Every person whose data you hold has legal rights over it. Under the DPDP Act, 2023, you must build the technology that makes those rights exercisable — within 90 days of your grievance redressal system going live.
This is not a customer service enhancement. It is a statutory obligation with a technology architecture behind it.
This is Episode 8 of our series on Technology & DPDP Compliance.
What rights does the DPDP Act grant every Data Principal?
The Act grants four distinct, enforceable rights to every individual whose personal data is being processed:
📋 Right to Access — Section 11
A Data Principal may request a summary of all personal data being processed about her, the identities of every Data Fiduciary and Data Processor with whom that data has been shared, and a description of what was shared. Your portal must authenticate the request, query across all data stores, aggregate the results, and present them in an accessible, comprehensible format — for every user who asks.
✏️ Right to Correction, Completion, Updating and Erasure — Section 12
On receiving a correction or update request, the Data Fiduciary must correct inaccurate data, complete incomplete data, and update outdated data. On receiving an erasure request, it must erase unless retention is legally required. These are not manual tasks at scale. The portal must accept the request, route it to the relevant data systems, execute the correction or deletion across all records — including those held by Data Processors — and confirm completion to the Data Principal with an audit trail.
🔔 Right to Grievance Redressal — Section 13 and Rule 14(3)
Every Data Fiduciary must provide readily available means of grievance redressal. Rule 14(3) requires the grievance redressal system to be prominently published on the website or app within 90 days — with appropriate technical and organisational measures to ensure it responds within the prescribed period. The Data Principal must exhaust this mechanism before approaching the Data Protection Board. Your portal is therefore the mandatory first stop for every data-related complaint — and it must function reliably under that load.
👤 Right to Nominate — Section 14
A Data Principal may nominate one or more individuals to exercise her rights in the event of her death or incapacity. The portal must support a nomination workflow — registration, authentication, and rights-delegation to the nominee — with appropriate identity verification.
⚙️ What the technology must actually deliver — Rule 14
Rule 14(1) requires every Data Fiduciary to prominently publish on its website or app the details of the means by which a Data Principal may make a request, and the identifiers required to identify her under its terms of service. Rule 9 further requires every response to a Data Principal communication to include the business contact information of the Data Protection Officer or the designated contact person.
This means the portal architecture must include: authenticated request intake using the Data Principal’s registered identifier (customer ID, email, mobile number, enrolment ID); routed workflows that reach every system holding that individual’s data; response tracking with defined SLA timers that reflect the prescribed response period; documented audit trails for every request, response, and action taken; a DPO or designated contact visible in every communication; and a nomination and delegation module for incapacity and death scenarios.
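A sketch of the tracking core described above, added here as an illustration and not taken from any real portal: a request stays open until every system in the inventory confirms, carries an SLA deadline, and writes each step to a hash-chained audit log so later edits are detectable. The class names, the system inventory, the 30-day SLA value and the contact address are assumptions, and the request is assumed to have been authenticated upstream.

```python
import hashlib, json
from datetime import timedelta

SLA = timedelta(days=30)                      # assumption: set to the prescribed period
DPO_CONTACT = "dpo@example.invalid"           # placeholder contact, not a real address
SYSTEMS = ("crm", "billing", "processor-a")   # constructed data-store inventory

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, request_id, action, at):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"request_id": request_id, "action": action,
                "at": at.isoformat(), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("request_id", "action", "at", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False                  # entry altered, removed or reordered
            prev = e["hash"]
        return True

class RightsRequest:
    def __init__(self, request_id, identifier, right, received_at, log):
        self.id, self.identifier, self.right = request_id, identifier, right
        self.due_at = received_at + SLA
        self.pending = set(SYSTEMS)           # every system must confirm
        self.log = log
        log.append(request_id, f"received:{right}", received_at)

    def confirm(self, system, at):
        self.pending.remove(system)           # KeyError on unknown or repeated system
        self.log.append(self.id, f"done:{system}", at)

    def overdue(self, now):
        return bool(self.pending) and now > self.due_at

    def respond(self, at):
        if self.pending:                      # never report completion early
            raise RuntimeError(f"still pending in: {sorted(self.pending)}")
        self.log.append(self.id, "responded", at)
        return {"request_id": self.id, "status": "completed", "contact": DPO_CONTACT}
```

The audit entries deliberately omit the Data Principal's identifier, so the log itself does not become another store of personal data that an erasure request has to reach.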
⚠️ The consequences of not building it
Section 13(3) requires the Data Principal to exhaust the grievance mechanism before approaching the Board. An organisation whose grievance portal is non-functional, inaccessible, or unresponsive has effectively fast-tracked every complaint directly to the Data Protection Board — bypassing any opportunity to resolve it internally. Penalties under the DPDP Act Schedule for failure to comply with provisions can extend to ₹250 crore.
A Data Principal Rights Portal is not a checkbox on a compliance list. It is the public-facing interface of your entire DPDP architecture — and its quality will determine whether your compliance posture is defensible when it matters.
Episode 8 of 9 | Technology & DPDP Compliance series Follow DSK Sustainability Tech LLP for the full series.
In association with our knowledge partners — Karthik & Sunil, Chartered Accountants.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.
