All articles
Data Principal Rights 7 min read 15 July 2026 Primitra

Data Principal Rights Under the DPDP Act: Building a Request-Handling Process Before It's Required

Access, correction, erasure, and grievance redressal: the DPDP Act gives every customer real rights over their data. A practical guide for Indian SMEs on building a process to handle these requests before the obligations take effect.

Data Principal Rights Under the DPDP Act: Building a Request-Handling Process Before It's Required

When people talk about the DPDP Act, the conversation usually stops at consent banners and breach reporting. The part that quietly creates the most ongoing work is different: data principal rights. Under India's Digital Personal Data Protection Act, 2023, every person whose data you hold can ask you to show it, correct it, erase it, or explain what you did with it. Once the core obligations take effect, a customer who emails asking "delete my data" is making a legal request, and you will need a real process to answer it.

The Rules were notified on 13 November 2025, and the government has signalled that the substantive obligations follow in stages, with a target of around 13 May 2027 for full effect. Most Indian SMEs don't have a rights process today. Here's what these rights are, and how to build the machinery to handle them without hiring a legal team.

What "data principal rights" actually means

A data principal is the individual the data is about. A data fiduciary is you: the business deciding why and how that data gets used. The Act gives the data principal four practical rights you'll deal with regularly.

Right to access means they can ask for a summary of the personal data you hold about them and what you've done with it, including who you shared it with. Right to correction and erasure means they can ask you to fix wrong data, complete incomplete data, or delete data you no longer have a lawful reason to keep. Right to grievance redressal means they can complain to you first, and you must have a way to receive and resolve that complaint before they escalate to the Data Protection Board of India. Right to nominate means they can name someone to exercise these rights on their behalf if they die or become incapacitated.

There's a matching duty most businesses forget. Withdrawing consent has to be as easy as giving it. If your signup form takes one click, your "stop using my data" option can't be buried in a three-week email chain.

Why start now if the deadline is still ahead

Two reasons. First, the timelines are staged, not simultaneous. The Rules were notified in November 2025, the Consent Manager registration framework is expected to become operational around November 2026, and the substantive obligations follow after that. Building a rights process is slow work that touches your systems, so the real runway is shorter than the 2027 date suggests.

Second, the penalties are not symbolic. The Act allows financial penalties up to ₹250 crore per instance for serious failures. A single mishandled erasure request won't trigger the top number, but a pattern of ignored requests is exactly the kind of thing a regulator notices. Getting the process right early costs far less than retrofitting it under scrutiny.

The five things your process needs

You don't need enterprise software. You need a repeatable path from "request received" to "request closed." Here is the skeleton.

One front door. Publish a single contact point for privacy requests: an email such as privacy@yourcompany.in plus a short web form. If requests arrive through five different channels, three of them will get lost.

An identity check. Before you act, confirm the person is who they claim to be. A request to delete "all my data" from someone you can't verify is a security risk, not a compliance win. Match against the email or phone number on file, and ask for a second identifier when something looks off.

A data map. You can't hand someone their data if you don't know where it lives. List your systems: CRM, billing, email marketing tool, support desk, and the spreadsheets sitting on someone's laptop. This map is the single most useful artifact you'll build, and it feeds your breach response too.

A clock. Decide your internal turnaround time and write it down. The Act expects requests to be answered within a reasonable period, and you'll want to respond well before anyone thinks to complain. A working target of two to three weeks keeps you safe and sets expectations for your staff.

A log. Record every request: who asked, what they wanted, when you responded, and what you did. If the Board ever asks how you handle rights, this log is your evidence. Without it, you're relying on memory.

Where SMEs get tripped up

The most common failure isn't refusing a request. It's a slow answer combined with incomplete deletion. Someone asks to be erased, your CRM record goes, and their email address quietly lives on in your newsletter tool for another year. That gap is real exposure, and it's why the data map matters more than any policy document.

The second trap is treating erasure as absolute. You can, and sometimes must, keep certain data despite a deletion request, for example records you're legally required to retain for tax or other regulatory reasons. The right answer is to delete what you can, keep only what the law requires, and tell the person which is which. Silence looks like non-compliance.

The third is having no owner. If nobody at the company is named as responsible for privacy requests, the default owner becomes "whoever opened the email," and that person changes every week. Even a small business benefits from naming one person, and larger firms should look at formal Data Protection Officer support.

A sensible first step

Before drafting any policy, do the boring part. Sit down for an afternoon and write out every place your business stores personal data and who has access to it. That one exercise tells you how hard access and erasure will actually be, and it doubles as the foundation for a privacy impact assessment. Once you can see your data, the rights process is mostly plumbing.

If you'd like a structured starting point, our DPDP compliance checklist walks through the readiness steps in order, and you can talk to us about mapping your specific systems.

This article is general guidance and reflects the DPDP Act, 2023 and the DPDP Rules, 2025 as understood at the time of writing. It is not legal advice. For obligations specific to your business, get in touch through our checklist or contact page.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation