Mr. Anurag Shushant is the CEO at ‘Zedroit Global Solutions Private Limited’. Zedroit is a global service provider with exclusive specialization in the Data Protection and privacy domain. Starting his legal career with TATA AIG by securing a campus placement from Faculty of Law, Banaras Hindu University, he discovered the potential of the domain of ‘Data Privacy’. After investing all his assets to his interest, he established himself and started his career in the field of Data Privacy as a Senior Privacy Associate at KPMG Lower Gulf, Dubai.
1. To begin with, could you please tell us about your legal journey, from the beginning to becoming who you are today?
By the time I completed my law degree (BA LLB) from Law School, Banaras Hindu University, I had secured a job at Tata American International Group (AIG) through campus placements. I never had an interest in litigation or judiciary (as per the cherished trend of traditional law schools). I always had the vision of ultimately setting up a venture of my own. Anyway, after college, I joined Tata AIG as an in-house Counsel and was promoted to Manager after a year.
During my stint at Tata, I got my hands on “data privacy” and realised the potential of this domain. I made a big decision and left my job at Tata AIG to pursue my career in privacy full-time. I enrolled in an MBA program with a specialisation in Privacy Management from Swiss School of Management. I then invested all my time, money, and energy in building my profile in privacy.
Within 3 months, I secured 4 job offers in the privacy domain after several interviews. Out of the four, I decided to join Deloitte India Limited Liability Partnership (LLP) as a Senior Privacy Analyst. I cleared all the essential certifications, exams, and credentials expected from a privacy professional. I also kept my online presence strong and always used to talk about data privacy on LinkedIn and other social media platforms.
After about three-quarters of a year, I started receiving job opportunities from multinational companies (MNCs) and big consulting firms from abroad. After several interviews, I finally had three offers from abroad. I did not want to join in-house at MNCs and found Consulting more exciting and dynamic. So out of the three offers, I joined Klynveld Peat Marwick Goerdeler (KPMG) Lower Gulf, Dubai as a Senior Privacy Associate. Among other tasks at KPMG Dubai, one of my long-term projects required me to discharge the responsibilities of a Data Protection Officer (DPO) for a multinational bank, where I got designated as the Assistant Vice President to perform day-to-day privacy operations with the legal team in the Middle East and North Africa (MENA) region. I extensively worked on the privacy frameworks and regulatory compliances in the Middle East, including the Saudi market for the upcoming Personal Data Protection Law (PDPL). I never stopped learning and simultaneously kept on teaching privacy to the masses as well. I completed my Master of Business Administration (MBA) degree, and also started training and guiding others in this domain.
In the meanwhile, India and Saudi Arabia implemented their first data privacy Regulation called “the Digital Personal Data Protection Act, 2023” (DPDP Act) and “the Personal Data Protection Law” respectively. This basically meant that it was the perfect time for me to get into the market on my own. My entrepreneurial juices kicked in and I decided to quit my job at KPMG Dubai. It was indeed a very tough decision though. But this was the time when both the Indian and the Saudi markets were expected to witness a boom in the opportunities in the privacy domain.
Currently, I am the Chief Executive Officer (CEO) at “Zedroit Global Solutions Private Limited”. Zedroit is a global service provider with exclusive specialisation in the data protection and privacy domain. We lead the market in providing comprehensive as well as customised privacy solutions to a wide variety of regional and multinational clients, ranging from high-impact startups to mature market-leading organisations. Our mission is to empower businesses with the knowledge and tools they need to safeguard their data and maintain the trust of their customers. We are operational in several regions across the globe, including India and the Middle East.
2. Do you think young lawyers should concentrate more on honing a single talent or area of expertise, or are you a believer of holistic approach?
I am a person who believes in dynamism. I believe that magic happens at intersections. And I am not just talking about taking a holistic approach in the field of law, rather I always suggest looking beyond law — look for intersections of law with other fields as well.
In my case, I chose privacy way before the Indian privacy law (DPDP Act, 2023) was enacted. I saw a beautiful intersection of law, technology, and management in the domain of privacy. I saw the potential and the upcoming boom of opportunities in this domain and dived into it. And this worked well for me.
I believe, moving forward, one must always be ready to come out of their shell. My advice to young lawyers is to first have an area of expertise as a base and then develop things around it.
3. What major experiences did you have in law school that aided your advancement?
I always used to believe that investing all my time in academics could make me a good academician or a scholar but would not make me achieve my entrepreneurial goals. And it was not just about my goals, but also about my personal development. We all have a definite 24 hours in a day. Hence, I was very sure from the very first semester of law school that I needed to carve out my time and use it diligently to work on other dimensions of my professional personality and excel at them too.
So be it debates, moot courts, article writings, research papers, presentations, etc. in extra – academic activities or be it theatre, singing, poetry, etc. in arts or cricket in sports, I did all during my college days and participated in as many events as possible, in college as well as across the nation. I also used to organise events and fests. That gave me the experience of being on the other side of the table too.
Also, I am a law graduate from Law School, Banaras Hindu University. I pursued 5 years integrated law course, namely, BA LLB from my alma mater. Interestingly, we were the second batch of BA LLB there, and hence a lot of extra-academic and extracurricular activities which are generally expected to be a part of 5 years’ law curriculum were not in place. We as the initial batches of BA LLB had the responsibility upon us to work with authorities to establish and organise such activities and events in college. Yes, it was an added burden upon us, but where there is a vacuum, there is opportunity. And my juices always used to get pumped up to take upon responsibilities of establishment. Along with the college administration, I always actively contributed to such establishments and events to the best of my potential. Such involvement and the willingness to take responsibility for establishing new things kept me vibrant and taught me a lot.
So long story short, I made sure that along with my academic growth, I should also work on developing my overall personality during my five years of stay at law school. And this is what I always propagate to the newcomers as well.
4. As a data protection and privacy expert, how rapidly the cyber sector is growing in terms of crime, and how important it is to keep our digital data safe?
We all know the pace at which technology is growing. And proportionate to the growth of the digital world, the importance of data protection and privacy is also going uphill. With ever-evolving technology and digital space, cybercrimes and data breaches are obvious to explode in numbers, recently more than ever. And this will continue proportionally with the growth of technology and digitalisation. Now, the IT Acts or cyber laws of the past are not enough to regulate the usage of data in this new era of digitalisation.
In this light, Governments around the world have also become conscious and are taking active steps to ensure adequate data protection and privacy by implementing specific laws and regulations in this regard. The privacy regulations grant certain rights to the data principals/subjects and simultaneously put various obligations/measures to be implemented by the data fiduciaries/Controllers.
As a data subject, every individual must understand the importance of their personal data and be aware of his/her privacy rights. Also, every Data Controller must ensure compliance with the applicable privacy laws and showcase their best practices to their customers/clients.
I have personally been working on these aspects from both ends of the table. I have been conducting privacy awareness and training sessions free of cost for the masses. Simultaneously, I have been implementing privacy frameworks and standards for organisations to meet their obligation and achieve compliance throughout multiple jurisdictions. Now at Zedroit, we are committed to the same cause. Zedroit aims to ensure data privacy at both organisational as well as individual levels.
5. In light of the new Digital Personal Data Protection Act, which is now a law and the first of its kind, how far do you think it will go in filling the void left in the country by the lack of legislation in this area until now?
The Digital Personal Data Protection Act, 2023 is the most welcome piece of legislation in India. For about 5 years, India had to wait long in line to implement its first data protection law. Finally, we have the DPDP Act published in the Gazette of India.
DPDP Act has its own unique flavour with regard to other standard privacy regulations like the General Data Protection Regulation (GDPR). I am glad that it is not an exact replica of the GDPR with certain changes in terminology. India is a different market altogether and the Indian legislature has recognised this under the DPDP Act.
But the DPDP Act also has its lackings. There are several criticisms at certain points of the law. Also, till the time of this interview, the executive guidelines and prescriptions from the Central Government are awaited. Till then, the DPDP Act can be seen as a base structure. Most of the provisions of the law have been left open for the Central Government to prescribe implementation.
Nonetheless, the DPDP Act is indeed a milestone in the regulatory framework of the new digital India. Privacy is no more a mere concept in India, the DPDP Act has now made it a reality. The DPDP Act, without any doubt, is certainly going to fill the void left due to lack of legislation in the data protection and privacy domain. And this will grow and develop better with time and reforms.
