Dealing with Data Subject Requests Under the DPDP Act, 2023

A. Introduction

The Digital Personal Data Protection Act, 2023, has shifted the privacy compliance landscape for businesses in India in a rather fundamental way. One of the more immediate areas of operational consequence is the legal recognition of what the Act calls “requests by Data Principals”. Commonly understood in global practice as data subject rights, these are not vague or optional anymore. The statute now mandates formal mechanisms for recognising and responding to such requests, and companies failing to comply risk enforcement from the newly constituted Data Protection Board of India.

To put it simply, the law allows individuals to approach businesses, particularly those designated as Data Fiduciaries, for specific actions concerning their personal data. These include:

Accessing the information a company holds about them;
Asking for errors or outdated entries to be corrected;
Requesting deletion of their personal data where retention is no longer necessary;
Lodging a grievance if their request is mishandled or ignored; and
Appointing a nominee to act on their behalf under certain circumstances.

These rights were not entirely new concepts, but their enforceability under Indian law had so far remained patchy. Now, with DPDP Act 2023 compliance becoming a regulatory necessity, businesses need to realign how they manage such requests internally, from tracking timelines to setting up user-facing request portals.

In effect, the process of dealing with data subject requests in India is no longer something that can be handled on an ad hoc basis. Whether a company is a fintech platform or a B2B SaaS firm, it must have defined protocols for how to handle data requests, along with internal SOPs to fulfill data fiduciary obligations in India. Failure to do so doesn’t just affect trust; it now invites penalties. And these penalties, in many cases, may not be insignificant.

B. Types of Data Subject Requests Under The Act

Once the identity of a Data Principal is legally established, the next compliance checkpoint is recognising what specific rights they can exercise. Unlike earlier frameworks (like the IT Rules), the DPDP Act now gives teeth to privacy rights in India. This is where most organisations are struggling because the time window to comply is short, and the operational readiness is often lacking. Read our other article: Legal Compliances for Startups in India: A Practical Checklist for Founders

Right to Access Information

Every Data Principal has the right to know what personal data is being processed about them, why it is being processed, and with whom it has been shared. This forms the foundation of transparency obligations.

Companies must prepare to respond to such right to access personal data requests by ensuring:

Proper indexing of personal data per individual.
Categorisation of purpose (e.g., marketing, KYC, payroll, etc.).
Logs of shared data (especially with third parties or vendors).

No generic or templated response will suffice because the law anticipates granular disclosures.

‍Right to Correction, Completion, and Updating

Section 12(1)(b) allows a Data Principal to require correction or completion of any inaccurate or misleading personal data. This right covers everything from contact details to profiling inaccuracies.

For example:

If an e-commerce portal lists a user’s old address and fails to correct it, it can’t later deny liability if a package is misdelivered.
A fintech company storing outdated credit scores without flagging updates may be exposed to breach of fairness obligations.

Operationally, this means companies must build correction workflows, not just data entry systems.

‍Right to Erasure of Personal Data

A commonly misunderstood right. Erasure is allowed when:

The data is no longer necessary for the stated purpose.
Consent is withdrawn; and
The processing itself was unlawful.

However, the right is not absolute. There are exceptions, like retention may still be required under tax, contract, or law enforcement purposes. Still, the onus to justify continued retention lies with the data fiduciary in India and not the user.

‍Right to Grievance Redressal

If a request is ignored, mishandled, or unreasonably delayed, the individual has the right to data correction through complaint. Each Data Fiduciary is required to set up a grievance officer or mechanism.

Common complaints include:

Not acknowledging a valid request;
Partial/incomplete responses; or
Delay beyond statutory limits (usually 7 working days for acknowledgement).

Grievance mechanisms are now part of the minimum DPDP Act 2023 compliance posture, as ignoring them can trigger an inquiry by the Board.

‍Right to Nominate (Posthumous Requests)

A forward-looking provision, Section 14 of the Act allows a Data Principal to nominate another individual to act on their behalf in case of death or incapacity.

To comply with such requests:

Businesses must request nomination documentation; and
Ensure logs are updated (i.e., the request came from the nominee, not someone else).

Few companies have this built into their SOPs currently, but it will likely become a standard ask in sensitive sectors like banking and healthcare.

C. Who Is A Data Principal Under The DPDP Act?

Before diving into compliance processes, it’s essential to settle one fundamental point: Who exactly is the person making the request?

This might sound obvious, but under the Digital Personal Data Protection Act, 2023, the legal position is slightly more layered. The Act introduces the concept of a “Data Principal”, but this is not just any individual sending an email or clicking a form. The statute assigns specific rights to this party, and unless that person qualifies under the definition, the obligations under the Act don’t trigger.

Now, most businesses assume it’s simple: if someone says “I want my data,” you provide it. But under the law, it’s not about what the person says—it’s about whether they meet the definition and whether your systems can verify that. In short, identifying the Data Principal is the very first compliance checkpoint in dealing with data subject requests in India.

Legal Identity and Eligibility

Under Section 2(j) of the Act, a “Data Principal” is defined as the individual to whom the personal data relates. Not their employer. Not their spouse. Not their lawyer (unless authorized). It must be the individual in question or someone expressly permitted under law to act on their behalf.

In cases of minors or persons with disabilities, the Act recognises the lawful guardian as the Data Principal. That’s a practical solution, but also one that creates documentation requirements most companies are not used to dealing with. If you’re building a workflow for how to handle data requests, the starting point is to assess who you are dealing with. Note also that it doesn’t matter whether the person is your customer or not. If you’re storing their personal data, they become a Data Principal. Whether there’s a contract in place is irrelevant. That’s a big shift from earlier assumptions under IT rules.

Implications for Data Fiduciaries

This definition places the onus squarely on businesses to build internal systems that know who is making a valid request. And yes, this includes cases where you’re processing data for someone else, as a vendor, a payment aggregator, or even a franchisee. The individual’s rights don’t vanish just because you’re not the front-end brand.

Let’s say you run payroll for a group company, and the employee reaches out for a data correction. Even if you don’t have a direct employment relationship, your role as a data fiduciary under India’s DPDP regime means you must either act or, at the very least, respond through a formal workflow. This is not customer service anymore. This is legal compliance.

Representative Requests: Not Every “Proxy” Counts

Now here’s where things get trickier. Not everyone who claims to “act on behalf” of someone else can validly submit a request under the DPDP Act.

There are only three kinds of legally recognised representatives:

Parents or guardians for minors;
Court-appointed representatives for incapacitated persons; or
Nominees—designated in writing—when the Data Principal is deceased or unable to act.

And here’s the issue. In real-world scenarios, requests often come from spouses, family members, or colleagues, many of whom believe they’re acting in good faith. But under the Act, that’s not enough. If you process such a request without proper authority, you might actually be breaching someone else’s data rights. The reverse is true too. If you deny a valid nominee their right, you risk violating the right to access personal data under Section 11 of the Act. So the only safe way forward is documentation. You ask for proof. You verify identity. You log that process. And only then do you proceed. That’s part of the operational expectation now under DPDP Act 2023 compliance.

Here’s a quick working table that might help your internal teams:

Relationship Claim	Supporting Proof Required	Can Make Requests?
Parent of a Minor	Parent’s ID + child’s birth certificate	Yes
Nominee (after death)	Nomination document + Death Certificate	Yes
Legal Guardian (court order)	Guardianship Certificate or disability proof	Yes
Spouse (no nomination given)	Marriage proof only	No
Sibling or Colleague	None	Not valid

Keep in mind, this isn’t exhaustive, but it’s the minimum filter you need if you’re serious about how to handle data requests within the new statutory framework.

D. Legal Framework & Interpretation

The DPDP Act, 2023, didn’t arrive in isolation. It’s the result of a long-standing policy vacuum in India’s digital landscape, now finally being addressed through a formal legal structure. That said, reading the Act in isolation doesn’t always offer the full picture. The rights of the Data Principal and the obligations imposed on companies need to be seen in the context of both the DPDP statute itself and the larger ecosystem of Indian tech regulation.

