This interview has been published by Anshi Mudgal and The SuperLawyer Team
With over two decades of legal experience across aviation, manufacturing, IT, banking, and more, what first drew you to specialize in data protection and privacy law?
In 2016, I had the privilege of working with a mentor who saw potential in my analytical approach and encouraged me to explore data protection more deeply. At the time, privacy was gaining global traction with the GDPR on the horizon and organizations beginning to grapple with what responsible data stewardship truly meant. What intrigued me wasn’t just the regulatory complexity, but the human dimension: how we protect dignity, autonomy, and trust?
How did your law degree at The University of the West Indies, Cave Hill Campus, Barbados shape your worldview and influence your approach to international data protection and cross-border compliance?
Studying law in Barbados gave me a strong foundation in critical thinking and comparative legal analysis. I was surrounded by students from across the Caribbean (from The Bahamas to Guyana) and our coursework often involved comparing legal systems from the UK, India, and the US. It was a diverse, intellectually rich environment that encouraged me to look beyond borders and see law not just as a set of rules, but as a tool for societal transformation. That exposure shaped my global mindset and continues to guide my work today; whether I’m advising on GDPR compliance, India’s DPDPA, or data protection frameworks in the Middle East. I approach cross-border compliance not merely as a technical exercise, but as an opportunity to bridge cultures, align values, and foster global accountability. Legal compliance is more than a regulatory requirement. It’s a step toward building trust, empowering communities, and strengthening institutions.
You’ve advised organizations on GDPR, DPDPA, and other global privacy regulations. What are the biggest challenges multinational companies face in harmonizing compliance across jurisdictions?
When it comes to legal compliance, the saying “too many cooks spoil the pot” doesn’t quite capture the complexity. In global data protection, it’s not just about conflicting opinions, it’s about reconciling overlapping laws, operational realities, and evolving expectations. The most pragmatic approach for MNC’s is to anchor their framework in the highest standard (typically the GDPR) and then layer in jurisdictional nuances across your operations. It sounds simple, but implementation requires careful calibration. MNCs need to weigh time, cost, enforcement risk, the litigious nature of data subjects, and the reputational impact on their brand. These factors, when considered together, help determine their compliance priorities. This juggling act is one of the greatest challenges for multinational organizations. And it doesn’t end once the framework is built as keeping up with changing requirements, new enforcement trends, and emerging technologies is a continuous process. Compliance isn’t static; it’s a living, evolving discipline.
After more than a decade in inhouse legal roles, you transitioned into independent consulting and later established your own practice. What motivated this shift, and how did it change your perspective?
I reached a point where I wanted to change both professionally and personally. I had gained significant experience across aviation, manufacturing, IT, and banking, but I felt the pull to work more closely with small and medium-sized businesses that often can’t afford large legal teams but still need strategic guidance to transform their operations. Independent consulting gave me the freedom to support these organizations across industries, helping them build privacy programs from the ground up. It also allowed me to take better care of my health and spend more time with my family :something the corporate pace rarely permitted. Along the way, I’ve realized that data protection compliance is still viewed by many as a luxury rather than a necessity. It’s not always a top priority, especially for growing businesses. That’s where I bring added value not just through privacy expertise, but by integrating my cross-functional skills in contracts, intellectual property, and operational risk. I offer clients a holistic view of compliance that’s practical, scalable, and rooted in their business realities.
In your diverse practice, what has been one of the most challenging cases for you, and how did you navigate it?
Everyone uses templates and guidelines today but preparing for GDPR compliance before 2018 was a very different story. There were no ready-made toolkits, no plug-and-play solutions. Crafting documentation meant starting from scratch interpreting the law line by line, understanding its intent, and translating best practices into operational reality. It was challenging, especially under tight timelines and high-stakes environments. Time-sensitive projects always come with pressure, but I’ve learned to navigate the magnitude with focus and resilience. A few grey hairs later, I’m proud to say I’ve pulled through and helped organizations build privacy programs that are not just compliant, but meaningful.
You’re deeply involved in privacy training and awareness programs. What’s the most common misconception employees or leaders have about data protection? How do you see AI reshaping legal compliance and data protection practices in the near future?
One of the most persistent challenges in data protection is that many people still struggle to grasp the basic concept of personal data. Culturally, there’s a long-standing comfort with sharing information in many countries (photos, medical details, contact numbers) with service providers, often without a second thought. So when it comes to implementing data protection compliance within organizations, employees may not fully understand what they should avoid or why it matters.
That’s why education is critical. It’s not just about rules, it’s about understanding the reason behind the law and the consequences for both the individual and the organization. Leaders, too, often underestimate the importance of compliance. Some assume regulators won’t enforce the law, so they question the need to invest in privacy programs. What they miss is the long-term brand value that privacy compliance can bring. That’s trust, credibility, and resilience.
AI is reshaping the compliance landscape. It introduces new challenges especially around automated decision-making and data ethics but it also brings precision and efficiency. Many data breaches stem from human error, and AI can help reduce that risk by handling repetitive, high-volume tasks with consistency. When used responsibly, AI becomes a powerful ally in building smarter, more secure privacy frameworks.
While designing and implementing data protection policies and internal controls, what are the most critical factors organizations should keep in mind?
Policies should be written in clear, accessible language to ensure all employees can easily understand and apply them. They must be reviewed annually to remain relevant and effective. Updates should reflect current industry trends as well as internal insights and lessons learned. To reinforce understanding, training should be used to animate policy content, thus transforming written guidelines into meaningful, memorable practices.
How can data privacy be effectively embedded into day-to-day operations rather than treated as one-off compliance exercises?
Embedding data privacy into daily operations starts with applying core protection principles consistently, regardless of one’s role or department. When privacy is treated as a shared responsibility, it naturally becomes part of business-as-usual. One-off compliance exercises may check legal boxes, but they rarely build lasting habits or cultural awareness. By integrating privacy into everyday activities ..step by step, day by day…it becomes second nature to staff and strengthens both trust and compliance.
You’re passionate about mentoring young legal professionals. What key qualities should future privacy leaders cultivate to thrive in a rapidly evolving regulatory environment?
Future privacy leaders must embrace adaptability by welcoming new challenges, evolving technologies, and diverse ways of working. Flexibility isn’t just a skill, it’s a mindset that allows them to navigate shifting regulations and organizational cultures with confidence. Equally important is respect. Privacy is a collaborative field, enriched by voices young and old, technical and legal, strategic and operational. Every colleague brings a unique ingredient to the pot and leaders who listen, learn, and uplift others will build stronger, more resilient privacy cultures.
With data protection laws expanding globally, what major trends do you foresee shaping privacy compliance over the next five years, and how do you see your practice evolving?
Over the next five years, AI will be one of the most transformative forces in privacy compliance. Its rapid adoption will pose significant regulatory and operational challenges, especially around transparency, accountability, and lawful processing. Initially, many practitioners may struggle to keep pace with the evolving tools and frameworks. But as familiarity grows, AI will become an ally streamlining meticulous tasks such as maintaining records of processing activities, comparing cross-border legal requirements, and conducting compliance assessments. Those currently take up a lot of my time, so I’m especially keen to explore how AI can reduce administrative burden while enhancing accuracy and consistency.
Get in touch with Daniella Sankar –
Well said