
A deletion request is one of the clearest tests of whether your business is actually DPDP-compliant. Here's what you're required to do, by when, and where businesses get it wrong.
Sooner or later, a customer is going to email you and say: delete my data.
It's a short message. It feels simple. And it is one of the sharpest tests of whether your business is genuinely DPDP-compliant — because honouring it properly requires you to know things most businesses haven't worked out, and to do them inside a deadline most businesses aren't tracking.
Here's what actually has to happen.
The right is real, and it's the customer's
Under DPDP, a Data Principal — your customer — has the right to ask you to erase their personal data. This isn't a courtesy you may grant. It's a right you're obliged to honour, subject to specific exceptions. When the request comes in, you don't get to ignore it, and you don't get to take as long as you like.
The clock starts when the request arrives
The moment a valid deletion request lands, a deadline begins. You're expected to act within a defined period — and "we were busy" or "it got lost in the inbox" is not a defence. If the request sits unactioned past the deadline, you've failed an obligation, with a penalty attached.
This is the first place businesses fall down: there's no process to receive the request, no clock tracking it, and no owner accountable for closing it. The request arrives, gets half-noticed, and quietly expires.
"Delete" means more than your database
Here's the part that catches people. When you erase a customer's data, you have to erase it everywhere it lives — not just the row in your primary database. That includes:
- Your CRM
- Your email/marketing platform
- Your support tooling
- Backups and exports
- Any vendor (Processor) holding that data on your behalf
If you can't account for every place a customer's data sits, you can't actually complete the deletion — and a partial deletion is an incomplete obligation. This is why a clear data map matters: without knowing where the data is, "delete my data" is a request you literally cannot fulfil correctly.
But not everything always gets deleted
There's nuance here that trips up businesses going the other way — deleting too much, too fast. DPDP's erasure right operates within limits: where you have a legal obligation to retain certain data (tax records, regulatory requirements), or where the data is needed for a permitted purpose, you may be required or entitled to keep specific items even after a deletion request.
So the correct response to "delete my data" isn't always "delete everything." It's: erase what must be erased, retain what the law requires you to retain, and be able to explain the difference. Getting that judgment right is exactly where general instinct fails and specific knowledge of the law matters.
Where businesses get it wrong — a checklist
In practice, deletion requests fail for predictable reasons:
- No intake. No defined way for the request to reach the right person.
- No clock. Nobody tracking the deadline; the request expires unnoticed.
- Database-only deletion. The primary record is removed; the CRM, email tool, and vendors still hold the person.
- Over-deletion. Erasing data that legally had to be retained, creating a different compliance problem.
- No record of completion. The deletion happens, but there's nothing to prove it happened, on time, correctly.
That last one matters more than it looks. Compliance isn't just doing the right thing — it's being able to show you did it. If a complaint or inquiry follows, your defence is the record.
Doing this reliably, every time
A single deletion request, handled carefully by hand, is manageable. The problem is doing it correctly and provably, every time, across all your systems and vendors, within the deadline, while making the right retain-or-erase judgments — as a busy business, indefinitely.
That's the operating discipline we built Pramaan to carry. When a request comes in, we capture it, start its clock, assemble exactly what's required — which data, which systems, which vendors, by when — and tell you what to do. You stay in control of your systems; we make sure the obligation is clear, tracked, and nothing slips.
This article is general information, not legal advice. Erasure scope, retention exceptions, and timelines depend on your specific circumstances and should be confirmed with a qualified advisor. To pressure-test how your business handles deletion requests, book a free compliance review.