The Rights Framework
The Digital Personal Data Protection Act, 2023 empowers individuals with substantive rights over their personal data. These are not aspirational principles but enforceable entitlements. Data Fiduciaries who fail to honour these rights face penalties reaching Rs 250 crore. Understanding and operationalising these rights is therefore a compliance imperative.
The DPDPA grants Data Principals five core rights: access, correction, erasure, grievance redressal, and nomination. Each right creates corresponding obligations for Data Fiduciaries. Let us examine each in detail.
Right of Access
Data Principals have the right to obtain from the Data Fiduciary a summary of the personal data being processed and the processing activities undertaken. This is not merely the right to know that data exists. It is the right to understand what data is held, why it is held, and how it is used.
When an access request is received, you must provide information about the personal data categories being processed, the purposes of processing, the categories of third parties with whom data has been shared, and any other information specified in regulations.
Implement systems to retrieve this information efficiently. A Data Principal should not wait months for a response. While the exact response timeline awaits rules notification, international standards suggest 30 days as a benchmark. Build processes that can meet this timeline consistently.
Verification Challenges
Before responding to an access request, you must verify the requester's identity. Responding to a fraudulent request could itself constitute a data breach. Establish verification procedures that confirm identity without creating excessive burden for genuine requesters.
Balance security with accessibility. Multi-factor authentication, verification questions based on account details, or document submission can all serve verification purposes. The appropriate method depends on the sensitivity of data involved and the context of the request.
Right of Correction and Erasure
Data Principals may request correction of inaccurate or misleading personal data and completion of incomplete data. They may also request erasure of personal data no longer necessary for the purpose for which it was collected, provided the Data Fiduciary is not obligated to retain it under any law.
These rights recognise that data accuracy matters. Incorrect data can lead to incorrect decisions affecting the Data Principal. Outdated data retained beyond its useful life creates unnecessary risk. Enabling correction and erasure serves both individual and organisational interests.
Operational Implementation
Create clear channels for correction and erasure requests. Online forms, dedicated email addresses, or in-app request functions all serve this purpose. The channel should be easily discoverable and simple to use.
When a correction request is received, verify the claimed inaccuracy. In some cases, the Data Principal's assertion alone suffices. In others, supporting documentation may be appropriate. Balance thoroughness with responsiveness.
For erasure requests, assess whether continued retention is legally required. Tax records, employment records, and transaction logs may have statutory retention requirements that override the erasure right. If retention is required, inform the Data Principal of the legal basis for continued retention.
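As an added illustration of the erasure workflow described above (example code, not taken from the original article), the following Python sketch assesses each record for continued purpose and against a constructed statutory retention schedule, erases what may be erased, and returns the legal basis for anything retained so it can be communicated to the Data Principal. The record categories, retention periods and statute names are placeholders, not a statement of Indian law.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule for the example: category -> (years, legal basis).
# Periods and statute names are placeholders, not a statement of Indian law.
RETENTION_RULES = {
    "tax_records": (8, "tax statute (placeholder; confirm with counsel)"),
    "transaction_logs": (5, "financial record-keeping rules (placeholder)"),
}

@dataclass
class Record:
    category: str
    collected: date
    purpose_active: bool  # still needed for the purpose it was collected for

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def handle_erasure_request(records, today):
    """Split a Data Principal's records into those to erase and those retained.
    Each retained record carries the reason that must be communicated back."""
    erased, retained = [], []
    for r in records:
        if r.purpose_active:
            retained.append((r.category, "still necessary for the purpose of collection"))
            continue
        rule = RETENTION_RULES.get(r.category)
        if rule is not None:
            years, basis = rule
            hold_until = _add_years(r.collected, years)
            if today < hold_until:  # retention obligation overrides the erasure right
                retained.append((r.category, f"statutory retention until {hold_until.isoformat()} under {basis}"))
                continue
        erased.append(r.category)
    return erased, retained

def compose_response(erased, retained):
    """Build the response to the Data Principal, which doubles as the audit record."""
    return {
        "erased": sorted(erased),
        "retained": [{"category": c, "legal_basis": why} for c, why in retained],
        "escalation": "You may escalate to the Data Protection Board if dissatisfied.",
    }

def sample_request():
    """Constructed records for one Data Principal, assessed as of 1 June 2025."""
    records = [Record("tax_records", date(2020, 4, 1), False),
               Record("marketing_preferences", date(2021, 1, 1), False),
               Record("transaction_logs", date(2019, 3, 1), False),
               Record("account_profile", date(2022, 1, 1), True)]
    return compose_response(*handle_erasure_request(records, date(2025, 6, 1)))
```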
Right of Grievance Redressal
Every Data Fiduciary must provide a mechanism for Data Principals to register grievances regarding processing activities. This is not optional. The absence of a grievance mechanism is itself a compliance failure.
Appoint a contact person or establish a process to handle grievances. Not every Data Fiduciary is required to appoint a dedicated Data Protection Officer, but someone must be accountable for responding to grievances.
Grievances must be addressed within the timeframe specified in regulations. Maintain records of grievances received, responses provided, and resolution achieved. These records demonstrate compliance with the grievance redressal obligation.
Right of Nomination
A unique feature of the DPDPA, the nomination right allows Data Principals to nominate another individual to exercise their rights in case of death or incapacity. This provision addresses situations where the Data Principal cannot personally exercise their rights.
Implement mechanisms to record and verify nominations. When a nominee presents themselves to exercise rights, verify both the nomination and the triggering event (death or incapacity). Treat the verified nominee as you would the Data Principal for rights exercise purposes.
Building Rights Fulfilment Infrastructure
Rights fulfilment requires dedicated infrastructure. A rights request portal centralises submissions and tracking. Workflow automation routes requests to the appropriate teams. Dashboards provide visibility into request volumes and response times.
Train customer-facing staff to recognise rights requests. A complaint that begins as a service issue may actually be a data access request or correction request. Staff should know how to identify and escalate such requests appropriately.
Response Templates and Procedures
Develop standard response templates for common request types. A template ensures all required information is provided, reduces response preparation time, and maintains consistency across responses.
But templates must be adapted to specific circumstances. A generic response that does not address the particular request will not satisfy the Data Principal and may not satisfy regulators. Use templates as starting points, not final products.
Handling Complex Requests
Some requests are straightforward. Others involve complexities requiring careful analysis. A request involving data shared with multiple third parties requires gathering information from those parties. A request where compliance conflicts with legal obligations requires legal analysis.
Do not let complexity become an excuse for delay. Acknowledge receipt promptly. If a full response will take time, communicate the timeline. Keep the Data Principal informed of progress. Demonstrate that their request is being taken seriously.
Refusal and Appeals
In limited circumstances, you may refuse a rights request. If the request is manifestly unfounded or excessive, or if compliance is prohibited by law, refusal may be appropriate. But refusal requires justification. Document your reasoning and communicate it to the Data Principal.
Inform Data Principals of their right to escalate to the Data Protection Board if dissatisfied with your response. This is not an admission of weakness but a demonstration of commitment to fair process.