India's DPDP Act 2023 Explained — And How AI Handles Data Principal Requests at Scale

This post is for informational purposes only and does not constitute legal advice. The DPDP Act 2023 and its implementing Rules 2025 are relatively new — requirements may evolve through further notifications or guidance. Verify the current position with a qualified data protection lawyer before making compliance decisions.

Your company just received this email:

"I would like to know all personal data your organisation holds about me. This is a formal request under the DPDP Act."

It lands in a shared privacy@yourcompany.com inbox. Someone reads it. Forwards it to legal. Legal forwards it to engineering. Engineering says they need to check three databases. Nobody notes the date it arrived. Three weeks pass. When someone finally circles back, there are nine days left on the 30-day window the DPDP Rules require. Not enough time to locate the data, get legal sign-off, draft a response in the right language, and send it.

On day 32, you're in violation.

India's DPDP Act 2023 Explained — And How AI Handles Data Principal Requests at Scale

Other newsrooms on this story

Related reading

Digital Personal Data Protection Act notified after two years, RTI Act amended

Other newsrooms on this story

Related reading

Digital Personal Data Protection Act notified after two years, RTI Act amended

Supreme Court to look into what constitutes ‘personal data’ in DPDP laws

Certain clauses of Data Act lend themselves to ‘weaponisation’: PCI

Does the Data Act dilute the Right to Information Act? | Explained

Supreme Court refers to Constitution Bench on whether DPDP law uses privacy to…

Draft data protection rules have received almost 7,000 comments: IT Ministry