USERS’ DPDP RIGHTS: HOW FIDUCIARIES MUST PREPARE BEFORE THE RS. 250 CR PENALTY WINDOW OPENS

The Ministry of Electronics and Information Technology (“MeitY”), on 13th November 2025, notified the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), and the immediate response from the industry unsurprisingly followed a familiar pattern. Most founders skimmed quick online summaries, noted the reference to an 18-month transition window, and promptly returned to their fundraising tasks, product sprints and year-end operational closures.

A smaller group of founders took a different approach: they opened their calendars and marked 31st May 2027 in bold red. That date is not a mere administrative milestone; it is the last day of MeitY’s formal grace period. From 1st June 2027 onwards, any organisation that fails to address a Data Principal’s statutory request for access, correction, erasure or closure of a grievance within the prescribed timeline may invite a penalty of up to Rs. 250 Crore.

This Article does not attempt to reproduce yet another academic summary of the Digital Personal Data Protection Act, 2023 (“DPDPA”), as the internet already has an abundance of such material. Rather, the intent is to provide a guide for founders and senior managers, with a focus on operational timelines, governance obligations and implementation steps for every Data Fiduciary.

1. The four rights and when they become enforceable:

A. Right to access information about personal data: As per Section 11 of the DPDPA, a Data Principal has the right to obtain a summary of their personal data which is being processed, the purposes of processing, details of the processing activities, the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, and any additional information prescribed by the DPDP Rules. This right is new: from 1st June 2027 onwards, Data Fiduciaries will be required to provide a structured and timely response in the prescribed manner.

B. Right to correction and erasure of personal data: Section 12 of the DPDPA grants a Data Principal the right to request correction, completion or updating of personal data, as well as the right to request its erasure. Under the earlier SPDI Rules, organisations were required to correct inaccurate sensitive personal data, but there was no corresponding statutory right to erasure and no prescribed timeline for responding to such requests.

The DPDPA significantly expands these obligations by applying them to all personal data and by introducing a mandatory time-bound response requirement, which becomes enforceable once the transition window closes on 31st May 2027.

C. Right of grievance redressal: Section 13 of the DPDPA requires every Data Fiduciary and Consent Manager to provide an accessible grievance redressal mechanism and to respond within the time prescribed by the DPDP Rules.

D. Right to nominate: Section 14 of the DPDPA introduces a new right that did not exist under the SPDI Rules. Under the DPDPA, Data Fiduciaries must permit every Data Principal to nominate an individual who may exercise the Data Principal’s rights under the DPDPA in the event of their death or incapacity.

The right to grievance redressal may be relatively easy to comply with, given that a similar one-month resolution requirement already existed under Rule 5(9) of the SPDI Rules. The other rights will require far more effort: Data Fiduciaries must implement structured, auditable and technology-enabled workflows to handle access, correction and erasure requests in full compliance with the statutory framework before the transition window closes on 31st May 2027. Organisations should also plan to include nomination workflows within user interfaces and account settings, so that they are prepared when this provision becomes operational.

2. Building the infrastructure to operationalise data principal rights during the 18-month transition window:

The DPDP Rules provide Data Fiduciaries with an 18-month transition period from the date of publication to prepare for full enforceability of the Data Principal rights set out in Sections 11 to 14 of the DPDPA. Although the DPDP Rules do not prescribe a specific method by which organisations must implement these rights, they do require that Data Fiduciaries be capable of receiving, authenticating, processing and responding to requests in the manner prescribed once the relevant rules come into force.

This preparation necessarily involves establishing the technical and organizational infrastructure to fulfill rights-based obligations at large.

A. Creating and maintaining internal data inventories: A Data Fiduciary cannot comply with access, correction, completion, updating or erasure requests unless it is able to identify where personal data is stored, the purposes for which it is processed and the parties with whom it has been shared. While the DPDPA does not contain an explicit obligation comparable to a GDPR-style record of processing activities, the ability to fulfil statutory rights presupposes accurate and current internal records. During the transition period, organisations should therefore develop internal data inventories that record the systems in which personal data resides, the categories of data processed, the parties with whom each category is shared and the relevant retention attributes. These inventories will form the basis for timely responses once the rights become fully enforceable.

B. Establishing verification and response workflows: The DPDPA requires Data Fiduciaries to respond to Data Principal requests in the manner prescribed. The DPDP Rules set out procedural requirements for authentication, receipt of requests, mode of response and maintenance of records. To meet these requirements, organisations should design and document internal workflows that address the following elements:

  1. authentication of the Data Principal or nominee;
  2. verification of the scope and nature of the request;
  3. execution of actions across all relevant systems;
  4. generation of a compliant response in the prescribed form; and
  5. maintenance of logs that demonstrate how the request was handled.

Documenting these workflows now ensures that, when the DPDP Rules become operative, the organisation is already capable of meeting both the procedural requirement (a compliant response within the prescribed time) and the evidentiary requirement (a record that shows how each request was authenticated, scoped, executed and answered).
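The five workflow elements above, and the inventory from item A that they depend on, are easier to reason about as code than as prose. The following is an added example written for this page, not code from the article or from any product it mentions: a minimal rights-request pipeline in which the data inventory drives scoping and execution, each step writes a hash-chained, HMAC-tagged audit entry, and the response carries the due date so a missed deadline is visible. The system names, the personal-data categories, the 30-day deadlines, the one-time-code authentication and the audit key are all constructed assumptions; the actual response periods are whatever the DPDP Rules prescribe, so they are kept as configuration rather than hard-coded logic.

```python
"""Added example: inventory-driven rights-request workflow with a tamper-evident
audit trail. Hypothetical design; all names, deadlines and keys are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# (A) Constructed data inventory: system -> categories held, purpose, parties
# shared with, and whether a retention obligation blocks erasure of that record.
INVENTORY = {
    "crm": {"categories": ["name", "email"], "purpose": "account management",
            "shared_with": ["email-delivery-vendor"], "retention_hold": False},
    "billing": {"categories": ["name", "address", "invoices"], "purpose": "invoicing",
                "shared_with": ["payment-processor"], "retention_hold": True},
    "analytics": {"categories": ["device_id"], "purpose": "product analytics",
                  "shared_with": [], "retention_hold": False},
}

# Assumed response deadlines in days (configuration, not statute).
DEADLINE_DAYS = {"access": 30, "correction": 30, "erasure": 30}

AUDIT_KEY = b"constructed-demo-key"  # production: KMS/HSM-held key, rotated


@dataclass
class RightsRequest:
    request_id: str
    principal_id: str
    kind: str                      # "access" | "correction" | "erasure"
    received: date
    status: str = "received"
    audit: list = field(default_factory=list)

    @property
    def due(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS[self.kind])


def log_event(req: RightsRequest, event: str, **details) -> None:
    """Step 5: append an audit entry chained to the previous one and tagged with an HMAC."""
    prev = req.audit[-1]["mac"] if req.audit else ""
    entry = {"seq": len(req.audit), "event": event, "details": details, "prev": prev}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
    req.audit.append(entry)


def audit_intact(req: RightsRequest) -> bool:
    """Recompute every tag and chain link; False if any entry was altered or dropped."""
    prev = ""
    for e in req.audit:
        body = json.dumps({k: v for k, v in e.items() if k != "mac"}, sort_keys=True).encode()
        expect = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], expect):
            return False
        prev = e["mac"]
    return True


def authenticate(req: RightsRequest, presented: str, expected: str) -> bool:
    """Step 1: authenticate the Data Principal or nominee. Constructed stand-in: a
    one-time code sent to the verified contact channel, compared in constant time."""
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    log_event(req, "authenticated" if ok else "authentication_failed")
    if not ok:
        req.status = "rejected"
    return ok


def scope(req: RightsRequest) -> list[str]:
    """Step 2: resolve which inventoried systems the request touches.
    Constructed simplification: every system is assumed to hold this principal's data."""
    systems = sorted(INVENTORY)
    log_event(req, "scoped", systems=systems)
    return systems


def execute(req: RightsRequest, systems: list[str]) -> dict:
    """Step 3: fan the action out to each system and record the per-system outcome."""
    results = {}
    for s in systems:
        rec = INVENTORY[s]
        if req.kind == "access":   # Section 11 summary: what, why, and shared with whom
            results[s] = {"categories": rec["categories"], "purpose": rec["purpose"],
                          "shared_with": rec["shared_with"]}
        elif req.kind == "erasure" and rec["retention_hold"]:
            results[s] = "retained: subject to retention obligation"  # report, never silently skip
        else:
            results[s] = "done"
        log_event(req, "executed", system=s, outcome=results[s])
    return results


def respond(req: RightsRequest, results: dict, today: date) -> dict:
    """Step 4: build the structured response and flag whether the deadline was met."""
    req.status = "closed"
    response = {"request_id": req.request_id, "kind": req.kind, "results": results,
                "due": req.due.isoformat(), "on_time": today <= req.due}
    log_event(req, "responded", on_time=response["on_time"])
    return response


def handle(req: RightsRequest, presented: str, expected: str, today: date) -> dict | None:
    """Run the workflow end to end; None if authentication fails."""
    if not authenticate(req, presented, expected):
        return None
    return respond(req, execute(req, scope(req)), today)


def demo() -> dict:
    """Three constructed scenarios: on-time erasure, late access request, failed auth."""
    erasure = RightsRequest("R1", "P1", "erasure", date(2027, 6, 1))
    late = RightsRequest("R2", "P2", "access", date(2027, 6, 1))
    bad = RightsRequest("R3", "P3", "access", date(2027, 6, 1))
    return {"erasure": handle(erasure, "483920", "483920", date(2027, 6, 20)),
            "erasure_req": erasure,
            "late": handle(late, "117733", "117733", date(2027, 7, 15)),
            "rejected": handle(bad, "000000", "999999", date(2027, 6, 2)),
            "rejected_req": bad}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["erasure"], indent=2))
    print("audit intact:", audit_intact(out["erasure_req"]))
```

Two design points matter in practice. The billing system is under a retention hold, so the erasure response reports it as retained rather than claiming a complete erasure; an inventory that records retention attributes is what makes that distinction possible. The audit chain ties each entry to the previous one and to a key the application holds, so a log edited after the fact (changing which system was touched, or deleting a step) no longer verifies, which is the evidentiary property the workflow is meant to provide.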

C. Aligning contractual obligations with data processors: The DPDPA places responsibility on the Data Fiduciary even when the processing activity is carried out through a Data Processor. Data Fiduciaries must therefore ensure that Data Processors are contractually bound to assist in fulfilling Data Principal rights in accordance with the DPDPA and the DPDP Rules. During the transition period, Data Fiduciaries should review and update their processor agreements to include obligations relating to cooperation, timeliness of response, record-keeping and technical assistance; without such alignment, a Data Fiduciary may be unable to comply with its statutory obligations once the DPDP Rules become fully effective.

D. Creating accessible mechanisms for submitting requests: The DPDPA requires Data Fiduciaries and Consent Managers to provide “readily available means” for Data Principals to submit grievances and statutory requests. Data Fiduciaries should therefore prepare user-facing mechanisms, such as dedicated request portals, authenticated dashboards, electronic forms or integrated account-level features, through which Data Principals can exercise their rights once these become operational. These mechanisms will need to be aligned with the procedural requirements prescribed under the DPDP Rules that come into force after the eighteen-month period.

E. External support and vendor ecosystem: Although neither the DPDPA nor the DPDP Rules require Data Fiduciaries to use any specific technology or service provider, a growing market of privacy-tech and data-governance tools has emerged in India and globally to support compliance with rights-based frameworks. These solutions typically address discrete components of the rights-fulfilment process and can be deployed individually or in combination with internal systems.

Common categories of such solutions include:

  1. Consent and preference-management systems that assist in recording, updating, and withdrawing consent in a manner consistent with statutory requirements;
  2. Data discovery and mapping tools that help Data Fiduciaries identify the systems in which personal data resides and the way it flows across internal and external environments;
  3. Identity- and request-verification services that enable Data Fiduciaries to authenticate Data Principals or nominees before processing statutory requests;
  4. Rights-request orchestration modules that route access, correction, completion, updating and erasure requests to the appropriate internal teams or systems for execution; and
  5. Grievance-management platforms that help maintain auditable logs, timelines, and responses for statutory grievances.

These tools are not a substitute for internal governance, but they can materially assist Data Fiduciaries in establishing a scalable and reliable infrastructure during the transition period.

3. Conclusion:

The DPDPA and the DPDP Rules mark a clear shift in India’s data protection framework, and over the next 18 months every Data Fiduciary must move from general privacy awareness to a rights-based compliance model. Data Fiduciaries should treat this implementation window as an opportunity to modernise their data management practices, meet regulatory expectations and maintain customer trust.

Author: Vishwas Chitwar, Senior Associate

Disclaimer

As per the rules of the Bar Council of India, we are not permitted to advertise or solicit work. By accessing and browsing through this website, all users agree and acknowledge that the content of this website is for informational purposes only and that there has been no form of solicitation, advertisement or inducement by NovoJuris Legal or its members, in any form. No information provided on this website should be construed as legal advice and NovoJuris Legal shall not be liable for consequences of any action taken by relying on the information provided on this website.