Karishma Sundara, Founder of Kintsugi Law, is a technology and data privacy lawyer whose journey spans literature, Cambridge Law and a decade in emerging tech regulation. With experience shaping India’s evolving data protection landscape, she brings analytical clarity and domain depth. As the founder of Kintsugi Law, she reflects on her path, the ruse of privacy law and the future of focused, integrity-driven tech practice.
This interview has been published by Anshi Mudgal and The SuperLawyer Team
What initially inspired you to pursue law after an academic background in literature and what experiences influenced your decision to move in this direction?
The decision was not an automatic one for several reasons. The most important being: I loved studying English Literature, and part of me wanted to continue on that path and ultimately teach. At the same time, the thought of a career in law was also deeply appealing.
Deciding to gather more information before I made a choice, I signed up for an introductory summer school programme at the London School of Economics and Political Science. I enjoyed the course, and realised that if a short summer programme could inspire such interest, pursuing a full-time programme would be time well spent.
Through my fourth year, as I wrestled with a series of deadlines and commitments, the decision became clearer. Once the Cambridge acceptance letter came through, I’ll admit, the decision was made for me.
Over time, I realised that it wasn’t eventually a choice of one subject over another. English Literature and Law share a natural correlation in terms of the interests and skills that they cultivate. Both subjects, for example, encourage close reading and an exploration of multiple interpretations as you analyse the primary text and identify the best arguments, whether on the basis of these primary texts, secondary reading, or precedents. Above all, they’re both founded on the lasting appeal of the written and spoken word.
From a literary perspective, words can paint you a picture, or you can paint one with them: bright and sunny; dark and gloomy; or just deeply introspective. It can be something meaningful or light, but it’s never ‘nothing’.
Words are just as central to the law. They define its limits in black, white, and grey; variations in facts and circumstances change outcomes and arguments, and a line between what is permissible and isn’t can shift or change based on the perspective that you bring to it.
Ultimately, I chose both subjects because I believe that words, language, and how we deploy them can be transformative.
What kind of exposure did you receive at Cambridge and how did it change your perspective in terms of academic, cultural, and professional experiences?
Studying Law at Cambridge was an incredible experience, both rigorous and rewarding. The eight-week term structure (with the undergraduate academic year spread over three terms) encourages immersive, focused learning, which is bolstered and evaluated in small-group tutorials (supervisions).
The lectures, often led by the professors who authored the primary textbooks for the course, brought the subjects to life. Supervisions, led by subject matter experts, only enhanced the learning process. Conducted in small groups, they required detailed preparation, often yielding deeply engaging discussions. While the study and practice of law can differ in certain ways, the skills you imbibe as a law student – whether analysing complex facts and judicial precedents, or learning the value of alternative opinions, will direct and ground your path as a practitioner.
The structure of the course, with busy eight-week-long terms, made the wins, whether big or small, mean more to each of us.
I recall preparing for a Tort Law moot with a teammate, two months into law school. Neither of us had participated in a moot before, and it was scheduled in the midst of a packed week.
Even the hard weeks at Cambridge, however, often come with a side of humour. The moot court problem concerned occupiers’ liability on college grounds, and issues of trespass – all centred around familiar signs that pepper lawns across Cambridge, encouraging students to ‘keep off the grass’. Despite being sleep-deprived and new to the world of mooting, we came in first. Being named the Best Speaker, amidst the tough (and, seemingly, less sleep-deprived) competition that morning was the highlight for me. It made every other challenge that week manageable.
The educational dialogue at Cambridge as with any educational institution, isn’t, of course, restricted to a designated discussion room. Some of the most enlightening conversations I’ve had have been over a cup of coffee in a common room, with students pursuing different fields of study or research. The sense of community that comes from the collegiate system binds it all together.
In the end, a strong education, wherever it is received, provides a foundation that we each build on – and, hopefully, harness, throughout our careers. I would not be who or where I am today without the education that I received at Cambridge, or the four wonderful years that I spent at the University of Edinburgh prior to that. Together, they laid the foundation for what I continue to build on today.
In the initial stages how did your roles at various firms and entities enhance and compliment your understanding of data privacy and also how did you notice the legal landscape evolve over the years?
I would like to think that I chose technology law first, but the truth is that it chose me.
When I first began working in this space, privacy law was at an inflection point – not just in India, but globally. 2016 brought with it the adoption of the General Data Protection Regulation in the European Union. The following year, the Supreme Court of India affirmed that privacy is a fundamental right, setting in motion an eight-year-long process that culminated in the notification of the Digital Personal Data Protection Rules, 2025 last month.
