Think about the last time you tried to delete an old online account. You clicked a button, maybe sent an email, and then… crickets. For years, businesses have treated user privacy as a low-priority suggestion rather than a mandate. Those days are officially behind us: data subject requests such as account deletion, data access, or correction are now a central part of modern privacy compliance.
With the finalization of the Digital Personal Data Protection (DPDP) Rules in November 2025, the power dynamic in India’s digital economy flipped. Users now hold statutory authority over their personal information. At the very center of this massive shift are data subject requests—the formal mechanism individuals use to demand access to, correction of, or deletion of their digital footprints.
If your organization processes digital personal data of individuals in India (the Act also reaches processing outside India that is connected with offering goods or services to people in India), treating these user inquiries and data subject requests as an afterthought is no longer just bad customer service. It’s a direct violation of the law. The regulatory clock starts ticking the moment a user hits “submit.” And missing the deadline can attract monetary penalties from the Data Protection Board; the Act’s penalty schedule tops out at ₹250 crore, its highest tier.
Let’s cut through the legalese and look at exactly how fast you need to resolve these data subject requests, why relying on manual spreadsheets is a disaster waiting to happen, and how you can actually prepare for the May 2027 enforcement deadline.
Unpacking Data Subject Requests: What Exactly Are They?
Before we talk about timelines, we need to clarify what we’re actually dealing with. Under the DPDP Act 2023, individuals (legally termed Data Principals) are granted specific, enforceable rights over their personal data. When a consumer exercises these rights, they submit data subject requests to the business that collected their information (the Data Fiduciary).
Under the finalized DPDP Rules, these requests generally fall into four distinct buckets:
- The Right to Access Users want to know exactly what data you hold about them, a summary of how it’s being processed, and the identities of any third parties you’ve shared it with.
- The Right to Correction If a user’s address, phone number, or other personal details are inaccurate or outdated, they have the right to demand an immediate update.
- The Right to Erasure Often called the “right to be forgotten.” When a user withdraws their consent or when the original purpose for data collection is fulfilled, they can demand that you permanently delete their data.
- Grievance Redressal If a user feels their data is being misused or their previous requests were ignored, they can formally lodge a complaint.
Handling a single request sounds easy enough. But what happens when you receive five hundred of them in a week? That’s where the timelines become terrifying for unprepared IT departments.
The Clock Is Ticking: Official Timeframes You Can’t Ignore
For a long time, the exact turnaround time for a privacy request in India was a grey area. Companies operated on vague concepts of “reasonable timeframes.” The notification of the DPDP Rules 2025 stripped away all that ambiguity, providing much-needed clarity around data subject requests and their resolution timelines.
- 90 days: maximum to resolve access, correction, erasure, or grievance requests
- 72 hours: outer limit to report a personal data breach to the DPBI and inform affected users
- 48 hours: advance notice required before erasing a user’s data
The 90-Day Maximum Mandate
According to Rule 14 of the DPDP Rules, Data Fiduciaries are legally required to resolve data subject requests—whether they involve access, correction, erasure, or grievance redressal—within a maximum of 90 days from the date of receipt.
Let’s be incredibly clear: 90 days is a hard statutory ceiling, not a leisurely target. If day 91 arrives and you haven’t fully resolved the user’s inquiry, your organization is in breach of the law.
The 72-Hour Breach Notification Rule
While user-initiated data subject requests give you a 90-day window, security incidents are a completely different animal. If your servers are compromised and a personal data breach occurs, you do not have three months to figure out your PR strategy. The Rules require you to intimate the Data Protection Board of India (DPBI) without delay on becoming aware of the breach, to follow up with the detailed report (nature, extent, timing, likely impact, remedial measures) within 72 hours of becoming aware of it, and to inform each affected user without delay. Treat 72 hours as the ceiling for the full report, not as the trigger for first contact.
The 48-Hour Deletion Warning
Here’s a nuance that catches many businesses off guard: when personal data is about to be erased, you can’t just silently wipe the servers. The Rules frame the obligation around expiry of the retention period, for the classes of Data Fiduciary listed in their Third Schedule: at least 48 hours before the data would be erased, the user must be told, giving them a brief window to log in or otherwise exercise their rights and halt the process. Check the final text for whether your organization falls within those classes; many teams apply the same pre-erasure notice to user-requested erasure as well, since it is the only cheap defence against a fraudulent or mistaken deletion request.
Why Waiting Until Day 89 Is a Terrible Strategy
On paper, three months sounds like plenty of time. You might be thinking your team can easily handle a few deletion requests over the course of a fiscal quarter.
Privacy experts fundamentally disagree.
Building a compliance strategy around the 90-day maximum limit is incredibly risky. Most privacy consultants strongly advise organizations to build internal systems capable of resolving data subject requests within 15 to 30 days. Why? Because fulfilling these inquiries is rarely a straight line.
Think about the actual mechanics of an erasure request, one of the most common data subject requests organizations receive. First, you have to verify that the person asking for the deletion is actually who they claim to be. (Deleting someone’s account on the strength of a fraudulent request is a security failure in itself, and handing a full data export to an impostor on an access request is worse.) Then you have to hunt down their data. Is it just in your primary CRM? Or is it also sitting in your marketing automation tool, your customer support ticketing system, and the backup servers managed by a third-party Data Processor?
If you wait until day 85 to start this scavenger hunt, you will miss the deadline. Internal delays, vendor pushback, and technical glitches happen. Aiming for a 15-day turnaround gives your compliance and IT teams the necessary buffer to handle edge cases without risking a massive fine.
The Operational Nightmare of Manual Processing
Many mid-sized Indian businesses are currently trying to manage their privacy compliance using a combination of shared email inboxes, Google Sheets, and Slack messages. This might work when you receive one inquiry a month. It completely collapses at scale, especially when the volume of data subject requests begins to grow.
When you attempt to process data subject requests manually, you run into several massive operational walls:
- The Identity Verification Trap: How do you prove the person emailing privacy@yourcompany.com is actually the account holder? Manually requesting ID proofs via email introduces massive friction and, ironically, forces you to collect more sensitive personal data just to fulfil a privacy request. Verifying through something you already hold, such as a login to the existing account or a one-time code sent to the registered email or phone number, is both less friction and better data minimisation.
- The Data Mapping Maze: Personal data rarely lives in one place. Your sales team uses Salesforce; your marketing team uses Mailchimp; your support team uses Zendesk. Manually pinging department heads to track down a single user’s footprint is an absurd waste of expensive employee hours.
- Downstream Vendor Chaos: Under the DPDP Act, you (the Data Fiduciary) are entirely responsible for the data, even if a third-party vendor (the Data Processor) is holding it. If a user demands deletion, you have to ensure every single vendor you work with also deletes that data. Managing this via manual emails is practically impossible.
- Zero Audit Trails: If the Data Protection Board audits your company, they won’t just take your word that you deleted the data. You need immutable, timestamped logs proving exactly when a request was received, verified, processed, and closed. Spreadsheets do not hold up well in regulatory audits.
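To make the erasure workflow above and the audit-trail requirement concrete, here is an added example in Python. It is not code from the original article or from RuleExpert; the request lifecycle, the stand-in stores, the one-time-code verification flow and the 15-day internal target are assumptions chosen for illustration. It gates erasure on identity verification and on the 48-hour notice having elapsed, cascades the delete to every store and records each store’s acknowledgement, computes the statutory and internal deadlines from the receipt timestamp, and keeps a hash-chained audit log whose verification fails if any earlier entry is edited.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Timelines from the article. The 15-day figure is an assumed internal operating
# target, not a statutory number.
STATUTORY_MAX = timedelta(days=90)
INTERNAL_TARGET = timedelta(days=15)
PRE_ERASURE_NOTICE = timedelta(hours=48)


@dataclass
class AuditLog:
    """Append-only log: each entry commits to the previous entry's hash, so
    editing or dropping an earlier entry breaks verification."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, at: datetime, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"event": event, "at": at.isoformat(), "prev": prev, **fields}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class DataSubjectRequest:
    request_id: str
    principal_id: str
    kind: str                      # access | correction | erasure | grievance
    received_at: datetime
    verified: bool = False
    closed_at: Optional[datetime] = None
    log: AuditLog = field(default_factory=AuditLog)

    def __post_init__(self) -> None:
        self.log.append("received", self.received_at, request_id=self.request_id, kind=self.kind)

    @property
    def statutory_deadline(self) -> datetime:
        return self.received_at + STATUTORY_MAX

    @property
    def internal_target(self) -> datetime:
        return self.received_at + INTERNAL_TARGET

    def verify_identity(self, presented: str, expected: str, at: datetime) -> bool:
        # Assumed flow: a one-time code was sent to the account's registered channel.
        # Constant-time comparison so response timing does not leak the expected code.
        self.verified = hmac.compare_digest(presented.encode(), expected.encode())
        self.log.append("identity_check", at, result="ok" if self.verified else "failed")
        return self.verified

    def erase(self, stores: Dict[str, Callable[[str], bool]],
              notice_sent_at: datetime, now: datetime) -> Dict[str, bool]:
        """Cascade deletion to every store/processor; refuse if unverified or if
        the pre-erasure notice period has not yet elapsed."""
        if not self.verified:
            raise PermissionError("identity not verified")
        if now < notice_sent_at + PRE_ERASURE_NOTICE:
            raise RuntimeError("pre-erasure notice period has not elapsed")
        acks = {}
        for name, delete in stores.items():
            acks[name] = delete(self.principal_id)   # False: nothing found / not confirmed
            self.log.append("erase", now, store=name, ack=acks[name])
        self.closed_at = now
        self.log.append("closed", now, days_open=(now - self.received_at).days)
        return acks


def run_demo() -> dict:
    """Walk one constructed erasure request through the whole lifecycle."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    req = DataSubjectRequest("DSR-0001", "user-42", "erasure", t0)
    req.verify_identity("483921", "483921", t0 + timedelta(hours=1))
    # Constructed in-memory stand-ins for a CRM, a helpdesk and a third-party processor.
    crm = {"user-42": {"email": "a@example.com"}}
    helpdesk = {"user-42": ["ticket-7"]}
    processor = {}   # this processor never received the principal's data
    stores = {
        "crm": lambda pid: crm.pop(pid, None) is not None,
        "helpdesk": lambda pid: helpdesk.pop(pid, None) is not None,
        "processor_x": lambda pid: processor.pop(pid, None) is not None,
    }
    notice_at = t0 + timedelta(days=2)
    try:
        req.erase(stores, notice_at, notice_at + timedelta(hours=1))   # too early
        early_blocked = False
    except RuntimeError:
        early_blocked = True
    acks = req.erase(stores, notice_at, t0 + timedelta(days=5))
    valid_before = req.log.verify()
    req.log.entries[0]["kind"] = "access"   # simulate someone editing history
    return {
        "statutory_deadline": req.statutory_deadline.isoformat(),
        "internal_target": req.internal_target.isoformat(),
        "within_statutory": req.closed_at <= req.statutory_deadline,
        "early_blocked": early_blocked,
        "acks": acks,
        "log_valid_before": valid_before,
        "log_valid_after_tamper": req.log.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The `processor_x` acknowledgement comes back `False`, which is the case a manual process silently loses: the log records that the cascade reached the processor but nothing was confirmed deleted, so the request should not be reported as fully resolved until that is explained. In production the chain head should be anchored somewhere outside the writer’s control (a signed daily digest, or a write-once object store) so that an attacker who can rewrite the whole log cannot simply recompute every hash.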
Transforming Compliance from Burden to Advantage with RuleExpert
The reality is that modern data architecture is too complex for manual privacy management. As the May 2027 enforcement deadline for the 18-month phased implementation approaches, forward-thinking companies are abandoning spreadsheets and adopting automation to efficiently manage data subject requests and broader privacy compliance obligations.
This is exactly where DPDP automation software like RuleExpert changes the game. Instead of treating privacy compliance as a frantic, manual fire drill, RuleExpert turns it into a quiet, automated background process.
Here’s how automating your data subject requests actually looks in practice:
- A Branded, Self-Serve Privacy Portal Instead of hiding a generic email address in your privacy policy, you provide users with a secure, centralized dashboard. They log in, verify their identity automatically (sometimes using government-authorized tools like DigiLocker), and submit their requests with a few clicks.
- Instant Data Discovery RuleExpert integrates directly into your tech stack. When an access request comes in, the software automatically queries your CRM, marketing platforms, and databases, mapping the user’s footprint instantly.
- Automated Vendor Synchronization If an erasure request is approved, the software doesn’t just delete the data on your local servers. It sends automated commands via APIs to your third-party Data Processors, ensuring the deletion cascades across your entire vendor ecosystem. The check a practitioner should insist on: each processor’s acknowledgement is recorded against the request, and a deletion that no processor confirmed is not treated as resolved.
- Bulletproof Audit Logs Every action—from the moment the user submits the form to the final 48-hour pre-deletion notification—is automatically logged and timestamped. If the regulator ever knocks on your door, you generate a comprehensive compliance report in seconds.
Getting Ready for May 2027: The Road Ahead
The era of unchecked data collection and indefinite retention in India is over. The DPDP Rules 2025 have laid out a structured, unforgiving framework. You have an 18-month runway to get your house in order before the May 13, 2027 deadline hits.
Treating this 90-day timeline as a mere administrative chore is a mistake. Consumers are becoming incredibly aware of their digital rights. A company that honors a privacy request swiftly and transparently builds immense brand loyalty. Conversely, a company that ignores these requests will quickly find itself facing angry customers, viral social media complaints, and severe regulatory fines.
Don’t wait for your first massive wave of data subject requests to realize your internal systems are broken. Start mapping your data, streamline your intake channels, and explore automation tools such as RuleExpert today. Compliance isn’t just about avoiding penalties; it’s about proving to your customers that you actually respect them.
Author Bio
Nitin Ray is a Compliance Manager at RuleExpert with expertise in DPDP compliance, data privacy, consent management, and governance. He helps organizations implement practical compliance frameworks and automation strategies to meet the requirements of India’s Digital Personal Data Protection Act, 2023.
Frequently Asked Questions (FAQs)
1. What happens if we fail to respond to data subject requests within 90 days?
Failing to meet the 90-day statutory deadline is a direct violation of the DPDP Rules 2025. The Data Protection Board of India (DPBI) has the authority to investigate the failure and levy monetary penalties, scaled to the nature, gravity and duration of the non-compliance. The Act’s penalty schedule sets caps by type of contravention; its highest tier, ₹250 crore, is reserved for failures to maintain reasonable security safeguards, and other contraventions carry lower caps.
2. Does the 90-day rule apply to all types of businesses?
Yes, in general. The 90-day maximum limit applies to Data Fiduciaries regardless of their size, revenue, or sector, subject only to any exemptions the Central Government notifies under Section 17 of the Act (which can relieve specified classes such as startups of certain obligations). Whether you are a local startup with a mobile app or a massive e-commerce enterprise, assume the timeline for resolving consumer privacy requests is the same unless you hold a notified exemption.
3. Can we ask for more time if a request is highly complex?
Under the current framework of the DPDP Rules, the 90-day limit is a hard ceiling for Data Fiduciaries handling standard requests. The law doesn’t explicitly provide “extensions” for businesses just because their internal data architecture is messy. This is why adopting automation software early is so critical.
4. Are we required to delete data if a sectoral law requires us to keep it?
No. The Act itself requires erasure when consent is withdrawn or the purpose is served unless retention is necessary for compliance with any law in force, and the DPDP Rules 2025 make clear that sector-specific retention requirements take precedence. For example, if financial regulations require you to keep transaction logs for five years, you must retain that specific data even if the user submits an erasure request. However, you must clearly communicate this legal exception to the user, and the retention should be limited to the data and period the other law actually requires, not used as a reason to keep everything.
5. Do we have to notify the user before we actually delete their data?
Yes, for the cases the Rules cover. A crucial operational requirement in the new rules is that the Data Fiduciary must notify the Data Principal at least 48 hours before the actual erasure of their personal data, giving the user a brief window to stop the deletion (by logging in or exercising their rights) if they made a mistake or wish to reactivate their account. The obligation is framed around retention-period expiry for the classes of Data Fiduciary the Rules specify, so check whether your organization is in scope; extending the same notice to user-requested erasure is good practice either way.
6. What is the difference between a Data Fiduciary and a Data Processor?
A Data Fiduciary is the business that decides why and how personal data is collected (e.g., an online clothing store). A Data Processor is a third-party company that processes that data on behalf of the Fiduciary (e.g., the cloud server hosting the store’s database). The Fiduciary is ultimately legally responsible for ensuring the Processor complies with any user requests.
7. Do we need to build a specialized portal for these requests?
While the law doesn’t strictly mandate a “portal,” it requires businesses to provide clear, accessible channels for users to exercise their rights. Relying purely on email makes identity verification and tracking incredibly difficult. Implementing a self-service portal via tools like RuleExpert is considered the industry best practice.
8. If a data breach happens, does the 90-day rule apply?
Absolutely not. Data breaches are handled with extreme urgency. If a personal data breach occurs, you must intimate the Data Protection Board of India without delay on becoming aware of it, provide the detailed report within 72 hours, and inform the affected users without delay. The 90-day rule only applies to standard user-initiated inquiries, not security compromises.
