Sections 11 through 14 create rights that data principals can exercise against your organisation. These rights become operational reality when requests arrive. The DPO must ensure the organisation can receive, process and respond to rights requests within statutory timelines.
1. The Rights Architecture
Section 11 grants access rights. Data principals can request confirmation of processing and obtain information about their personal data. Section 12 grants correction and erasure rights. Data principals can require you to correct inaccurate data and erase data no longer necessary.
Section 13 creates grievance redressal obligations. You must provide mechanisms for complaints with resolution within prescribed timelines. Section 14 creates nomination rights. Data principals can designate representatives to exercise rights in case of death or incapacity.
Each right creates an operational requirement. You must have intake mechanisms to receive requests. You must have verification procedures to confirm requestor identity. You must have processing workflows to locate and act on relevant data. You must have response templates ensuring legally compliant communications.
Key Points
- Access, correction, erasure rights
- Grievance redressal mechanisms
- Nomination for death or incapacity
2. The Intake Challenge
Requests arrive through multiple channels. Email to published addresses. Website contact forms. Social media messages. In person at physical locations. Phone calls to customer service.
The DPO must ensure all channels funnel to a single processing workflow. A request received through social media cannot languish while email requests receive timely processing. Channel consolidation requires technical integration and staff training across all customer-facing functions.
Identity verification presents a particular challenge. You must confirm the requestor is the data principal or an authorised representative. Insufficient verification creates a risk of disclosing personal data to unauthorised parties. Excessive verification creates friction that effectively denies rights. Balance requires defined verification standards appropriate to request sensitivity.
Key Points
- Multiple intake channels to single workflow
- Identity verification balance
- Defined verification standards
3. The Processing Challenge
Access requests require data location and compilation. Where does personal data about this individual reside? Systems, databases, documents, vendor systems, backup archives. Organisations often discover their data landscape is more fragmented than they understood when attempting to respond to access requests.
Erasure requests require assured deletion. Can you actually delete data from production systems, backup systems, vendor systems and disaster recovery archives? Many organisations discover their deletion capabilities are more limited than they assumed. DPDPA requires deletion capability, not merely deletion policy.
Correction requests require data modification across systems. Correcting data in one system while incorrect data persists in others violates the right. Synchronisation capabilities become compliance requirements.
Key Points
- Access requires locating fragmented data
- Erasure requires assured deletion capability
- Correction requires cross-system synchronisation
4. The Timeline Challenge
Section 13 creates a 90 day grievance resolution timeline. This timeline is not aspirational guidance. It is a statutory requirement. Failure to resolve within 90 days creates regulatory exposure and provides the data principal with a basis for escalation to the Data Protection Board.
The DPO must implement timeline tracking from request receipt. Workflow systems should flag requests approaching the threshold. Escalation procedures should trigger when resolution appears unlikely within the timeline. Response templates should acknowledge receipt with an expected resolution timeframe.
Complex requests may require timeline extension communication. The organisation should proactively communicate with data principals when standard timelines cannot be met. This communication does not eliminate the timeline obligation but demonstrates a good faith effort that regulators will consider.
Key Points
- 90 day statutory timeline
- Timeline tracking from receipt
- Proactive extension communication
Key Takeaways
1. Rights requests reveal actual compliance posture
2. All intake channels must funnel to a single processing workflow
3. Deletion and correction require technical capability, not just policy
4. 90 day timeline is a statutory requirement, not an aspiration
5. Proactive communication on delays demonstrates good faith