Relevant Sections of the DPDP Act, 2023

To begin with, if you’re trying to understand how to handle data requests within the bounds of the law, your reference points in the statute will likely revolve around four primary sections:

Section 11: Lays out the Data Principal’s right to obtain access to their personal data, the nature of processing, and the categories of entities it is shared with. This is essentially the foundation of the right to access personal data.
Section 12: Provides for the right to data correction, completion, updating, and erasure, subject to conditions. Importantly, the erasure right is not absolute.
Section 13: Establishes grievance redressal rights and internal timelines for fiduciaries to respond. Notably, silence is considered non-compliance.
Section 14: Introduces the nomination rights, a relatively new concept in Indian data protection law. It allows a Data Principal to designate another individual to exercise rights on their behalf in case of incapacity or death.

It is worth pointing out that these rights aren’t aspirational. The law is drafted to be enforceable. That means there’s a statutory obligation; companies can’t just defer it to a “policy review cycle” or say it’s under evaluation.

Interplay with Other Indian Laws

Here’s where most internal legal teams get tripped up: the DPDP Act does not repeal or override sector-specific laws. It works in tandem with them. So, depending on the nature of your business, you may be operating under parallel obligations.

Examples include:

The Information Technology (Reasonable Security Practices and Sensitive Personal Data) Rules, 2011, which still apply to data security until explicitly replaced.
RBI’s Master Directions for NBFCs and Payment Aggregators impose additional conditions on storing and processing financial data.
SEBI’s regulations on investor data, KYC norms, and log retention.

What this means is that if your team receives a request to erase data, and that data is still required to be retained under an RBI circular or income tax law, you may be justified in refusing. But you’ll still need to inform the Data Principal why the erasure cannot proceed. A blank refusal, or worse, no response, is still a breach of DPDP Act 2023 compliance. So, in practice, legal teams need a layered reading and not just of the Act itself, but how it sits with other codes, notifications, and circulars. Otherwise, there’s no way to determine if a request is valid, excessive, or premature.

Cross-Border Applicability and Limits

An often-ignored aspect is the cross-border element. Yes, the DPDP Act has extraterritorial application. That means a company operating outside India but offering goods or services to Indian users can still fall within its scope. In theory, a US-based SaaS provider processing data of Indian residents must respond to data subject requests in India if the law applies to them.

But enforcement challenges remain. The Data Protection Board of India’s reach outside Indian jurisdiction is not yet well-tested. However, this shouldn’t be taken as a loophole. Indian partners, intermediaries, or vendors that contract with foreign controllers may be held liable. So, if you’re a data processor in India acting for a global client, ignoring such requests may invite regulatory heat even if the principal entity is offshore.

That’s why many forward-looking companies are choosing to align with the stricter standard as a default to pre-empt litigation, avoid penalties, and maintain goodwill. Which brings us to the next point: what does the law actually require of companies designated as Data Fiduciaries?

E. Obligations Of Data Fiduciaries In India

It’s not enough to just receive a request. The more critical issue is what the organisation is legally required to do once a request comes in. Under the DPDP regime, this falls primarily on the shoulders of the “Data Fiduciary.” The term is broad, and so are its obligations. This isn’t just a policy document; it’s a compliance action list.

Defining the “Data Fiduciary” Role

As per Section 2(i) of the Act, a “Data Fiduciary” is any person who determines the purpose and means of processing personal data. That includes businesses of all sizes; startups, hospitals, e-commerce companies, aggregators, and even NGOs. If you collect user data and make decisions about it, you’re a fiduciary. Simple as that.

Now, the term sounds technical, but the obligations are practical. You must:

Enable users to exercise their rights (via email, portal, or otherwise)
Respond to requests within a reasonable time
Maintain logs of how the request was processed

And if you’re a significant Data Fiduciary, based on volume, sensitivity, or risk, you’ll also need to appoint a DPO and conduct regular audits. So the bar keeps rising, depending on your profile.

Record-Keeping, Disclosure & Timelines

Let’s get real: the biggest challenge with DPDP Act 2023 compliance isn’t understanding the law. It’s operationalising it.

If someone raises a request today, does your team:

Know who owns that data internally?
Have access to the full data history?
Know whether there are third parties to notify?
Know if there are exemptions that apply?
And how fast can this all happen?

The Act doesn’t fix a hard deadline across all types of requests, but general expectations from other global privacy regimes (like GDPR) suggest acknowledgement within 7 working days and resolution within 30. Companies that delay without justification may be reported to the Data Protection Board, with reputational and financial consequences.

