Data Principal Rights Under the DPDP Act: What Individuals Can Demand

The DPDP Act empowers Indian citizens with a set of enforceable rights over their personal data. These rights shift the balance of power from organisations that collect data to the individuals who own it. For the first time in Indian law, individuals have a clear, statutory mechanism to control how their data is used.

These are not theoretical rights. Organisations must implement systems, processes, and workflows to fulfil them within defined timelines. Failure to do so can result in penalties and complaints to the DPBI.

The Five Core Rights

Right to Access: Data Principals can request a summary of their personal data being processed, the processing activities undertaken, and the identities of all Data Fiduciaries and Processors with whom the data has been shared.

Right to Consent and Withdrawal: Individuals can give or withdraw consent at any time. Upon withdrawal, the Data Fiduciary must cease processing within a reasonable time, unless processing without consent is authorised by law.

Right to Correction and Erasure: Data Principals can request correction of inaccurate data and erasure of data that is no longer necessary for the specified purpose.

Right to Nominate: Individuals can nominate one or more persons to exercise their rights in case of death or incapacity. This is a forward-thinking provision that addresses the increasingly common question of digital legacy.

Right to Grievance Redressal: Every Data Fiduciary must establish a grievance redressal system and respond to complaints within ninety days. If unsatisfied, the individual can escalate to the DPBI.

Operationalising Rights Management

Fulfilling these rights requires more than a dedicated email inbox. Organisations need automated rights management workflows that can receive requests, verify the identity of the requester, locate relevant data across all systems, execute the requested action, and generate an auditable record.

Data discovery and classification capabilities are essential. You cannot provide an accurate summary of someone’s data if you do not know where it resides across your databases, file servers, cloud storage, email systems, and endpoints. Data profiling and stitching technologies can automatically create unified profiles of Data Principals by connecting their PII across multiple data sources.

Every response must include the contact details of the Data Protection Officer (if applicable) or a designated person authorised to answer queries about processing. These details must be prominently published on the organisation’s website or app.
