
DPDP Right to Erasure: Your Guide to Deleting Data & Ensuring Compliance in India

Navigate the complexities of the Right to Erasure under India's DPDP Act, 2023. Learn what Section 13 mandates, understand your obligations as a Data Fiduciary, and implement a robust compliance strategy to protect your business from penalties and reputational damage.

MBS
Meridian Bridge Strategy

When a Customer Demands to Be Forgotten: Navigating Erasure Requests

Imagine 'QuickServe Foods', a popular Indian food delivery startup. One morning, their compliance officer receives a curt email from a long-time customer: "Please delete all my personal data from your systems, effective immediately. I invoke my Right to Erasure." QuickServe, unprepared for such a direct and legally framed request, suddenly faces a daunting task.

Where is this customer's data stored? Is it just the main database, or also marketing CRM, payment gateway logs, customer support transcripts, and third-party analytics tools? What about backups? This scenario isn't hypothetical; it's a rapidly approaching reality for every Indian business handling personal data.

The Digital Personal Data Protection (DPDP) Act, 2023, grants individuals – known as Data Principals – a powerful tool: the Right to Erasure. This isn't just about unsubscribing from emails; it's a fundamental demand for your business to actively delete or cease processing their personal data across all relevant touchpoints.

💡 Key Insight: The Right to Erasure under DPDP signifies a proactive obligation on Data Fiduciaries to manage and, when requested, completely remove personal data, going far beyond simple opt-outs.

What is the Right to Erasure Under DPDP? A Simple Explanation

At its core, the Right to Erasure under the DPDP Act empowers a Data Principal to request that a Data Fiduciary (the entity determining how and why data is processed) delete or cease processing their personal data. Think of it as the individual's right to demand that their digital footprint be removed from your systems, subject to certain conditions.

This right is crucial for individuals to maintain control over their personal information. For businesses, it means establishing clear, efficient, and legally compliant processes to handle such requests.

The erasure isn't just about deleting a record from an active database. It extends to all copies of that data, including those held by Data Processors (third parties processing data on your behalf) and in backup systems, provided the request is valid and no legal exemptions apply.

What the DPDP Act Actually Says About Erasure

The Digital Personal Data Protection Act, 2023, enshrines the Right to Erasure primarily under Section 13(1)(b), which states that a Data Principal shall have the right "to obtain the correction, completion, update, or erasure of his personal data."

While the full rules and specifics regarding the implementation of this right are expected to be elaborated through subsequent regulations, the foundational principle is clear: Data Fiduciaries must be equipped to honour legitimate erasure requests.

Beyond Section 13, other provisions of the Act indirectly support this right, such as the principle of data minimisation (Section 6), which advocates for collecting only necessary data, and data retention limits (Section 7), which mandate erasing data once its purpose has been served. These principles underpin the expectation that data should not be held indefinitely, making erasure a natural progression when retention limits are met or consent is withdrawn.

Section 13(1)(b) of the DPDP Act, 2023: A Data Principal shall have the right to obtain the correction, completion, update, or erasure of his personal data.

Who Does the Right to Erasure Apply To?

The Right to Erasure applies to every individual whose personal data is being processed by a Data Fiduciary in India. This includes:

  • Indian citizens: Regardless of where their data is processed.
  • Individuals within India: Even if they are not Indian citizens, their data processed within India falls under the Act.
  • Data Principals whose data is processed outside India: If the processing is related to offering goods or services to Data Principals in India, or to profiling Data Principals in India.

Essentially, if your business collects, stores, or processes personal data of anyone residing in India or targeting services to Indian residents, you are bound by these obligations.

Common Misconceptions About the Right to Erasure

Many businesses hold incorrect assumptions about the scope and implementation of this critical right. Clearing these up is vital for effective compliance:

  • Myth 1: Erasure means only deleting data from my active customer database.
    Correction: The right extends much further. It includes all instances of personal data, such as backups, archives, logs, analytics tools, CRM systems, and data held by third-party Data Processors. A truly compliant erasure means addressing all these touchpoints.
  • Myth 2: I must always delete data immediately upon request.
    Correction: While prompt action is necessary, immediate deletion isn't always feasible or legally required. There are legitimate grounds for refusing erasure, such as when data is needed to comply with a legal obligation (e.g., financial records, tax laws, AML/KYC regulations), for the establishment, exercise, or defence of legal claims, or for public interest purposes.
  • Myth 3: Opting out of marketing emails constitutes an erasure request.
    Correction: An opt-out typically means ceasing marketing communications, not a complete deletion of all personal data. An erasure request, under DPDP, is a distinct and more comprehensive demand to remove all identifiable personal data, subject to lawful exceptions.
  • Myth 4: It's a 'fire and forget' action; once deleted, it's done.
    Correction: Compliance requires an audit trail. You must be able to demonstrate that the data was indeed erased, communicate the successful erasure to the Data Principal, and have a clear process for handling potential follow-ups or disputes.

⚠️ Warning: Misinterpreting the scope of the Right to Erasure can lead to incomplete data deletion, leaving your business vulnerable to non-compliance penalties of up to ₹100 Lakh for failing to adhere to Data Principal rights.

Real-World Implications for Indian Businesses

The Right to Erasure is not just a theoretical concept; it has profound operational and legal implications across various industries.

Example 1: E-commerce Platform (Startup Scale)

An Indian fashion e-commerce startup, 'StyleHub', processes customer names, addresses, purchase history, and payment details. A customer, after closing their account, invokes their Right to Erasure. StyleHub must:

  • Identify all systems storing this data: website database, CRM, email marketing platform, logistics partners (if data is still active), and analytics tools.
  • Coordinate with third-party payment gateways to anonymise or cease processing historical transaction data linked to the individual, where permissible by law.
  • Ensure that data in backups is eventually overwritten or rendered irretrievable within a reasonable timeframe, without impacting system integrity.

If StyleHub merely deactivates the account without truly erasing the data across all these systems, they risk significant penalties and a loss of customer trust.

Example 2: Healthcare Provider (Mid-size Clinic Chain)

A chain of diagnostic clinics, 'MediScan', holds sensitive patient data: medical history, diagnostic reports, biometric identifiers. A patient requests the erasure of their records. While DPDP grants the Right to Erasure, healthcare data often has specific statutory retention requirements (e.g., under clinical establishment acts or medical council regulations).

MediScan would need to:

  • Assess if the data falls under a legal retention obligation.
  • If so, inform the Data Principal about the specific legal basis for retaining the data and the duration.
  • If no such obligation exists, or after the retention period expires, process the erasure request diligently.

The challenge here lies in balancing individual rights with public health and legal mandates. Erroneously deleting legally mandated records can lead to other compliance breaches.

Example 3: FinTech Company (Large Enterprise)

'WealthBridge', a digital lending platform, collects extensive KYC data, transaction history, credit scores, and biometric authentication details. A former user, having repaid their loan, requests erasure.

WealthBridge faces stringent regulations from the RBI and other financial authorities, requiring retention of transaction records, KYC documents, and audit trails for several years to combat fraud, money laundering, and for tax purposes.

  • WealthBridge must clearly communicate the legal obligations (e.g., AML/KYC norms) that necessitate the retention of certain data elements, even after an erasure request.
  • They would need to erase any data not subject to these legal holds, such as marketing preferences, browsing history, or optional demographic information.
  • This requires granular data segregation and sophisticated data lifecycle management.

The cost of getting this wrong for a large FinTech could be immense, not just in fines (potentially exceeding ₹100 Lakh for non-compliance with data principal rights), but also in regulatory investigations and a severe blow to reputation, leading to customer churn and operational disruption.

Step-by-Step Compliance Guide for the Right to Erasure

Implementing a robust Right to Erasure process is critical. Here's a structured approach:

  1. Establish a Clear Data Principal Request Mechanism:
    Create easily accessible channels (e.g., a dedicated email address, an online portal, or a contact form) for Data Principals to submit erasure requests. Clearly communicate how individuals can exercise this right in your privacy policy.
    ✅ Pro Tip: Ensure your privacy policy, easily accessible on your website, clearly outlines the Data Principal's Right to Erasure and the process for invoking it, including contact details.
  2. Verify the Data Principal's Identity:
    Before acting on any request, implement a robust process to verify the identity of the Data Principal. This prevents malicious third parties from requesting the erasure of someone else's data. This could involve multi-factor authentication, email verification, or asking for specific account details.
  3. Assess the Validity of the Request and Identify Legal Exceptions:
    Upon receiving a request, immediately assess if any legal or operational exemptions apply. Common reasons for refusing or limiting erasure include statutory retention periods (e.g., financial, healthcare, employment records), public interest, or the establishment/defence of legal claims. Document your assessment thoroughly.
  4. Map Data & Identify All Processing Systems:
    This is where comprehensive data mapping and inventory become indispensable. You need to know exactly where the Data Principal's personal data is stored, including active databases, backups, logs, CRM, marketing automation tools, and, in particular, any copies held by third-party Data Processors.
  5. Coordinate Erasure with Data Processors:
    If you share personal data with third-party Data Processors (e.g., cloud providers, marketing agencies, payment processors), you must instruct them to erase the data they hold on your behalf. Your data processing agreements (DPAs) should already stipulate this obligation.
  6. Implement Technical Erasure Procedures:
    Execute the deletion across all identified systems. This often involves specific technical steps:
    • Hard deletion from active databases.
    • Anonymisation or pseudonymisation where full deletion is not immediately possible (e.g., in analytics data that needs historical context but can be de-identified).
    • Ensuring data in backups is scheduled for eventual secure overwriting or deletion according to your retention policy.
    • Clearing data from caches and temporary files.
  7. Confirm Erasure and Maintain Audit Trails:
    Once the erasure is complete, inform the Data Principal. Maintain a detailed record of the request, the steps taken, the date of erasure, and any communication with the Data Principal. This audit trail is crucial for demonstrating compliance to the Data Protection Board of India.

| Step | Description | Tools/Templates | Estimated Timeline (Post-Request) |
|---|---|---|---|
| 1. Request Receipt & Logging | Acknowledge request, log details, begin internal tracking. | Request Intake Form, CRM/Ticketing System | Immediate to 24 hours |
| 2. Identity Verification | Confirm the Data Principal's identity securely. | Verification Protocol, ID Check Templates | 1-3 business days |
| 3. Validity Assessment | Determine if legal exceptions apply (e.g., statutory retention). | Legal Review Checklist, Exception Log | 2-5 business days |
| 4. Data Mapping & Location | Identify all systems and Data Processors holding the data. | Data Inventory Register, Data Flow Diagrams | 3-7 business days |
| 5. Processor Coordination | Instruct third-party Data Processors to erase data. | Standardised Erasure Request Template for Processors | 5-10 business days |
| 6. Technical Erasure | Execute deletion across all internal systems and backups. | Erasure Scripts, Data Deletion Logs | 7-15 business days |
| 7. Confirmation & Audit Trail | Notify Data Principal, maintain detailed records of actions. | Confirmation Email Template, Compliance Audit Log | Within 30 days (as per GDPR benchmark, DPDP timelines pending) |

While the DPDP Act currently does not specify a precise timeline for fulfilling erasure requests, it mandates that Data Fiduciaries respond to Data Principal requests "without unreasonable delay." It's prudent to benchmark against global best practices like GDPR's 30-day (extendable to 90 days in complex cases) requirement.
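
The following Python example is added here and is not part of the original guide or any tooling it describes. It walks steps 2 to 7 for a WealthBridge-style request: an unverified request is refused, each field is retained, erased, anonymised or handed to a processor according to its legal hold, and every decision goes into a hash-chained audit log that does not store the requester's identifier in clear. The inventory rows, system names, dates, key and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed inventory for one Data Principal (all names and dates illustrative):
# system, field, holder, retention basis (None = no hold), hold expiry, de-identify only
ROWS = [
    ("core_db", "kyc_documents", "internal", "AML/KYC norms", date(2031, 3, 31), False),
    ("core_db", "transaction_history", "internal", "AML/KYC norms", date(2031, 3, 31), False),
    ("core_db", "support_tickets", "internal", "legal claim", date(2024, 1, 1), False),
    ("crm", "marketing_preferences", "internal", None, None, False),
    ("web_logs", "browsing_history", "internal", None, None, False),
    ("analytics", "usage_events", "internal", None, None, True),
    ("email_vendor", "email_address", "processor", None, None, False),
]
GENESIS = "0" * 64

def plan_erasure(rows, today):  # steps 3-6: one decision per inventoried field
    plan = []
    for system, field, holder, basis, until, deidentify in rows:
        if basis and (until is None or until > today):
            action = "retain"              # live legal hold: keep, and tell the requester why
        elif holder == "processor":
            action = "instruct_processor"  # the Data Processor must erase its copy
        elif deidentify:
            action = "anonymise"
        else:
            action = "erase"               # includes fields whose hold has expired
        plan.append({"system": system, "field": field, "action": action,
                     "basis": basis if action == "retain" else None,
                     "until": until.isoformat() if action == "retain" and until else None})
    return plan

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def append_audit(log, record):  # step 7: chain each record to the previous one
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": _digest(prev, record)})

def verify_chain(log):
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True

def handle_request(subject_id, identity_verified, rows, today, log, key):
    # Keyed hash so the audit trail does not hold the identifier in clear.
    ref = hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()
    base = {"subject": ref, "date": today.isoformat()}
    if not identity_verified:  # step 2 gate: never act on an unverified request
        append_audit(log, {**base, "outcome": "rejected_unverified"})
        return []
    plan = plan_erasure(rows, today)
    for step in plan:
        append_audit(log, {**base, **step})
    return plan
```

The keyed hash is pseudonymisation rather than anonymisation, so the key should be stored apart from the log and from the systems being erased.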

How the Right to Erasure Connects to Other DPDP Obligations

The Right to Erasure doesn't exist in isolation; it's deeply interwoven with other foundational principles of the DPDP Act:

  • Consent Requirements: If personal data was processed solely based on consent, the withdrawal of that consent (another Data Principal right) often triggers the Right to Erasure, unless other legitimate uses apply.
  • Data Minimisation: The principle that Data Fiduciaries should only collect and process personal data that is necessary for the stated purpose makes erasure of superfluous data a logical extension.
  • Data Retention: Businesses must define clear retention periods. Once data has served its purpose and no legal obligation requires its retention, it should be erased. This proactive erasure aligns with the spirit of the Right to Erasure, even without an explicit request.
  • Data Fiduciary and Processor Responsibilities: Data Fiduciaries are ultimately responsible for ensuring erasure, even if the data is held by their Data Processors. This necessitates robust contracts and oversight over third parties.
  • Data Protection Impact Assessments (DPIAs): Conducting DPIAs helps identify where personal data is stored, how it flows, and potential risks, which is essential for developing an effective erasure strategy.

Understanding these interdependencies is key to building a holistic DPDP compliance framework that handles erasure requests effectively and legally. Proactive planning, rather than reactive scrambling, will define compliant businesses under DPDP.

Frequently Asked Questions

How does the Right to Erasure interact with statutory data retention obligations (e.g., financial records, AML/KYC, healthcare data) for Indian businesses under DPDP?

The Right to Erasure is not absolute. The DPDP Act acknowledges that other laws may require businesses to retain certain data for specific periods. For instance, financial institutions must retain KYC and transaction records for several years under RBI regulations, and healthcare providers have obligations under various medical acts. In such cases, a Data Fiduciary must first identify the specific statutory obligation that mandates retention. They are then required to inform the Data Principal about the legal basis for retaining the data and the duration. Only data not subject to these legal holds, or data whose retention period has expired, must be erased. This requires a robust data retention policy that harmonizes DPDP with sectoral laws, allowing for granular data management where some data elements may be erased while others are retained for legitimate, legally mandated purposes.

What are the technical complexities involved in ensuring 'complete' erasure across distributed systems, backups, and third-party processors, and how can businesses overcome them?

Achieving 'complete' erasure is technically challenging, especially in modern IT environments. Data is often replicated across distributed databases, cached in various systems, stored in multiple backup cycles, and shared with numerous third-party Data Processors. Key complexities include:

  1. Data Identification: Locating all instances of a Data Principal's data across disparate systems.
  2. Backup Erasure: Deleting data from backups without corrupting the entire backup set or requiring a full system restore.
  3. Third-Party Coordination: Ensuring all Data Processors comply with erasure instructions, which depends on robust Data Processing Agreements and technical capabilities.
  4. Immutability: Certain systems (e.g., blockchain) are inherently designed for immutability, posing unique erasure challenges.

Businesses can overcome these by:

  1. Robust Data Mapping: Maintaining a comprehensive, up-to-date data inventory.
  2. Automated Erasure Tools: Implementing scripts and systems that can search and erase data across multiple platforms.
  3. Data Lifecycle Management: Designing systems to automatically age out and securely delete data after retention periods.
  4. Strong DPAs: Ensuring contracts with Data Processors clearly define erasure obligations and audit rights.
  5. Anonymisation/Pseudonymisation: Where full deletion isn't immediately feasible (e.g., for historical analytics in backups), anonymising data to render it no longer personal data is a viable interim step.

Beyond direct requests, are there scenarios where a Data Fiduciary is implicitly obligated to erase data even without an explicit Data Principal request under DPDP?

Yes, the DPDP Act's principles imply scenarios where a Data Fiduciary is obligated to erase data even without an explicit request from the Data Principal. Primarily, this stems from the principle of data retention limitation (Section 7). Data Fiduciaries are obligated to cease retention of personal data once the purpose for which it was collected has been served, and there is no longer a legal basis to retain it. This means if the consent has expired or been withdrawn, and no other legitimate use or legal obligation exists, the data should be erased proactively as part of routine data lifecycle management. Additionally, if a Data Fiduciary discovers that data was collected unlawfully (e.g., without proper consent or for an undisclosed purpose), they would be implicitly obligated to erase it to rectify the non-compliance, irrespective of a Data Principal's request. This proactive approach to data deletion is a cornerstone of responsible data governance under DPDP.
