DSR Automation
Handle access, correction, erasure, and grievance requests without spreadsheets or missed deadlines.
The problem
Under the DPDP Act, every individual whose personal data you process has four rights: access (what data do you hold about me?), correction (fix what's wrong), erasure (delete my data), and nomination (let someone else exercise my rights on my behalf). They also have the right to file a grievance with your organisation, and if unsatisfied, escalate to the Data Protection Board of India (DPBI).
The operational challenge is not understanding these rights - it is fulfilling them at scale, within the legally prescribed timelines. Erasure requests where processing has no ongoing lawful basis must be completed within 7 days. That means locating the person's data across every system - your primary database, CRM, email marketing tool, analytics platform, payment processor, customer support tool, and backups - and deleting it from all of them, with proof, in under a week.
Most companies today handle this manually: a request arrives via email, someone in legal or IT triages it, engineers query multiple databases, deletion happens system by system over days or weeks, and there is no centralised log of what was done, when, or by whom. This works for one request per month. It collapses at five per week.
The DPBI will not ask whether you intended to comply. It will ask whether you can demonstrate that you did - with timestamps, evidence of deletion across systems, and proof that you met the deadline.
What ComplyDP does
Self-service intake portal
A branded, embeddable request form where Data Principals submit access, correction, erasure, or nomination requests. Identity verification built in. Drops into your site or app without engineering work.
Automated routing and SLA tracking
Each request is automatically classified by type, assigned to the right team member, and placed on a countdown timer matching the Act's prescribed timeline. Escalation alerts fire before deadlines, not after.
Multi-system data discovery
When an access request arrives, ComplyDP helps you compile a response by mapping where that person's data lives across your systems. The output is an exportable data package you can provide to the requestor.
Erasure workflow with proof
For deletion requests, the platform generates a deletion task list across every system that holds the person's data. As each system confirms deletion, the platform logs the confirmation. The result is an audit-ready deletion certificate with timestamps.
Grievance management
A structured workflow for handling grievances - from intake to investigation to resolution. Every step is logged. If the Data Principal escalates to the DPBI, you have a complete record of how you handled the complaint.
How it works
1. Data Principal submits a request
   Through your embedded portal, email, or any intake channel. The system verifies identity and classifies the request type.
2. Request is triaged and assigned
   Automatically routed to the right team with a deadline timer. You see all active requests in one dashboard with SLA status.
3. Fulfil across systems
   For access: compile data from all mapped systems. For erasure: execute deletion across each system and collect confirmations. For correction: update records and log the change.
4. Close with evidence
   Send the response to the Data Principal. The platform stores the complete record - request, verification, actions taken, response sent, and timestamps - as your audit trail.
What the Act requires
| Section | Requirement |
|---|---|
| Section 11 | Right to access - Data Principal can request a summary of processing activities and personal data held |
| Section 12 | Right to correction and erasure - Data Principal can demand correction of inaccurate data and deletion of data no longer necessary |
| Section 13 | Right to grievance redressal - Data Fiduciary must provide a mechanism for grievances |
| Section 14 | Right to nomination - Data Principal can nominate another person to exercise rights on their behalf |
| Section 8(6) | Erasure must be completed within prescribed timelines (7 days where no ongoing lawful basis) |
Frequently asked questions
Do we have to provide a 'download my data' feature?
The Act grants the right to obtain a summary of personal data and processing activities. While a full data export feature is best practice, the minimum requirement is to provide the Data Principal with information about what data you hold, why, and who it has been shared with - in a readable format, within the prescribed timeline.
What is the right to correction/erasure?
Data Principals can request correction of inaccurate or incomplete data, and erasure of data that is no longer necessary for the purpose it was collected. Erasure must be executed within 7 days where processing has no ongoing lawful basis. Correction must be carried out and the corrected data propagated to any third parties it was shared with.
Can users complain if we ignore them?
Yes. If a Data Principal is unsatisfied with your response (or non-response), they can file a complaint with the Data Protection Board of India. The DPBI can investigate, issue directions, and impose penalties up to ₹250 crore. Having a documented grievance workflow is your first line of defence.
What is 'nomination' under DPDP?
A Data Principal can nominate another individual to exercise their data rights on their behalf - particularly relevant for elderly individuals, persons with disabilities, or for post-death data management. Your rights portal must support nomination requests and verify the nominee's authority.
Find out where you stand
10-minute diagnostic. 43 controls. No demo call required.