What you’ll need is a structured system, possibly a ticketing or logging mechanism, that allows your team to trace the lifecycle of a data subject request from intake to closure.

Responding to Vexatious or Excessive Requests

One common concern is abuse. What if the same individual keeps asking for the same records? Or demands archival logs that don’t exist anymore?

The Act does allow refusal of “vexatious” or “excessive” requests, but that’s not a free pass. It must be:

Documented with reasons (i.e., repetitive, unjustified);
Communicated in writing; and
Ideally approved by a designated internal officer (e.g., DPO).

You can’t just label a user difficult and ignore the request, nor can you claim something is excessive without baseline SOPs. If the request falls outside your record retention policy, that’s one thing. But if you don’t have a written policy, that defence won’t hold up. Also, companies must remember that even if a request is refused, the right to data correction and the right to access personal data still apply in broader terms. One invalid request doesn’t cancel the entire relationship.

Here’s a simple reference table your compliance or DPO team can maintain:

Request Type	Timeline for Action	Can Refuse?	Notes
Access to personal data	Within 7–30 days	Rarely	Must justify delay with legal or security reasons
Correction or update	Prompt, no fixed day	No, unless false	Burden of proof on Fiduciary for inaction
Erasure request	Case-by-case	Yes, if exempt	Must notify Data Principal with reason
Repeat requests (same data)	Internal discretion	Yes	Must log refusal and track pattern

Standard Operating Procedure For Handling Requests

You’ve read the law. You’ve reviewed your privacy policy. But when an actual data subject request lands in your inbox, what happens next?

This is the part many companies are underprepared for, not because they don’t want to comply, but because they haven’t built a system for doing it properly. One-off emails or Excel sheets don’t cut it anymore. Under the DPDP Act 2023 compliance framework, the expectation isn’t just that you acknowledge a request. You must be able to demonstrate a clear, documented, traceable process that was followed from start to end.

Internal Workflow Design (Receipt, Routing, Closure)

The first thing every organisation needs is a flow. Not a fancy app (though that helps), but a defined process: What happens when a request comes in?

A good internal workflow generally has five stages:

Request Receipt: Whether through email, online portal, or offline letter.
Initial Validation: Is this from a verified Data Principal?
Routing: Forward to the appropriate business unit or DPO.
Substantive Review: Pull records, verify scope, check exemptions.
Closure: Fulfill, refuse, or explain why further steps are needed.

Ideally, your IT and legal teams should jointly maintain this map. If you don’t have a routing system, requests can end up in generic mailboxes or with people not trained in how to handle data requests. That’s where errors and violations start.

Identity & Consent Verification Protocols

Many businesses forget this step, but verifying identity isn’t optional. Before you release or erase someone’s personal data, you have to know you’re dealing with the right person. This is particularly critical when fulfilling the right to access personal data.

Here’s what usually works:

If a request is made online: Email OTP linked to registered account, plus screenshot of user dashboard (if applicable).
If the request is offline: Photo ID matching data records + signed declaration.
If made by nominee/representative: Death certificate or proof of disability + nomination letter or guardianship order.

If you skip this step and release data to the wrong person, you’ve just created a separate data breach. So, as part of your workflow, build in identity checks before any action is taken.

Timelines and Format of Response

The law doesn’t give a uniform deadline, but general practice (and implied expectations) suggest the following:

Acknowledgement: Within 7 working days;
Full response or closure: Within 15–30 days, depending on complexity; and
Delays beyond 30 days: Must be explained and logged.

Your response should not be vague. For the right to data correction, for instance, don’t just say “updated”, specify what was corrected, and when. And for erasure, confirm whether data has been deleted, anonymised, or retained under an exemption.

Where possible, responses should be sent in the same channel through which the request was received—unless the Data Principal asks otherwise.

Language, Accessibility, and Logging

Under data fiduciary obligations in India, there is a baseline expectation of accessibility. If you serve multilingual users, offer templates in at least English and one other Indian language.

Also, make sure your team keeps a log. Every request, whether fulfilled, denied, or delayed, should be recorded with:

Date of receipt;
Identity proof received.
Action taken and by whom; and
Final response sent (with copy).

This forms your defence file in case of any dispute. If a complaint is filed with the Data Protection Board, you’ll need this trail to prove that you acted in good faith, followed procedure, and respected the DPDP Act 2023 compliance standards.