From a young associate advising on India’s 2011 privacy rules to analysing every draft of the data protection law until its enactment during my last role as a Counsel – I’ve seen the framework evolve in many ways, and with it, my understanding and practice of this area of law.
For data-driven businesses, an increasingly wide group, navigating an evolving data protection landscape was and continues to be crucial. Advising clients – from global tech companies to native startups on this evolving space, allowed me to engage closely with the law on a daily basis and assess the practical implications of different compliance approaches.
This was an immersive and engaging experience, particularly as each draft of the law presented its own unique challenges. From deciphering what localisation of certain personal data could require, to navigating differential global standards for handling children’s personal data – every issue had to be considered from a theoretical and practical lens. This often involved conducting intricate gap assessments with foreign counsel; recommending alterations in user interfaces, experiences, policies, and internal processes; and assessing possible outcomes.
Having the opportunity to immerse myself in some of the most interesting aspects of technology law from the get go, was especially instructive. On the privacy front, this included being instrumental to advising on privacy and regulatory compliance for social media offerings, global privacy policy updates, and managing related litigation before various High Courts and the Supreme Court.
Being in the trenches was the best way to learn how to navigate these aspects of technology law. It is what has enabled me to confidently take nuanced positions on intricate issues, and listen to plausible alternatives, whether they come from peers, or younger, enthusiastic colleagues.
On the whole, my experiences across these roles enhanced my ability to convert my interest in, and understanding of, this dynamic area into domain expertise.
What was the turning point that changed your perspective and led you to establish your own practice and what was the vision that guided you?
There’s only so long that you can live in Bangalore without being bitten by the startup bug! In all seriousness, though, the start of something new requires opportunity, expertise, confidence, and a determination to bring this all together. For me, these factors coincided this year.
Having been embedded in the TMT space for the length of my career, the signs were unmistakable. With the pandemic driving tech adoption to unprecedented levels, regulation has since tried to keep pace – and continues to globally. I was certain that there could be no better time to harness domain expertise in a new avatar and approach emerging legal issues with a fresh perspective. The latter half of this year, which has ushered in several key technology law and policy developments, confirmed this.
Having helped entities shape and deploy compliant, impactful tech products and features for years, the entrepreneurial path and the autonomy and change that it can bring – seemed like the natural next step. As a first-generation lawyer, I am also no stranger to the hard work that shaping your own narrative demands. I’ve built my legal career and reputation from scratch, from cold calls and emails when I first returned to India to forging lasting client relationships based on clarity, expertise, and trust. Finally, while taking a seat at an existing table as a woman is incredibly important for gender equity, I strongly believe that building your own table can also be deeply meaningful.
That’s how Kintsugi Law was born. Building it, of course, is a whole other – but equally enriching – journey!
The name, inspired by a Japanese art form, reflects the sustainable, resilient ethos on which I wanted to found the practice. To me, the kintsugi process reflects attention to detail, being undeterred by complexity, and choosing resilience over legacy: as a result, preserving the best of the old, while creating something new and lasting.
This, in many ways, aligns with my decision to channel my years of experience into a new practice – like the tech-driven space that Kintsugi Law serves, which constantly harnesses what has gone before to build something new.
What are your aspirations for the future and how do you see your practice evolving in the coming years considering the dynamic legal landscape of Data Privacy Law?
There is a growing audience for the hands-on, dedicated legal assistance that boutique practices can provide in their specific arenas. There is also no time like the present to shape a robust TMT practice to address the dynamic legal landscape. The aspiration has always been to do things differently through Kintsugi Law, and that begins with recognising what has shifted, what must shift, and why.
It isn’t just the laws that are evolving by the minute; the expanse of clients who require specialised assistance is changing, too. With every entity adopting an online presence, and tech driving every business, the application of technology law is not limited to a few, especially, when it comes to legislation like the DPDPA.
Similarly, clients across the board have always recognised the value of expertise, and this remains true today. How they expect to receive advice or support, or where they see value peak has, however, changed. In-house counsel, often, require quick, concise advice from senior practitioners, advice that does not have to be further decoded before it is presented to their internal business partners. Rigid, legacy approaches to providing legal advice are becoming increasingly outdated.
Shedding older ways of working must also occur meaningfully, in terms of client delivery, as well as how we shape the future of each practice. For example, it isn’t enough to embed AI tools into a practice’s structure and mandate their use: it’s important to do this mindfully, and to ensure that it accelerates but does not fetter legal reasoning.
