Privacy compliance is the easy part. Nobody warns you about what comes next.

Let me guess.

You know what the GDPR says. You've read every DPDPA summary that hit LinkedIn in 2023. You've bookmarked the EU AI Act explainers. You might even be the person writing those explainers.

And yet — your privacy program is still on fire.

Your DPIA process exists on paper. Nobody follows it. You're the only person losing sleep over a vendor contract missing a data processing clause. You've inherited something called a "privacy program" that is, on closer inspection, a policy document and a prayer.

I know. Because I've been exactly where you are.

I'm Devika Subbaiah. I work in Privacy Operations and AI Governance — not as a consultant who lands with a framework and disappears before implementation begins. I sit inside the function. Inside the organisation. Inside the mess. And every single day, I try to make privacy actually work.

Here's the thing nobody tells you when you take this job:

The law is the easy part.

You can read it. Interpret it. Explain it confidently at a conference. But knowing Article 7 of the GDPR doesn't help you when engineering ships a feature that should have gone through a DPIA three sprints ago. Section 8 of the DPDPA doesn't prepare you for the business stakeholder who says consent management is "a product problem, not a legal one." And the EU AI Act tells you nothing useful when your AI vendor can't answer a single question about their training data.

Practical implementation is a completely different game.

New problems arrive daily. Frameworks lag behind reality. And somewhere in the middle of all of it, you're expected to have answers.

That's why this site exists.

Not to explain what the law says — there's no shortage of that. But to talk honestly about what you actually do with it. How you build a privacy function that doesn't collapse when you're not in the room.

How you get engineering to care. How you govern AI when the technology is moving faster than any regulator can type. How you handle the unglamorous, under-documented, nobody-prepared-you-for-this reality of privacy operations.

If you're a privacy manager building from scratch, a GRC lead navigating AI governance, or someone handed a compliance mandate with no playbook — you're in the right place.

Subscribe below. I write when I have something worth saying.

In this field, that's pretty much all the time.