Here’s a sample table you can adapt for internal tracking:

Stage	Responsible Team	Document/Action Required	Timeline
Request Intake	Customer Support / DPO	Email receipt or form log	Day 0
Identity Verification	DPO / Legal	ID proof, guardianship, nomination docs	Within 2 days
Internal Routing	Ops / IT / HR	Fetch records, confirm processing scope	Day 2–5
Response Drafting	Legal / Data Owner	Factual disclosure or justified refusal	Day 5–20
Final Closure	DPO / Legal	Send written response, archive records	Day 7–30

F. Exemptions & Grounds For Refusal

Now, let’s be clear. Not every data subject request must be accepted blindly. The DPDP Act recognises situations where data must be retained even against a user’s wishes, or where responding to a request would harm public interest, national security, or legal investigation.

This is where nuance comes in. You can’t claim exemptions casually, but you also don’t have to comply when you’re not legally required to. The key is knowing where those boundaries lie and how to document your reasoning when you push back.

Exemptions Under Section 17

Section 17 of the Act provides explicit carve-outs where data rights may be restricted. These include situations where:

Disclosure would prejudice the national security, sovereignty, or integrity of India;
The data is processed for the prevention, detection, investigation, or prosecution of any offence or breach of law;
The data is necessary for enforcing legal rights or claims; and
The processing is mandated by law (e.g., tax filings, banking KYC, SEBI/RBI obligations).

If your company is served with a request to delete or share data that is legally required to be retained, for instance, a record mandated under the Companies Act, you may lawfully refuse. That said, refusal must be proportionate and reasoned. You’re expected to explain the legal ground for refusal to the Data Principal. Simply citing “internal policy” or “business discretion” won’t hold.

Sectoral Carve-outs (Law Enforcement, Tax, National Security)

In certain sectors, businesses are routinely required to retain personal data for statutory timeframes. Here are some practical examples:

Sector	Law/Regulation	Mandatory Data Retention Requirement
Banking	RBI Master Directions	5–10 years for KYC & transaction data
E-Commerce	Income Tax Act + GST laws	6 years for billing, user identity
Healthcare	Clinical Establishments Act, state rules	3–7 years for patient records
Telecom	DoT License conditions	CDRs retained for 1 year minimum
Securities	SEBI Circulars	Client data for minimum 5 years

So even if a user requests erasure under their right to data correction or deletion, you may still be required to keep the data intact. But again, your refusal must cite the relevant statute and be documented internally.

Grounds for Lawful Delay or Rejection

Sometimes the issue is not exemption, but feasibility. A request may be lawful in theory but not possible in practice due to technical or operational limitations.

Here are common (and acceptable) reasons for delay or refusal:

Identity mismatch (ID doesn’t match stored records);
The request is vague or lacks necessary detail.
Request is repetitive or abusive (e.g., 20 emails in 3 days);
Data has already been erased or anonymised; or
Retention required under another Indian law.

What doesn’t qualify:

Lack of manpower;
Backend vendor is not responsive, and
Statements like “We’re still building our compliance team”.

These are not grounds for denial. Under data fiduciary obligations in India, companies must prepare ahead, not use under-preparedness as an excuse.

At a minimum, any refusal must:

Be communicated in writing;
Specify the statutory or operational reason; and
Offer a grievance path (e.g., DPO contact or redressal portal)

Even if you’re denying the request, your duty to inform and explain continues. Transparency is not optional; it’s part of baseline DPDP Act 2023 compliance.

G. Penalties & Regulatory Enforcement

Even with the best of intentions, there are moments when things slip, timelines are missed, requests get overlooked, internal routing fails, or someone simply doesn’t know what’s expected of them. The DPDP Act, 2023, anticipates this. But it also makes one thing clear: excuses are not a defence. The law introduces a regulatory framework that isn’t just reactive, but enforceable in real terms. So if your business is still treating data subject requests in India as an IT ticket or informal favour to the user, it’s time to reframe that thinking.

Financial Penalties under Schedule I

The Schedule appended to the Act sets out specific penalty amounts for different types of contraventions. These are not nominal. They’ve been pegged in crores for more serious breaches, and even first-time violations may trigger formal action.

