Data Subject Rights are a core obligation under DPDP compliance in India. Organisations must enable individuals to exercise control over their personal data through structured, time-bound processes. These rights are enforceable and require operational readiness across systems and teams.

What are Data Subject Rights under DPDP?
DPDP grants individuals the right to:
• Access information about their personal data
• Request correction and updating
• Request erasure of personal data
• Raise grievances
• Nominate another individual (as applicable)
These rights require organisations to move from policy statements to executable workflows.
Why Data Subject Rights are a High-Risk Area
Common challenges
• Data spread across multiple systems
• No central tracking of requests
• Manual handling leading to delays
• Inability to verify identity
Risk scenarios
| Situation | Risk |
| --- | --- |
| Incomplete response | Regulatory exposure |
| Delayed response | Complaint escalation |
| Data not found | Loss of trust |
| Inconsistent handling | Audit failure |
Data Subject Rights Lifecycle
| Stage | Key Actions | Evidence |
| --- | --- | --- |
| Request intake | Capture request through defined channel | Request logs |
| Identity verification | Validate requester identity | Verification records |
| Data discovery | Locate data across systems | Data mapping output |
| Action | Correct / delete / provide access | Execution logs |
| Response | Communicate outcome | Response records |
| Closure | Record completion and timeline | Audit trail |
Request Handling Framework
Organisations must define:
• Channels for request submission (portal, email, support)
• Identity verification process
• Classification of request type
• SLA and response timelines
• Escalation and grievance handling
Automation is recommended for scale.
Linkage with Consent and Retention
Consent
• Withdrawal of consent may trigger deletion
Refer: Consent Management under DPDP
Retention
• Erasure may be denied if retention is legally required
Refer: Data Retention under DPDP
This creates a dependency between rights, consent and retention controls.
Technology and System Requirements
Required capabilities
• Central request tracking system
• Data discovery and mapping integration
• Workflow automation
• Audit logs
Advanced
• API-based data retrieval
• Unified privacy dashboard
Common Failures Observed
• No defined workflow
• Identity verification not implemented
• Requests handled outside system
• No linkage to data inventory
• No audit trail
These gaps weaken DPDP compliance defensibility.
Executive View
Data Subject Rights are a direct interface between the organisation and the individual.
They impact:
• Regulatory compliance
• Customer trust
• Operational efficiency
Failure in rights management often leads to complaints and enforcement action.
FAQs
What are Data Subject Rights under DPDP?
Rights provided to individuals to access, correct, erase and control their personal data.
Can erasure be denied?
Yes, if retention is required under law.
How should requests be handled?
Through defined workflows with tracking and an audit trail.
Are timelines defined?
Timelines are expected to be reasonable and prescribed as applicable.