6. Considering the rapid growth of cyberspace in past ten years, why do you think it took India so long to pass a regulating Bill?
India is a different market — economically, demographically, politically, and socially. Yes, the first privacy law of India took its sweet time to arrive, but to establish something as new and unique as the privacy legislation in a market like India was always expected to take its time. I am not saying that the extended delay could not have been avoided, but nonetheless, now we have an applicable privacy law in India.
Why is it new and unique? Because we are not just talking about a law to regulate the regular conduct of the social life, but a new life-form altogether — digital life-form. I personally consider the development of digital space as an evolution of a new life-form, a virtual/online life-form. Apart from our physical presence, everybody in the digital space has his/her own virtual/online life-form. We can also see it as a new dimension of our living being. Hence, data privacy regulation is new and one of its kind because it has to catch up with this new evolution, regulate this new dimension of life-form, and also maintain a bridge between the virtual and real world.
Above all this, considering the size and nature of the Indian market, the delay was expected. But at least now we have a privacy regulation, and thus, we shall all focus on the way forward from here.
7. What is one attribute you look for in interns, and what advice would you provide to the next generation interested in the IT sector?
Be it interns or young lawyers interested in making a career in tech law, the one thing that is most crucial is their passion for tech as well, and not just the law. When you are calling yourself a tech lawyer, you must understand the tech first. You cannot afford to maintain a distance from tech — how will you regulate tech till you do not understand it?
Therefore, one attribute that I look for in such interns or young professionals is how comfortable they are to get out of their shells. Just the interpretation of Bare Act in its linguistic sense by applying what one studied in his/her class on the Interpretation of Statutes is not going to be enough. Any day a person who understands the domain better will come and overpower such a lawyer.
In fact, I have written a detailed post on LinkedIn in this regard. The same can be read here [https://t.ly/QVlQX]
8. Could you provide some advice to our readers, particularly students, on how to perform reliable research, how to improve their research procedures, and how important effective research techniques are in our field?
In the legal field, effective and reliable research techniques are not just important; they are indispensable. By honing your research skills, you not only enhance your own expertise but also get recognition in your area of work/research. Especially in techno-legal fields like data privacy, where the legal landscape is intricately connected with technology, and a deep understanding of both is crucial for informed decision-making and providing sound legal advice, the importance of research grows multifold.
The first and foremost thing while starting a research work on a new topic is to understand the basics first. Only when our basic understanding of the research topic is clear, we can dive deep into the research work and make the research effective. Secondly, I always propagate to reach beyond legal boundaries and get into the subject-matter of the topic while doing the research. If the topic is about tech, do some research about the tech in question, if the topic is based upon social behaviour, study the society first. Also, always use credible and trusted sources to study and take references for the research. Then the choice of keywords in your research paper is also very crucial, not only to draw the attention of the reader, but also for the visibility of your article on the internet nowadays. In the end, a good research paper draws the eye of the readers not just because of its content but also because of its presentation and organised documentation. One last tip to all the students reading this interview is to be patient and continuous in your research. Sometimes you may get stuck at some point for too long, start getting bored of the topic, or start losing your interest midway, but do not stop. Keep pushing yourself and your research work. There is no better happiness than the happiness of creating something. The day your research is completed, your satisfaction and happiness will compensate for all the pain in the journey.
9. Finally, what piece of advice do you have for our readers of SCC?
SCC has been one of the pioneer online resources for research work in the legal field. I remember when I was in college, for every moot court research, article writing, research paper, or any random case study, I used to refer to SCC. I still refer to SCC resources whenever I need to check a credible source of information.
My advice to the readers of SCC would be to plan your next few years diligently and determine what you want to achieve and what you need to do in order to achieve that. Life and profession are all about having clarity and having a vision. Once you know what you want from yourself and start working accordingly, things will automatically start falling into place. And in this journey, you will need support too. Support of your peers, your family, and some credible and trustworthy source of knowledge. I believe since you all are already a reader of SCC, you have got the last base covered. It is time to define your goals, make some effective plans, and start acting.