Here’s a snapshot of potential liabilities linked directly to request mishandling:

Nature of Non-Compliance	Maximum Penalty Prescribed
Failure to respond to a valid request	₹50 crore
Delay or neglect in grievance redressal	₹25 crore
Non-fulfilment of erasure/correction obligations	₹10 crore
Lack of reasonable security safeguards (resulting in breach)	₹250 crore
Non-compliance with Board directions	₹150 crore

Not all breaches will attract the ceiling amount, but this table should give you a sense of how the legislature intends to enforce DPDP Act 2023 compliance in practice. The key variable here is “gravity”, the more intentional or negligent your conduct, the higher the exposure.

Role of the Data Protection Board of India (DPBI)

The DPBI is not a passive adjudicator. It’s been set up with quasi-judicial powers to initiate inquiries, summon documents, pass orders, and even recommend audits. If a Data Principal raises a complaint that their right to access personal data was denied or delayed, the Board can take suo moto cognisance.

Here’s what usually happens post-complaint:

A notice is issued to the company to explain non-compliance.
The entity is required to submit logs, correspondence, and internal SOPs.
The DPBI may hold oral hearings or examine whether there was wilful default.
A penalty order is passed, or in some cases, remedial directions are issued.

Many smaller firms assume they won’t be scrutinised because they’re not “big players”. That assumption is dangerous. Complaints can be initiated against any entity, so long as the individual shows that their data fiduciary obligations in India were ignored.

Illustrative Scenarios of Breach or Delay

Let’s walk through a few examples that typically fall into the risk zone:

Scenario 1:
A startup receives an erasure request from a former user but doesn’t act on it. Three months later, marketing emails are still being sent to the same user. The individual files a complaint. The Board finds that no action was taken due to a lack of process. Result: Show cause notice + ₹5–₹10 crore penalty.

Scenario 2:
An e-commerce platform refuses access to personal purchase history without offering any justification. The team had assumed data can’t be shared due to “backend constraints”. The DPBI holds that technical incapacity is not a lawful defence under the right to access personal data.

Scenario 3:
A hospital deletes patient data on receiving an erasure request, even though the Clinical Establishments Act requires it to be retained for 3 years. The deletion is found to be illegal. Penalty not just for wrongful erasure, but also for breach of medical record-keeping norms.

G. Role of Data Protection Officer (DPO)

A lot has been said about systems, SOPs, and compliance logs. But someone has to actually run that engine, and that’s where the DPO comes in. While the DPDP Act does not mandate a DPO for all entities, those classified as Significant Data Fiduciaries are required to appoint one. And even smaller companies are now starting to voluntarily assign this role to avoid downstream risks.

Legal Mandate and Delegated Responsibility

The DPO is not just a technical role. It’s a statutory officer expected to:

Serve as the primary point of contact for Data Principals.
Coordinate internal data access, correction, and grievance workflows.
Liaise with the Board in case of complaints or investigations.
Ensure that DPDP Act 2023 compliance is not just a policy; it’s practised.

Under Section 10(2) of the Act, the DPO must be based in India, must report to the Board of the company (not just the CTO or Head of Ops), and must not have conflicts of interest. That last point is key. Your DPO cannot be someone whose incentives are tied to suppressing data risks.

Interfacing with the Data Principal and DPBI

Think of the DPO as a bridge. On one end is the user raising a request for deletion, correction, or access. On the other hand, your tech, legal, ops, and vendor stack. The DPO’s role is to make that bridge walkable.

This includes:

Sending acknowledgement of data subject requests in India;
Reviewing internal logs and identifying where the data resides;
Determining whether there’s any exemption that justifies refusal; and
Drafting or approving the final response sent to the user.

If a complaint escalates to the Board, the DPO is also the one who responds, appears, and defends the company’s action or inaction. This is why the DPO cannot be a token appointment. If you want real compliance, not checkbox policies, you need someone with both legal fluency and operational authority.

Documentation, Audit Trails, and Reporting Structures

Finally, let’s talk paper trail. The DPO should maintain a centralised register of:

Requests received (with date, channel, and nature);
Identity verification steps completed.
Action taken (with timestamp, team involved, and format of disclosure);
Exceptions invoked and legal grounds cited; and
Any grievance escalation and outcome.

This record should be audit-ready. It’s your legal defence file, should the Board—or a court—ask for evidence that you fulfilled your data fiduciary obligations in India.

Also, it’s good practice to generate internal reports, monthly or quarterly, on:

Volume of requests received;
Time taken to resolve.
Number of denials with reasons; and
Pending cases, if any.

These reports should go to senior management or the Board to ensure top-level visibility. After all, data governance is no longer just an IT issue. It’s a business risk.

Technical And Organizational Measures For Compliance

Reading the law is one thing. Operationalising it inside a business is a whole other matter. The DPDP Act, 2023, doesn’t just require companies to “respect” the rights of individuals; it expects them to build the machinery to support it.

And here’s where most compliance strategies fall short: they focus too much on policies, and too little on infrastructure. You can have the best-written privacy notice in the world, but if your backend can’t locate, correct, or delete personal data, you’re still in violation. That’s the reality of the modern DPDP Act 2023, compliance.

Request Management Portals

Let’s begin with the obvious: if you’re serious about handling data subject requests in India, you need a system, not an inbox.

What works well in practice is a dedicated Request Portal. This may be:

A standalone form on your privacy or help page;
A dashboard feature within the user’s account; or
A chatbot-enabled intake with predefined options.

At a minimum, the portal should:

Accept requests for access, correction, erasure, or grievance ;
Collect ID documentation securely.
Auto-tag the request type for backend routing; and
Generate a reference number and email acknowledgment

Without this structure, you’ll soon find your legal and ops teams drowning in vague emails and without audit-ready evidence of how to handle data requests.

Data Mapping and Classification Systems

Here’s the thing no one likes to admit: you can’t fulfil a request if you don’t know where the data lives. This is why data mapping is no longer a GDPR-only exercise. Even under data fiduciary obligations in India, businesses must know:

What categories of personal data do they hold?
Where that data resides (servers, cloud, SaaS tools).
Who owns each dataset internally?
Who they’ve shared it with (vendors, affiliates, processors).

Tools like RoPA (Record of Processing Activities), tagging software, and data lineage reports can all support this. You don’t need to over-engineer it—but you do need a spreadsheet or system that shows, for instance, which department controls mobile numbers and who manages consent logs.

Logging, Escalation, and Internal Controls

Most data request mishandling occurs not from malice, but from slippage. A request gets routed incorrectly. Someone forgets to verify identity. An exemption is misapplied. These aren’t legal errors—they’re control failures.

Which is why you need an internal system that:

Logs each request with time stamps;
Escalates complex cases to the DPO or legal;
Locks down high-risk fields from accidental deletion; and
Flags delays that exceed defined thresholds.

Here’s a basic format you can adapt:

Request ID	Type	Received On	Escalated?	Resolved On	Notes / Exceptions
#5471	Access	03-Apr-2025	No	07-Apr-2025	Disclosed summary only
#5493	Erasure	05-Apr-2025	Yes	22-Apr-2025	Partial refusal (tax data)
#5521	Update	08-Apr-2025	No	09-Apr-2025	Address corrected

Audit teams and the DPO should be able to review this log without digging through emails or Slack messages. That’s how mature compliance looks.

Use of Consent Managers and Third-Party Processors

This part often gets missed. Not all data lives within your direct control. In many setups, consent is collected by one party, processed by another, and stored by a third.

So, if you receive a user request, how do you coordinate all of that?

That’s where consent managers and processor agreements come in. You need to:

Ensure your Consent Manager APIs (if applicable) can withdraw or update consent in real time;
Include data subject rights fulfilment clauses in your processor contracts.
Notify vendors when access, correction, or erasure is requested; and
Get written confirmation from processors when deletion is executed.

You are still accountable even when a processor does the actual work. That’s the legal expectation baked into data fiduciary obligations in India.

H. Best Practices & Checklist For Businesses

By now, it’s probably clear. Compliance isn’t something you “install”. It’s a posture. And the difference between a business that survives scrutiny and one that gets penalised usually lies in the small things like documentation, awareness, speed, and consistency. This section outlines practical, real-world steps your team can adopt to go beyond mere formality.

