Use case #0001

How DPO AI Handles Borrower Data Access Requests Within 72 Hours

Under the Digital Personal Data Protection Act 2023, every borrower has the right to know what personal data a lender holds about them, how it is being used, and with whom it has been shared. They have the right to correct inaccurate data and to request erasure. These requests must be fulfilled within 72 hours. For a lender managing hundreds of thousands of borrower records across a dozen systems, that SLA is operationally impossible without automation. The DPO AI makes it structurally guaranteed.


What the DPDP Act Requires Lenders to Do

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection legislation, and it creates a specific set of rights for data principals — the individuals whose personal data is processed. For lending institutions, every borrower is a data principal, and every piece of data collected during the loan lifecycle — from Aadhaar-based KYC to credit bureau pulls, from income documentation to repayment behaviour — falls under the Act's scope.

The rights that generate operational obligations are four in particular. The right of access — a borrower can request a summary of all personal data the institution holds about them and the purposes for which it is processed. The right to correction — inaccurate or outdated personal data must be corrected upon request. The right to erasure — personal data that is no longer necessary for the purpose for which it was collected must be erased upon request, subject to legal retention requirements. And the right to grievance redressal — a structured complaints mechanism with defined timelines.

Each of these rights, exercised by a borrower, creates a workflow that spans multiple systems, multiple teams, and multiple data custodians across the institution. Without automation, the 72-hour SLA is not a compliance target — it is a compliance fiction.

"A borrower who asks 'what data do you hold about me?' is asking a question that touches your CBS, your LMS, your CRM, your bureau pull logs, your KYC repository, your collection notes, and your marketing database simultaneously. The DPO AI answers it as one coherent response."

The Four Data Principal Rights — And the DPO AI's Response to Each

Right 01 · DPDP 11

Right of Access & Information

Borrower requests a summary of all personal data held and processing purposes. DPO AI queries all connected systems, compiles a unified personal data inventory, maps each data element to its processing purpose and lawful basis, and generates a structured disclosure document.

SLA: Delivered within 48 hours · Zero manual intervention

Right 02 · DPDP 12

Right to Correction & Completion

Borrower requests correction of inaccurate data (e.g., wrong address, incorrect income figure). DPO AI identifies the data across all systems, routes the correction to each data custodian, tracks completion, and confirms the update to the borrower with a correction certificate.

SLA: Correction confirmed within 72 hours · Custodian SLA enforced

Right 03 · DPDP 13

Right to Erasure

Borrower requests deletion of data no longer necessary for the original purpose. DPO AI assesses each data element against legal retention obligations (RBI record-keeping, PMLA requirements), erases what is legally permissible, retains what is legally mandated with explanation, and provides a disposal certificate.

SLA: Erasure decision within 72 hours · Legal holds auto-applied

Right 04 · DPDP 18

Right to Grievance Redressal

Borrower raises a data protection complaint. DPO AI logs the complaint, classifies it by type and severity, routes it to the appropriate team with context, tracks resolution timelines, and ensures the borrower receives a substantive response — not an acknowledgement — within the Act's prescribed timeline.

SLA: Substantive response within 30 days · Escalation auto-triggered at Day 25

The 72-Hour Pipeline: How a Request Becomes a Response

01
T+00:05 · Receipt

Request Ingestion & Identity Verification

Request arrives via borrower portal, email, WhatsApp, or branch. DPO AI captures it, classifies the right being exercised, and triggers identity verification — the Act requires the fiduciary to verify the requester is the data principal before disclosure. Aadhaar OTP or registered mobile verification is used. The 72-hour clock starts from verified receipt.

02
T+00:30 · Discovery

Cross-System Personal Data Discovery

DPO AI queries every connected data system in parallel: core banking, LMS, CRM, KYC repository, bureau pull logs, collection system, marketing database, and any third-party processor data shares. Every data element associated with the verified borrower identity is catalogued with system source, data category, collection date, and processing purpose.

03
T+02:00 · Classification

Legal Basis & Retention Mapping

Each discovered data element is mapped to its lawful processing basis under DPDP — consent, contractual necessity, legitimate interest, or legal obligation. For erasure requests, each element is assessed against RBI, PMLA, and Income Tax retention requirements. Data that must be retained is flagged with the applicable legal basis and minimum retention period.

04
T+06:00 · Compilation

Personal Data Summary Document Generated

A structured disclosure document is assembled: categories of data held, systems where each category resides, processing purposes, data sharing with third parties (bureaus, LSPs, co-lenders), retention periods, and the borrower's remaining rights. The document is formatted for a non-technical borrower — plain language, not legal boilerplate.

05
T+08:00 · Review

DPO Review for Complex or Sensitive Cases

For access requests involving sensitive personal data (health, financial distress indicators, collection notes), the compiled response is routed to the human DPO for a 30-minute review before dispatch. Routine access requests with no sensitive data flags are dispatched automatically after an internal quality check.

06
T+48:00 · Delivery

Secure Delivery & Audit Trail Closure

The response is delivered to the borrower via their registered channel — encrypted email, secure portal download, or in-app notification. Delivery is logged with timestamp, recipient confirmation, and document hash. The complete request lifecycle — from receipt to delivery — is archived in the DPDP compliance register with all intermediate steps preserved for regulatory inspection.
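An added example, not DPO AI's own code, of how the step 06 audit trail could be kept so that an inspector can detect after-the-fact edits: each lifecycle stage is appended to a hash-chained register, the delivered document's SHA-256 is logged, and escalation fires 12 hours before the 72-hour deadline counted from verified receipt. The hash chaining, the class and field names, and the sample request are assumptions; the 72-hour SLA and the T−12hrs escalation are the page's figures.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=72)              # DPDP SLA quoted on the page
ESCALATE_BEFORE = timedelta(hours=12)  # auto-escalation at T-12hrs (page)

def _digest(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes identically.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class RequestRegister:
    """Append-only, hash-chained lifecycle log (chaining is an assumption)."""
    def __init__(self, request_id: str, verified_at: datetime):
        self.request_id = request_id
        self.deadline = verified_at + SLA  # clock starts at verified receipt
        self.entries = []
        self.append("Receipt", verified_at, {"identity_verified": True})

    def append(self, stage: str, at: datetime, detail: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"request_id": self.request_id, "stage": stage,
                "at": at.isoformat(), "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def log_delivery(self, at: datetime, document: bytes, channel: str) -> None:
        self.append("Delivery", at, {"channel": channel,
                    "document_sha256": hashlib.sha256(document).hexdigest()})

    def needs_escalation(self, now: datetime) -> bool:
        delivered = any(e["stage"] == "Delivery" for e in self.entries)
        return not delivered and now >= self.deadline - ESCALATE_BEFORE

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False  # entry altered, removed or reordered
            prev = e["hash"]
        return True

def demo():
    t0 = datetime(2024, 11, 14, 9, 12, tzinfo=timezone.utc)  # constructed sample
    reg = RequestRegister("DPR-EXAMPLE", t0)
    reg.append("Discovery", t0 + timedelta(minutes=25), {"systems_queried": 12})
    early, late = (reg.needs_escalation(t0 + timedelta(hours=h)) for h in (36, 61))
    reg.log_delivery(t0 + timedelta(hours=62), b"constructed disclosure", "secure portal")
    intact = reg.verify()
    reg.entries[1]["detail"]["systems_queried"] = 3  # simulate a later edit
    return early, late, intact, reg.verify()
```

Anchoring the latest entry hash outside the register (for example in a separate write-once store) is what prevents someone with write access from rebuilding the whole chain.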

The Live Request Tracker

Every data principal request — regardless of type — is tracked in a live dashboard accessible to the DPO and compliance team. No request can fall through the gap. No SLA can be missed without triggering an escalation. The tracker shows request volume, type distribution, current stage, SLA countdown, and completion rate — updated in real time.

Data Principal Rights Request Tracker
Live · 34 Active Requests · 4 Due in 24hrs
| Request ID | Borrower (Masked) | Right Exercised | Received | Current Stage | SLA Remaining | Status |
|---|---|---|---|---|---|---|
| DPR-2847 | R***a S***a · LA24-8821 | Access | Nov 14, 09:12 | Data compilation | 36 hrs left | On Track |
| DPR-2846 | M***l K***r · HL22-4417 | Correction | Nov 14, 11:34 | Custodian routing | 44 hrs left | On Track |
| DPR-2841 | P***i N***r · LA23-1188 | Erasure | Nov 13, 16:20 | Legal hold assessment | 18 hrs left | Watch |
| DPR-2839 | A***h V***a · SM24-9934 | Access | Nov 13, 08:55 | DPO review | 8 hrs left | Urgent |
| DPR-2831 | S***a G***i · HE21-0072 | Grievance | Oct 18, 14:00 | Response delivered | Closed | Completed |

72hrs · DPDP Act SLA — DPO AI achieves 48hrs average on access requests
12+ · Systems queried simultaneously per data discovery request
100% · Requests tracked with full audit trail — zero can fall through
Zero · Missed SLAs since deployment — auto-escalation at T−12hrs

The 72-Hour SLA Is Not the Target — It Is the Floor

Most lenders treating 72 hours as an aspiration will find it impossible to meet consistently at scale. The DPO AI treats it as the absolute floor — the worst-case outcome — and targets 48 hours for access requests as the standard. The borrower who receives their data summary in 48 hours is not just a compliance outcome. They are a trust signal to every borrower who will eventually hear about it.
