Data Principals have rights. The right to access their data. The right to correct inaccuracies. The right to erasure. The right to nominate someone to exercise these rights after death. Your procedures must enable these rights to be exercised effectively within statutory timelines.
The Rights Framework
Section 11 grants Data Principals the right to access a summary of their personal data and processing activities. Section 12 provides the right to correction and erasure. Section 13 establishes the right of nomination for posthumous data management. Rule 8 operationalizes these with a 90-day response requirement.
Request Intake
You need a clear channel through which Data Principals can submit requests. This could be a web form, email address, or other mechanism. But it must be accessible and monitored. Requests buried in general inboxes or requiring physical mail create compliance risk.
- Dedicated request intake channel
- Identity verification procedure
- Request logging and tracking
- Acknowledgment within reasonable timeframe
Identity Verification
Before fulfilling a request, you must verify the requester is the Data Principal or authorized representative. This prevents unauthorized disclosure. But verification should not be so burdensome that it effectively denies the right. Balance security with accessibility.
The 90-Day Window
Rule 8 provides 90 days to respond to Data Principal requests. This is the outer limit, not the target. Faster response demonstrates respect for rights and reduces complaints. Build processes that can respond in days, not months.
Handling Complex Requests
Some requests are straightforward. Others involve data scattered across systems, requiring coordination across departments. Your procedures must account for this complexity while still meeting deadlines. Internal SLAs should be tighter than the statutory window to provide buffer for complications.
Essential Clauses
- Request Submission Methods (Rule 8): How Data Principals can submit requests
- Identity Verification Process (Rule 8): Proportionate verification without undue burden
- Response Timeline Commitments (Rule 8): Internal SLAs ensuring 90-day compliance
- Access Request Fulfillment (Section 11): What information is provided and in what format
- Correction Procedure (Section 12(1)): How inaccuracies are investigated and corrected
- Erasure Procedure (Section 12(2)): How deletion requests are processed
- Nomination Registration (Section 13): How nominees are registered and verified
- Exception Handling (Rule 8): Grounds for declining requests and communication process
Implementation Steps
- Establish dedicated DSR intake channel with monitoring
- Develop identity verification protocol balancing security and accessibility
- Create internal workflow routing requests to relevant data custodians
- Build tracking system with deadline alerts
- Draft response templates for common request types
- Train customer-facing teams on DSR handling
- Establish escalation path for complex or disputed requests
- Implement quality review before response dispatch