7-Step Checklist for Readiness

Appoint a Data Request Coordinator or DPO, even if not required statutorily.
Create a Data Request SOP (internal document) with timelines, samples, and an escalation matrix.
Set up a centralised request intake method, form, email, portal, or dashboard feature.
Build a data map with owners assigned to each data type.
Train customer-facing teams on what not to say (“We can’t help you” ≠ compliant).
Maintain a request-response log with fields for ID, date, action taken, and exemption.
Prepare template replies for the most common request types—access, update, erasure, refusal.

Following this list won’t guarantee zero penalties, but it will definitely give you a strong legal defence when tested.

Model Format for Subject Request Response

Here’s a human-readable sample you can adapt. It works well for an access request and can be modified for other use cases.

Subject: Response to Your Personal Data Request (Mention the Reference Number)

Dear [Name],

We acknowledge receipt of your request dated [DD/MM/YYYY] under the DPDP Act, 2023, seeking access to your personal data.

After verifying your identity, we have located the following data associated with your account:

Name: [Full Name]
Mobile Number: [Redacted]
Email: [Redacted]
Transactions: [List or summary]
Data shared with: [Vendor 1, Vendor 2, etc.]

You may request correction or erasure by replying to this email.

Regards,
Data Protection Officer
[Company Name]

Staff Training and Internal SOP Templates

Lastly, the human factor. Most data subject requests in India will first hit your support or helpdesk team. If they don’t know what to do, you lose critical time.

So run live training, not just recorded modules. Include:

Red-flag words (“urgent”, “legal”, “request under DPDP”);
How to escalate to the DPO;
What not to commit in writing; and
Where to find internal response templates.

Your SOP manual should also include:

A triage matrix (access/correction/erasure/grievance);
FAQ for internal teams (Can we charge a fee? What if it’s anonymous?); and
Language templates in English + 1 regional language.

These are your front-line defences. The best policies fail if your staff fumbles the basics.

Conclusion

Complying with the DPDP Act 2023 isn’t about printing a privacy policy and hoping for the best. With the law now in force and enforcement bodies in place, organisations, big or small, must treat personal data governance with the same seriousness as tax filings or legal disclosures.

Summary of Key Takeaways

The rights under the DPDP Act are enforceable—not aspirational.
Any business that processes personal data in India must honour the right to access personal data, correction, erasure, and redress.
These requests are now procedural—timelines, documentation, and verification are critical.
Ignoring a valid request or handling it casually can attract financial penalties as high as ₹50 crore.
Whether you’re a startup or an MNC, your internal playbook on how to handle data requests must be ready and testable.
Data mapping, request portals, DPO reporting, and audit logs are no longer “best practices.” They’re table stakes for staying compliant.

Importance of Preventive Compliance

The companies that will survive the next wave of enforcement are not those with the slickest websites. They’re the ones that build compliance into their operations:

Teams that know what the law expects
Systems that can locate and act on a request in 7–10 days
DPOs who are empowered to say “no” to shortcuts
Logs that stand up to scrutiny when the Board comes knocking

That’s the difference between reactive firefighting and preventive compliance.

Final Legal Perspective for 2025 & Beyond

In 2025, enforcement under the DPDP Act won’t be theoretical. Complaints will rise. Notices will be issued. Some companies will be made examples of, not out of hostility, but as a warning that privacy laws have teeth now.

So here’s the bottom line. If your company touches user data, even for something as basic as an email newsletter, you owe those individuals certain rights. Respecting those rights is no longer a nice-to-have; it’s the price of admission into India’s digital economy. And when in doubt? Don’t wait for the penalty. Fix the process first.

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our client’s future-ready by ensuring compliance with the upcoming Indian Labour codes on Wages, Industrial Relations, Social Security, Occupational Safety, Health, and Working Conditions – and the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.

Legal Consultation

In addition to our core corporate and employment law services, Corrida Legal also offers comprehensive legal consultation to individuals, startups, and established businesses. Our consultations are designed to provide practical, solution-oriented advice on complex legal issues, whether related to contracts, compliance, workforce matters, or disputes.

Through our Legal Consultation Services, clients can book dedicated sessions with our lawyers to address their specific concerns. We provide flexible consultation options, including virtual meetings, to ensure ease of access for businesses across India and abroad. This helps our clients make informed decisions, mitigate risks, and remain compliant with ever-evolving regulatory requirements.