Data subject / Data Principal rights — operational rights mechanism
Primary statement
Operational mechanism providing data subjects (DPDPA Data Principals, GDPR data subjects, ISO 27701 PII principals) with rights to access, correction, erasure, and grievance redressal. DPDPA Section 11 grants the Data Principal a summary of personal data and processing activities plus a rights mechanism; ISO 27701, SOC 2 P5.1 and IRDAI extend this to PII principal access and inquiries.
Audit-fatigue payoff
A single rights request portal + identity verification + per-right fulfilment workflow satisfies rights requirements across DPDPA, GDPR, ISO 27701, and SOC 2 simultaneously.
Strictness matrix
Scope
Scope: access, correction, erasure, grievance — four core rights minimum. DPDPA Section 11 covers all four.
Ceiling source: dpdpa:DPDP.9
Rationale: DPDPA DPDP.9 covers the four core rights enumerated.
Threshold
Threshold: on request from Data Principal, summary of personal data + processing activities + rights mechanism provided.
Ceiling source: dpdpa:DPDP.9
Rationale: DPDPA on-request threshold is the operational trigger.
Method
Method: documented procedure + identity verification + per-right fulfilment + grievance redressal + SLA tracking + erasure propagation to processors.
Ceiling source: dpdpa:DPDP.9
Rationale: DPDPA method anchors with grievance redressal not in older frameworks.
Frequency
Frequency: per request within the applicable SLA (DPDPA Rules forthcoming; expect 30-90 days per right). Procedure review annual.
Ceiling source: dpdpa:DPDP.9
Rationale: Per-request SLA is the operational cadence.
Evidence
Required evidence: rights request register + identity verification records + per-right fulfilment evidence + grievance redressal records + erasure propagation logs.
Ceiling source: dpdpa:DPDP.9
Rationale: DPDPA evidence is the audit-defensible package.
Auditor test pattern
Step 1: Inspect the rights request procedure.
Step 2: Sample one request per right type.
Step 3: Verify that identity verification is proportionate to the right exercised.
Step 4: Verify the grievance redressal mechanism.
Step 5: For erasure, verify propagation to processors.
Common findings
Common findings: (1) Identity verification ad-hoc; (2) Erasure not propagated to backups/processors; (3) Grievance redressal not tracked; (4) SLA tracking absent.
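As an added worked example (not the page's own tooling, nor any framework's reference implementation) of the Method, Frequency and Evidence rows and of the four common findings above: a minimal rights request register in Python that refuses fulfilment until identity is verified, refuses to close an erasure until every in-scope processor has acknowledged, computes SLA due dates and lists overdue requests, and emits a per-request evidence record. The 30-day SLA, the processor names, the verification-method labels and the dates are all constructed assumptions; the real SLA comes from the applicable Rules.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Right(Enum):
    ACCESS = "access"
    CORRECTION = "correction"
    ERASURE = "erasure"
    GRIEVANCE = "grievance"


# ASSUMPTION: placeholder SLA. The DPDPA Rules are forthcoming and the page only
# says to expect 30-90 days per right, so 30 days is used uniformly here.
SLA_DAYS = {r: 30 for r in Right}


@dataclass
class RightsRequest:
    request_id: str
    right: Right
    received_at: datetime
    identity_verified_at: Optional[datetime] = None
    identity_method: Optional[str] = None
    fulfilled_at: Optional[datetime] = None
    # Erasure only: processor name -> acknowledgement time (None = still pending).
    processor_acks: dict = field(default_factory=dict)

    @property
    def due_at(self) -> datetime:
        return self.received_at + timedelta(days=SLA_DAYS[self.right])

    @property
    def erasure_propagated(self) -> bool:
        return all(ack is not None for ack in self.processor_acks.values())


class RightsRegister:
    """One register for all four rights; every state change is audit evidence."""

    def __init__(self) -> None:
        self._requests: dict = {}
        self.rejections: list = []  # (request_id, reason) for refused fulfilments

    def submit(self, request_id, right, received_at, processors=()):
        req = RightsRequest(request_id, right, received_at)
        if right is Right.ERASURE:
            # Fix the processor scope at intake so propagation can be audited later.
            req.processor_acks = {p: None for p in processors}
        self._requests[request_id] = req
        return req

    def verify_identity(self, request_id, method, at):
        req = self._requests[request_id]
        req.identity_verified_at, req.identity_method = at, method
        return req

    def record_processor_ack(self, request_id, processor, at):
        req = self._requests[request_id]
        if processor not in req.processor_acks:
            raise KeyError(f"{processor} is not in the erasure scope of {request_id}")
        req.processor_acks[processor] = at
        return req

    def fulfil(self, request_id, at):
        req = self._requests[request_id]
        if req.identity_verified_at is None:  # common finding (1)
            self.rejections.append((request_id, "identity not verified"))
            raise PermissionError(f"{request_id}: identity not verified")
        if req.right is Right.ERASURE and not req.erasure_propagated:  # finding (2)
            self.rejections.append((request_id, "erasure not propagated to all processors"))
            raise RuntimeError(f"{request_id}: erasure not acknowledged by all processors")
        req.fulfilled_at = at
        return req

    def overdue(self, as_of):
        """Open requests past their SLA due date; as_of may be a datetime or ISO string."""
        if isinstance(as_of, str):
            as_of = datetime.fromisoformat(as_of)
        return sorted(r.request_id for r in self._requests.values()
                      if r.fulfilled_at is None and as_of > r.due_at)

    def evidence(self, request_id):
        """The per-request evidence package listed on the page, as one record."""
        req = self._requests[request_id]
        iso = lambda t: t.isoformat() if t else None
        return {
            "right": req.right.value,
            "received_at": iso(req.received_at),
            "due_at": iso(req.due_at),
            "identity": {"verified_at": iso(req.identity_verified_at), "method": req.identity_method},
            "fulfilled_at": iso(req.fulfilled_at),
            "processor_acks": {p: iso(t) for p, t in req.processor_acks.items()},
        }


def demo() -> RightsRegister:
    """Constructed scenario: one request per right type, fixed dates, offline."""
    reg, d = RightsRegister(), datetime
    reg.submit("DR-0001", Right.ACCESS, d(2024, 3, 1))
    reg.verify_identity("DR-0001", "otp-to-registered-mobile", d(2024, 3, 2))
    reg.fulfil("DR-0001", d(2024, 3, 10))  # inside SLA
    reg.submit("DR-0002", Right.ERASURE, d(2024, 3, 1),
               processors=("constructed-crm-vendor", "constructed-backup-vendor"))
    reg.verify_identity("DR-0002", "signed-request-plus-id-document", d(2024, 3, 3))
    reg.record_processor_ack("DR-0002", "constructed-crm-vendor", d(2024, 3, 5))
    reg.submit("DR-0003", Right.GRIEVANCE, d(2024, 1, 15))  # never actioned
    reg.submit("DR-0004", Right.CORRECTION, d(2024, 3, 10))  # no identity check on file
    for rid in ("DR-0002", "DR-0004"):
        try:
            reg.fulfil(rid, d(2024, 3, 12))
        except (PermissionError, RuntimeError):
            pass  # refusal is already recorded in reg.rejections
    return reg


if __name__ == "__main__":
    reg = demo()
    print("overdue on 2024-03-20:", reg.overdue("2024-03-20"))
    print("rejections:", reg.rejections)
    print(reg.evidence("DR-0002"))
```

The register deliberately makes the two most common findings impossible to reach silently: a fulfilment without verified identity and an erasure closed before every processor (including the backup provider) has acknowledged both raise and leave a rejection record, which is what an auditor sampling one request per right type will look for.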