your leadership style?
Law firms were my training ground, but moving in-house allowed me to build rather than just fix. At CoinSwitch and later at Dun & Bradstreet, I became a translator between risk and vision — operationalizing DPDPA and IT Act obligations into workflows teams could implement.
Leading cross-border teams taught me that leadership isn’t about authority; it’s about making people feel safe, seen, and inspired.
“You can’t lead well if you’re afraid of being disliked. Courage creates clarity.”
Aligning compliance across India, Singapore, and European markets is challenging. What worked for you?
The key is balancing speed with regulation. At Dun & Bradstreet, we operationalize DPDPA alongside Singapore’s PDPA while maintaining agility. The secret lies in simplifying complex regulations into actionable steps and keeping regulatory reporting both consistent and efficient.
“Regulatory leadership is about keeping law human.”
You’ve faced curveballs in high-stakes environments. How have they shaped you?
I’ve seen strategies falter and negotiations stall — not because of effort, but because the environment changed faster than expected. Each curveball wasn’t a setback; it was a reset that made me sharper.
Examples:
- In a cross-border M&A deal, cultural misalignment nearly derailed progress. Listening and adapting saved the deal.
- During a privacy review, spotting gaps in vendor contracts early prevented regulatory risk.
- When developing a consent framework, simplifying it through user-centric design improved adoption across teams.
“Curveballs teach you to anticipate change, stay agile, and turn challenges into frameworks that drive long-term success.”
What do recognitions like being featured in prominent legal rankings or industry awards mean to you in terms of your professional journey and leadership?
These awards reflect consistency and relevance. They’re not destinations; they’re mirrors reminding me to stay adaptive, curious, and innovative while empowering the teams I work with.
“Careers aren’t built in boardrooms. They’re built in quiet moments of reflection, persistence, and refusal to be ordinary.”
You lead Regulatory, Legal & Compliance across India and Southeast Asia. How can a lawyer carve their path to becoming a DPO while managing these broader responsibilities?
Being an effective DPO while leading regulatory, legal, and compliance functions means more than knowing laws — it’s about embedding privacy into the company’s growth strategy.
At Dun & Bradstreet, where analytics power decisions for enterprises worldwide, the DPO role is integral to building trust while enabling innovation.
What works:
- Deepen expertise in privacy (DPDPA, sectoral laws, cybersecurity).
- Embed privacy into processes, not just policies.
- Work across teams — legal, product, engineering — to align compliance with agility.
- Learn from real challenges, such as mitigating risks in cross-border data flows.
- Keep learning and stay visible through certifications and thought leadership.
“A great DPO doesn’t just enforce compliance; they design trust that drives the business forward.”
What’s your advice for young lawyers entering privacy and tech law?
Pick a niche — privacy, SaaS, fintech — and go deep. Master laws like DPDPA 2023, the IT Act, AI frameworks, and client-facing SEBI regulations. Pair this with an understanding of how technology works, and share your insights through writing and forums.
“Expertise is built when curiosity meets consistency.”
You’ve handled billion-dollar deals and privacy decisions impacting millions. How do you stay grounded?
Balance is intentional. Strong mentors and high-performing teams keep me centered. High-stakes work demands clarity that comes from preparation and purpose.
“Balance isn’t slowing down. It’s designing rhythms that let you accelerate without burning out.”
Final Words to the SuperLawyer Community
Law is evolving at the speed of technology. Even in an age of AI and SaaS, three things remain timeless: trust, clarity, and courage.
My journey — from NLIU Bhopal to Oxford (2015), Baker & McKenzie London (2016), and leading privacy across India & Southeast Asia, to being recognised in the Forbes India Top 100 Lawyers 2023 and Business World Legal 40 Under 40 — is proof that deliberate choices shaped by curiosity and resilience can redefine what’s possible.
“You don’t have to be fearless. You just have to move forward despite the fear — and build a brand that speaks for itself.”
Get in touch with Kriti Sharma