Vivek Sasikumar is VP, Engineering at IDfy, bringing over 25 years of experience in the software industry across data science, cloud, and privacy. He leads engineering for Privy by IDfy, India’s first consent governance platform engineered to help businesses comply with the DPDP Act. With a focus on transparency, security, and compliance, Privy streamlines consent collection and enables real-time compliance monitoring, ensuring robust user privacy at every touchpoint and simplifying how enterprises navigate the DPDP Act’s transformative requirements.

In a recent conversation with Tech Disruptor Media, Vivek discussed the rapidly evolving landscape of data protection and compliance in the travel and hospitality sector. Drawing from his leadership in rolling out secure, scalable data architectures at IDfy, he emphasized the dual imperative facing Indian companies: implementing foundational technologies such as encryption and zero trust for ongoing data security, while building dynamic, system-wide approaches for explicit consent and granular compliance. As he explained, “security measures for data stand alone from regulations—but with new laws like the DPDP Act, there’s an added burden for enterprises to automate consent, data inventory, and third-party oversight at scale.” Edited excerpts are below:
The DPDP Act demands robust technical safeguards for data privacy. From your experience, what are the most critical technology implementations—such as encryption, zero trust architectures, or AI-driven audits—that travel and hospitality companies should prioritize to stay ahead of compliance?
There are two parts: the security of the data itself and compliance with regulations. Security measures are essential regardless of regulation. Data must be safeguarded with encryption at rest and in transit. Zero trust architecture means that no device, user, or system is trusted by default. Everything must be authenticated.
For compliance, laws like the DPDP Act and GDPR require explicit user consent for data collection. Blanket consent isn’t allowed. You must specify why the consent is needed, for what purpose, and how long it is valid. Data localization is also an important consideration: whether data is cross-border, who manages it, and whether third-party processors receive it. For example, an online travel agent sending data to an airline needs to minimize risk. Technology and a systems approach are required for both compliance and security.
Beyond traditional methods, which emerging technologies—like homomorphic encryption, decentralized identity, or confidential computing—will have the biggest impact on data privacy in travel tech? How soon can they be operationalized?
These technologies are at different stages of adoption. Confidential computing is already in use to some extent. For example, personal information can be kept out while other information is used to offer recommendations, with personal data stripped out before being sent to the recommendation engine. Many advertising networks already use this; in other areas, it’s still experimental.
Decentralized identity is similar to a passport but intended to be a universal identity document that works globally. There are pilots, but it’s still a few years away from adoption.
Homomorphic encryption allows computing on encrypted data without decrypting it, so the secrecy is maintained. There’s good progress, but it’s still a few years away from practical implementation. Some technologies are being used, others are on the roadmap. We’ll see increasing adoption, but not all will succeed.
AI-driven personalization is key in travel, but the DPDP Act imposes strict rules on automated decision making. How can companies implement explainable AI and real-time consent management without sacrificing customer experience?
There’s concern about disrupting user experience by adding consent steps. Travel platforms want users to complete bookings easily, and extra steps could create friction.
You need to know where all your personal data is, especially given the amount of legacy data. Automated tools should catalog all this data. Companies must seek consent for specific purposes, as the law requires.
Systems need to track consent at scale. For example, before sending a marketing email, confirm the user has given consent for their email to be used for that purpose. This must be automated and work for every data use.
Many travel platforms still rely on legacy systems. What’s your technology roadmap for modernizing data architectures to be both DPDP compliant and agile for future regulations?
First, catalog all data held in legacy systems, which may span generations. Identify where data is stored and whether governance rules, such as masking and encryption, are met. Next, migrate data into modern systems that enforce encryption, masking, and zero trust.
Finally, integrate a consent architecture that collects, records, and applies consent for each purpose. The steps are: catalog old data, modernize securely, and add consent management.
Is there any additional insight or concluding remarks you would like to share?
The DPDP Act is a strong law that protects the rights of data principals. It helps ensure data owners have control and protects data from misuse. Implementation challenges remain, but the law moves things in a positive direction. I look forward to a time when users can confidently share data, knowing exactly how it will be used.