Most Indians are familiar with the RTI — the Right to Information Act — which gave citizens the ability to formally ask government bodies what information they hold and how they are using it. The DPDPA 2023 creates something analogous for the private digital world. As a Data Principal, you now have formal, enforceable rights over your personal data — and understanding them is the first step to actually using them.
The rights are straightforward in principle. You can ask any data fiduciary — a bank, a telecom provider, a health app, an e-commerce platform — what personal data of yours they hold and how it is being processed. You can request that they correct inaccurate data. You can ask them to delete data they no longer have a legitimate reason to hold, which the law frames as the fulfilment of purpose — once the reason for collection is over, the data should go. And if you have a grievance about how your data is being handled, you can approach the Data Protection Board, which functions as the adjudicating authority under the Act.
What makes these rights meaningful is that fiduciaries are obligated to respond, not just acknowledge. This is new territory for most Indian companies, many of which have no existing mechanism to field individual data queries at scale. For citizens, the shift required is one of awareness — knowing that these rights exist, and developing the habit of exercising them the same way one would dispute a bank charge or contest an incorrect credit report. Data is an asset. The law now gives you tools to manage it.
