Question: Are procedures in place to manage data-subject rights (access, correction, deletion, portability, objection)?
Why This Matters
Responding efficiently to data-subject requests demonstrates accountability and avoids penalties under DPDP and GDPR.
Maturity
- 0 — Unaware: No process for rights requests.
- 1 — Ad Hoc: Email-based handling; no tracking.
- 2 — Defined: SOP documented with timelines and approval matrix.
- 3 — Managed: Central register and acknowledgment workflow.
- 4 — Integrated: Identity verification and system integration automated.
- 5 — Optimized: Self-service portal with analytics on SLA compliance.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Publish contact for privacy requests. |
| 1 → 2 | Create SOP with acknowledge/response timelines. |
| 2 → 3 | Maintain register of requests and outcomes. |
| 3 → 4 | Automate identity verification and logging. |
| 4 → 5 | Deploy portal for real-time tracking and metrics. |
Enablers
- People: DPO, Customer Support, Legal
- Process: Intake → verify → respond → close
- Technology: Ticket system, CRM integration
Evidence
- Request register
- Acknowledgment emails and closure records
- Verification procedure
KPIs
- Number of requests received per quarter
- Percentage closed within SLA
- Average response time
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Ticketing | Odoo Helpdesk / TheHive | Track requests |
| Portal | WordPress Form + Database | Public submission |
| Automation | n8n | Auto acknowledge and closure |
Common Pitfalls
- No verification before responding
- Missed statutory deadlines
- Requests not logged
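As an added illustration (not part of this page or any listed tool), the following Python register implements the Intake → verify → respond → close flow from the Enablers section, refuses to respond before identity verification (the first pitfall above), and computes the KPIs listed earlier. The 30-day SLA and the sample requests are constructed assumptions; the statutory deadline depends on the applicable law.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA = timedelta(days=30)  # assumed response window; the statutory deadline comes from the applicable law
RIGHTS = {"access", "correction", "deletion", "portability", "objection"}
@dataclass
class Request:
    request_id: str
    right: str
    received: datetime
    verified: Optional[datetime] = None   # identity verification completed
    responded: Optional[datetime] = None  # substantive response sent
    closed: Optional[datetime] = None

class Register:
    def __init__(self) -> None:
        self.requests: dict = {}
    def intake(self, request_id: str, right: str, received: datetime) -> None:
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        self.requests[request_id] = Request(request_id, right, received)
    def verify(self, request_id: str, when: datetime) -> None:
        self.requests[request_id].verified = when
    def respond(self, request_id: str, when: datetime) -> None:
        req = self.requests[request_id]
        if req.verified is None:  # pitfall guard: never respond before identity is verified
            raise ValueError(f"{request_id}: identity not verified")
        req.responded = when
    def close(self, request_id: str, when: datetime) -> None:
        self.requests[request_id].closed = when
    def kpis(self, start: datetime, end: datetime, now: datetime) -> dict:
        # KPIs over requests received in [start, end): volume, SLA compliance, response time, overdue backlog
        batch = [r for r in self.requests.values() if start <= r.received < end]
        closed = [r for r in batch if r.closed is not None]
        within = [r for r in closed if r.responded - r.received <= SLA]
        overdue = [r for r in batch if r.closed is None and now - r.received > SLA]
        days = [(r.responded - r.received).days for r in closed]
        return {"received": len(batch), "overdue_open": len(overdue),
                "closed_within_sla_pct": round(100 * len(within) / len(closed), 1) if closed else 0.0,
                "avg_response_days": round(sum(days) / len(days), 1) if days else 0.0}

def sample_register() -> Register:
    """Constructed sample data (not real requests) covering one quarter of 2024."""
    reg = Register()
    reg.intake("R1", "access", datetime(2024, 4, 2)); reg.verify("R1", datetime(2024, 4, 3))
    reg.respond("R1", datetime(2024, 4, 10)); reg.close("R1", datetime(2024, 4, 10))  # 8 days
    reg.intake("R2", "deletion", datetime(2024, 4, 15)); reg.verify("R2", datetime(2024, 4, 16))
    reg.respond("R2", datetime(2024, 5, 20)); reg.close("R2", datetime(2024, 5, 20))  # 35 days, SLA missed
    reg.intake("R3", "portability", datetime(2024, 5, 1))  # received; not yet verified or answered
    return reg
```

Calling `sample_register().kpis(...)` for the quarter yields 3 requests, 50% closed within SLA, a 21.5-day average response time and 1 overdue open request, and attempting to respond to R3 before verification raises an error.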
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.6 (Data-subject rights) |
| DPDP Act 2023 | Sec 12 (Rights of Data Principals) |
| GDPR | Art. 15–22 |
| NIST CSF 2.0 | PR.DS-08 / GV.PO |
| NIRMATA Mapping | PD-Q08 operationalizes individual rights management. |