Embracing change across these arenas must also go hand-in-hand with strong mentorship – something that the practice aims to cement as it expands. To my mind, strong mentors are, usually, the difference between good and great lawyers. I have, across my career, devoted a significant proportion of my time to mentoring young associates. One of the greatest joys has been to see them, and especially the young women whom I have mentored, succeed at each stage of their careers.
The DPDPA compliance-building process, given the sheer volume of the diverse tasks at hand, is likely to foreground these changes. For example, assisting privacy-first global organisations will have to sit alongside advising those who are encountering these implementation hurdles afresh. How clients perceive efficiency and value is also likely to change, given that this is both a detail-heavy process and one that calls for nuanced strategic input. Determining when and how to mindfully use AI to ease the process will also play a role.
Ultimately, the aim is to cement a robust, specialised practice that reflects the attributes and values that I hold dear, internally and externally: be it integrity, or resilience.
The Digital Personal Data Protection Rules, 2025 has recently been notified; what is your take on its regulatory impact and any shortcomings you foresee?
Regardless of where we might each stand on the new data protection law, or aspects of it, there is no denying that this is the start of a brand new era. It is difficult to predict what enforcement will look like in 2027, or how uniform compliance will be. The proof will really be in the pudding.
Change and dramatic change, at that is, however, inevitable. In under 18 months, entities will have to process this tectonic shift and trigger changes in internal and external processes. Amongst other things, they will have to:
- assimilate legacy processing activities, as they plan for fresh ones;
- determine appropriate bases of processing and their implications;
- chart breach notification protocols; and
- prepare to steer clear of prohibited processing.
The same timeline will see interfaces with data principals change: whether online, or in physical spaces.
Sensitisation to change, whether internally within organisations, or externally, across a country as diverse as ours, will be one of the biggest challenges to functional and meaningful implementation.
Most entities handle digital personal data. They’ve, however, had to do so thus far on the basis of a leaner regime focused on protecting sensitive personal data. The DPDPA will necessarily overhaul existing data handling practices, and how they are functionally structured.
Meaningful implementation of a consent-driven regime can, similarly, only be achieved if data principals, with varying levels of digital literacy and spread over 28 States and 8 Union Territories understand what is about to change, how, and why.
Aside from tailoring pragmatic notices to be easily understood in English and 22 official Indian languages, data fiduciaries will have to tackle practical issues around whose personal data they may be handling. Determining when they are tracking a child on a shared device, obtaining consent for third-party personal data, and ensuring meaningful verifiable parental consent will, for example, present a challenge. Entities operating globally will, additionally, have to identify where global compliance measures converge and when India-specific ones are necessary.
Many of these issues have arisen in some form or the other since the first draft of the law was published in 2018. The road ahead, however, now requires entities to decide how to definitively tackle them.
What advice would you offer to students who wish to enter the field of law and in particular the data privacy arena?
Pursuing a career in law can be all-consuming, so take the time to decide if this is the path for you. Choosing a specialist practice area – while rewarding – also brings its own additional considerations, such as a sustained (and sustainable) interest in a specific field.
Data privacy law is one such space. It is increasingly popular amongst law students and young lawyers, but as with all specialist areas of practice, remember to:
● Invest time in familiarising yourself with the applicable laws, related developments in other jurisdictions, and the underlying technology.
● Try to gain as much experience in the space as you can before determining if this is the path for you.
Both will help you decide if this is more than a passing interest, which is deeply important for two reasons, at least. First, a passing or superficial interest, particularly in a specialist practice area, becomes quickly apparent in an interview or initial discussion and can halt the process there. Second, it may sound hackneyed, but loving what you do (if you’re lucky, more often than not) is the secret sauce here. You will spend a bulk of each working day grappling with issues in a specialist, dynamic practice area – enjoying what you do is deeply important.
For my part, loving what I do eases some of the daily operational stress. It turns every new Gazette notification into an animated discussion, and inspires me to keep returning to work with the same enthusiasm – be it joining a panel discussion on handling children’s personal data, advising on digital safe harbour law nuances, or writing about an issue that’s got my attention.
All of this, of course, comes with an important caveat: it takes time to determine if a practice area is right for you. So, allow yourself this leeway and then make an informed choice. Sometimes, these choices may change; just know that that’s part of the process, too.
One way to go about this (to paraphrase Marie Kondo) is to ask yourself: “Does this spark joy?” If it does, then don’t just retain it: centre it in your life.
Get in touch with Karishma Sundara –
