What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Quick Answer•3 min read

DPDP: Can Indian Customers Demand Data Deletion?

Expert insights from Sushant Pasumarty on DPDP's Right to Erasure for Indian businesses. Learn how to prepare for data deletion requests.

Sushant Pasumarty18 May 2026

DPDP: Can Indian Customers Demand Data Deletion?

Yes, under India's Digital Personal Data Protection Act (DPDP Act), Indian customers (referred to as 'Data Principals') can demand the deletion of their personal data. This is enshrined in Section 13(1) of the Act, which grants Data Principals the 'Right to Erasure'. Businesses (referred to as 'Data Fiduciaries') must acknowledge and act on these requests, provided certain conditions are met.

Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), emphasizes that this right is not absolute. Data Fiduciaries can deny deletion requests if the data is necessary for a legal obligation, for exercising a legal claim, or for specific public interest purposes. Understanding these nuances is critical for compliance.

Current Enforcement Reality: What to Expect Now

While the DPDP Act is enacted, the specific rules and regulations for its implementation are still being formulated. This means that while the right to data deletion exists on paper, the exact mechanisms for making and enforcing these requests are not yet fully operational. The government has indicated a phased rollout.

Despite the lack of immediate strict enforcement, businesses should proactively prepare. Establishing internal processes for data deletion requests now will position your organization for smoother compliance when the rules are finalized. Sushant Pasumarty recommends preparing for the eventual full enforcement.

Tip from Sushant: Don't wait for explicit enforcement notices. Proactive compliance builds trust and reduces future remedial costs.

What Your Business Must Do to Prepare for Data Deletion Requests

Preparing for the Right to Erasure involves several key steps:

Identify Personal Data: Map out every instance where your business collects, stores, processes, or shares personal data. This forms the foundation for managing deletion requests.
Establish Deletion Protocols: Develop clear internal policies and procedures for receiving, verifying, and fulfilling data deletion requests. This includes timelines for response.
Implement Technical Capabilities: Ensure your IT systems and databases can actually delete data effectively and comprehensively across all storage locations. This often requires significant technical work.
Train Your Teams: Educate customer service, HR, IT, and legal teams on the DPDP Act's requirements, specifically regarding data principal rights and how to handle such requests.
Review Third-Party Agreements: If you share personal data with third-party vendors or processors, ensure your contracts obligate them to comply with deletion requests you receive.

Cost of DPDP Compliance: MBS Productized Services

Meridian Bridge Strategy (MBS) offers structured services to help Indian businesses achieve DPDP compliance, including readiness for data deletion requests. Here's a breakdown of the typical costs:

Tier	Includes	Price	Duration
Data Mapping	Map every personal data flow	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Audit + Recommendations + 90-day roadmap	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation + DPO + Readiness Opinion	₹7L – ₹12L	3-6 months

Full DPDP Consulting: Our most comprehensive service, including implementation support and a readiness opinion from Sushant Pasumarty, ensuring your business is fully equipped for all DPDP provisions.

When Should Your Business Start DPDP Preparation?

The time to start preparing for DPDP compliance, including the Right to Erasure, is now. While full enforcement rules are pending, proactive measures allow businesses to integrate compliance into their operational fabric rather than reacting under pressure. Delaying preparation can lead to higher costs, operational disruption, and potential penalties once the Act is fully implemented.

Sushant Pasumarty recommends initiating a DPDP Readiness Audit within the next 3-6 months to accurately gauge your organization's current standing and identify critical gaps.

Next Step: Assess Your DPDP Readiness

Understanding the Right to Erasure is one piece of the DPDP puzzle. To ensure comprehensive compliance, your business needs a holistic strategy. Begin by understanding your current data landscape and identifying where personal data resides. MBS offers initial consultations to help Indian business founders, CXOs, CTOs, HR heads, and compliance officers understand their specific DPDP requirements.

Frequently Asked Questions

What is the Right to Erasure under DPDP?

The Right to Erasure (Section 13(1)) allows Indian customers (Data Principals) to demand that businesses (Data Fiduciaries) delete their personal data. This right is subject to certain conditions and exceptions, such as data required for legal obligations.

Can a business refuse a data deletion request under DPDP?

Yes, a business can refuse a deletion request if the data is necessary for a legal obligation, for exercising a legal claim, or for specific public interest purposes. Accurate record-keeping of personal data uses is crucial for justifying any refusal.

What happens if a business doesn't comply with a valid deletion request?

While the specific penalties and enforcement mechanisms are still being finalized under DPDP, non-compliance with the Act's provisions, including data principal rights, could lead to significant financial penalties. Proactive compliance is key to avoiding these risks.

How long does it take to become DPDP compliant for data deletion?

The time required varies significantly based on an organization's size, data complexity, and existing infrastructure. MBS's services range from 1-2 weeks for Data Mapping to 3-6 months for Full DPDP Consulting, which includes implementation for rights like data deletion.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →

DPDP: Can Indian Customers Demand Data Deletion?

DPDP: Can Indian Customers Demand Data Deletion?

Current Enforcement Reality: What to Expect Now

What Your Business Must Do to Prepare for Data Deletion Requests

Cost of DPDP Compliance: MBS Productized Services

When Should Your Business Start DPDP Preparation?

Next Step: Assess Your DPDP Readiness

Frequently Asked Questions

Related Guides

DPDP Compliance: Mandatory for Indian Startups?

DPDP Fines for Small Businesses: What You Need to Know

DPDP Act: Foreign Companies in India – Guide by MBS

Check Your DPDP Cost