Without this process you face penalties under the Digital Personal Data Protection Act 2023 (its Schedule allows up to ₹50 crore for breaching any provision not specifically listed, which is where failing to honour access and correction rights falls, and up to ₹250 crore for failing to keep reasonable security safeguards), complaints that customers spread on social media and review sites, and disputes that escalate into legal cases. For example, a Delhi e-commerce MSME stored wrong bank details for 200 customers and had no way to let them correct it, resulting in payment failures, customer complaints to the banking ombudsman and an RBI direction audit. You also lose customer trust: once someone realises their data is stuck in your system with no way to fix it, they are unlikely to buy from you again.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal process at all. When a customer emails asking what data you have, there's no standard reply or procedure—someone might ignore it, or the owner handles it ad-hoc from memory.
Initial
You have a single email address or contact person where data requests *can* land, but there's no documented timeline, no template response, and no tracking of whether requests were actually answered. Some requests get lost.
Developing
You have a documented data access request form (online or PDF), a 30-day response timeframe written down, and a single person responsible for collecting and sending back data. You're tracking requests in a spreadsheet but sometimes miss deadlines.
Defined
You have a formal written policy on your website, a dedicated request process (email or form), responses tracked in a shared log, and you're meeting 90% of requests within 30 days. Requests for corrections are acknowledged and documented, though the correction process itself isn't fully automated.
Managed
You have a published Data Subject Rights Policy, a web form that auto-logs requests with timestamps, a clear SLA (e.g., 20 days), and a process to verify the requester's identity. Data corrections are tracked, approved, and logged. You have a person or team assigned with clear accountability.
Optimised
You have a fully documented, auditable end-to-end process; a dedicated portal or system (custom or third-party) that automates request intake, verification, data retrieval, correction workflows, and response; regular training for staff; and annual third-party verification that you're compliant. Turnaround is under 15 days, and you proactively inform data subjects of their rights.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Designate one person (owner, HR manager, or office assistant) as the 'Data Request Owner' and create a single email address (e.g., datarights@company.com) where requests land. Write down a simple one-page process: receive email → acknowledge within 3 days → collect data → send back. Pin this email on your website and customer invoices. | Business owner or office manager | 1 day |
| 1 → 2 | Create a one-page PDF form titled 'Data Access & Correction Request' with fields for name, ID, what data they want, and what they want corrected. Set a clear 30-day deadline in writing. Start a simple Excel sheet to log: request date, requester name, response date, status. Share the form link on your website and email signature. | Business owner or designated HR/admin person | 3 days |
| 2 → 3 | Write a one-page 'Data Subject Rights Policy' (in English and local language if needed) explaining how to request, timelines, and how corrections work. Get it approved by owner. Post it on your website and in your office. Create a monthly reminder calendar entry so the Data Request Owner reviews the log and meets deadlines. Train all customer-facing staff (2 hours) on how to direct requests. | Data Request Owner + business owner | 2 weeks |
| 3 → 4 | Move from spreadsheet to a simple database or low-cost form tool (Google Forms + Sheets, or Typeform). Set up auto-acknowledgment emails. Create an identity verification step (photo ID match for sensitive data). Document the correction approval process: who decides if a correction is valid, how it's recorded, and how the corrected data is communicated back. Brief the team once. | Data Request Owner + IT person (if available) or external freelancer | 4-6 weeks |
| 4 → 5 | Conduct a gap analysis with an external compliance consultant or audit firm (₹30,000–₹75,000). Implement missing pieces: automated workflows, verification protocols, audit logs, and staff training on data handling. Schedule annual third-party reviews of your process. Document all process changes and maintain a continuous improvement log. | Business owner + external consultant + Data Request Owner | Ongoing (quarterly reviews, annual audit) |
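The roadmap steps above amount to a register with two deadlines (acknowledge within 3 days, complete within 30) and an identity check before anything is released. Below is an added worked example of that register in Python; it is not part of the NIRMATA material. It assumes a CSV log with the columns from the evidence list plus an explicit `verified` column, and all rows in `SAMPLE_LOG` are constructed sample data.

```python
"""Request register with deadline and verification checks.

Added example for this page (not part of the NIRMATA material). It assumes
a CSV log with the columns named in the evidence list plus an explicit
'verified' column, a 3-day acknowledgement deadline and a 30-day completion
deadline as in the roadmap. All rows in SAMPLE_LOG are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_SLA_DAYS = 3          # acknowledge within 3 days (step 0 -> 1)
COMPLETION_SLA_DAYS = 30  # send data / correct records within 30 days (step 1 -> 2)

# Constructed sample register. Blank cells mean "not done yet".
SAMPLE_LOG = """\
request_id,received,requester,type,verified,acknowledged,completed,status
R-001,2024-05-02,asha@example.com,access,yes,2024-05-03,2024-05-20,completed
R-002,2024-05-10,ravi@example.com,correction,yes,2024-05-11,2024-06-14,completed
R-003,2024-05-28,meena@example.com,access,no,2024-05-29,2024-06-05,completed
R-004,2024-06-20,kiran@example.com,erasure,yes,2024-06-21,,open
R-005,2024-06-25,dev@example.com,access,yes,,,open
"""


@dataclass
class Request:
    request_id: str
    received: date
    requester: str
    kind: str                      # access / correction / erasure
    verified: bool                 # identity check recorded before any disclosure
    acknowledged: Optional[date]
    completed: Optional[date]
    status: str

    @property
    def ack_due(self) -> date:
        return self.received + timedelta(days=ACK_SLA_DAYS)

    @property
    def completion_due(self) -> date:
        return self.received + timedelta(days=COMPLETION_SLA_DAYS)


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value.strip() else None


def parse_log(text: str) -> list:
    """Read the CSV register into Request objects."""
    requests = []
    for row in csv.DictReader(io.StringIO(text)):
        requests.append(Request(
            request_id=row["request_id"],
            received=date.fromisoformat(row["received"]),
            requester=row["requester"],
            kind=row["type"],
            verified=row["verified"].strip().lower() == "yes",
            acknowledged=_parse_date(row["acknowledged"]),
            completed=_parse_date(row["completed"]),
            status=row["status"],
        ))
    return requests


def can_disclose(req: Request) -> bool:
    """Gate every release or change of personal data on a recorded identity check."""
    return req.verified


def sla_report(requests, today: date) -> dict:
    """Summarise the register the way a reviewer will ask for it."""
    report = {
        "total": len(requests), "completed": 0, "on_time": 0, "late": [],
        "open": 0, "open_overdue": [], "ack_overdue": [],
        "unverified_disclosures": [], "on_time_rate": None,
    }
    for r in requests:
        if r.completed:
            report["completed"] += 1
            if r.completed <= r.completion_due:
                report["on_time"] += 1
            else:
                report["late"].append(r.request_id)
            if not can_disclose(r):   # data went out without an identity check
                report["unverified_disclosures"].append(r.request_id)
        else:
            report["open"] += 1
            if today > r.completion_due:
                report["open_overdue"].append(r.request_id)
        if r.acknowledged is None and today > r.ack_due:
            report["ack_overdue"].append(r.request_id)
    if report["completed"]:
        report["on_time_rate"] = round(report["on_time"] / report["completed"], 3)
    return report


def run_report(text: str = SAMPLE_LOG, today_iso: str = "2024-07-05") -> dict:
    return sla_report(parse_log(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Run it as a monthly check from the calendar reminder in step 2 → 3: the `ack_overdue` and `open_overdue` lists are the items the Data Request Owner must chase, and a non-empty `unverified_disclosures` list is a finding in its own right, because data was released without a recorded identity check.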
Documents and records that prove your maturity level.
- Written Data Subject Rights Policy or Data Access/Correction Procedure document, signed and dated by owner
- Data access request form (digital or PDF) with a link or instructions on how to submit it, visible on your website or in customer communications
- Log or register (spreadsheet, database, or form tool output) showing: request date, requester name/ID, type of request, response date, status (completed/rejected), and notes; at least 3–5 examples of completed requests in the last 12 months
- Sample response email or letter showing you sent back data or corrected records, with date and requester verification
- Email or internal communication showing staff have been informed about the data subject rights process and their role in it (e.g., training notes, email to team)
Prepare for these questions from customers or third-party reviewers.
- "Show me your process for handling a customer who asks to see what personal data you have about them. How long does it take, and who handles it?"
- "If a customer says their phone number or address is wrong in your system, how do they report it and how do you fix it? Do you have proof that you've actually corrected records when asked?"
- "Where on your website or in your communications do you tell people they have the right to access and correct their data? Can you show me?"
- "Do you track data access and correction requests? Show me your log for the past year—how many requests did you get, and how many did you answer on time?"
- "Has anyone on your team received training on handling data subject rights requests? Do you have documentation of that training?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and manage data access request forms; log responses and track deadlines | Google Forms + Google Sheets (basic, no cost; suitable for small volume); Microsoft Forms + Excel (if you use Microsoft 365) | Typeform (₹2,500–₹5,000/year for basic plan); Jotform (₹3,000–₹8,000/year); Zoho Forms (part of Zoho suite, ₹1,500–₹5,000/month) |
| Publish your Data Subject Rights policy and make it discoverable on your website | Your existing website (add a 'Privacy' or 'Data Rights' page); WordPress plugin for privacy pages | Website builder add-ons (usually free if you already have a site); Wix Privacy Policy template (included in plan) |
| Set up automated acknowledgment emails and reminders for the Data Request Owner to meet deadlines | Gmail filters and labels; Google Calendar with reminders; Zapier free tier (limited) | Zapier (₹500–₹2,000/month for automation); Pabbly Connect (₹500–₹1,500/month) |
| Secure storage and retrieval of personal data for responding to subject access requests | Encrypted folder (BitLocker on Windows, FileVault on Mac); Tresorit free tier (limited storage) | Tresorit (₹2,000–₹5,000/year); Sync.com (₹3,000–₹8,000/year); Microsoft OneDrive encrypted (part of Microsoft 365, ₹2,000–₹5,000/year) |
| Template and workflow for data access/correction requests and responses | Templates on NASSCOM or DSCI websites; DataSecure or CERT-In guidance documents (free downloads) | Custom legal template from lawyer (₹5,000–₹15,000 one-time); Privacy compliance software platform (₹10,000–₹50,000/year for small businesses) |
- Treating data subject requests as optional or 'nice to have' instead of a legal right. Many Indian MSMEs ignore emails asking for data access or correction, assuming they are a nuisance. Under the DPDP Act, access and correction are rights of the data principal (Sections 11 and 12), and ignoring a request is a breach that can attract penalties.
- Not verifying the identity of the person making the request, so one customer's data is accidentally sent to someone else. Verify before sending anything: the simplest reliable check is to reply only to the email address or phone number already on the customer's record, or to send a one-time code to that registered contact and require it back (a plain email that merely claims to come from the registered address can be spoofed). Ask for a government ID (PAN, driver's licence) only when the data is sensitive, check it against the record, and do not keep the ID copy once the request is closed; avoid collecting Aadhaar numbers at all unless you have a lawful basis to do so.
- Ignoring requests because you're not sure what data you have. Start by doing a simple data inventory: write down all the places where you store customer or employee data (Excel sheets, CRM, email, WhatsApp, bank statements, hard copies, etc.), then you can actually respond to requests instead of staying silent.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 11 (Right to access information about personal data), Section 12 (Right to correction and erasure), Section 13 (Right of grievance redressal) |
| CERT-In Directions 2022 | Directions under Section 70B(6) of the IT Act (28 April 2022): incident reporting to CERT-In within 6 hours and retention of ICT system logs for 180 days. They do not address data subject requests directly, but your request and disclosure log is one of the records you will need if data is ever released to the wrong person and the incident has to be investigated and reported |
| ISO 27001:2022 | Annex A 5.34 (Privacy and protection of PII), Annex A 5.3 (Segregation of duties, for the correction approval step), Annex A 5.16 (Identity management, for verifying requesters), Annex A 6.3 (Information security awareness, education and training) |
| NIST CSF 2.0 | Govern: GV.OC-03 (legal and regulatory requirements, including privacy obligations, are understood and managed), GV.PO-01 (policy is established and communicated), GV.RR-02 (roles and responsibilities are assigned); Protect: PR.AA-03 (users are authenticated, for requester verification) and PR.DS-01 (confidentiality, integrity and availability of data at rest) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →