DPDP Right to Erasure: The Operational Challenge

Updated: 12 May 2026 by Jetico Technical Support

The DPDP Right to Erasure gives people in India the right to have their personal data erased, placing the obligation to carry it out on the organizations that hold it.

On paper, the requirement is clear. In practice, it can be one of the more troublesome regulatory obligations to fulfill as the path to compliance involves locating and removing every copy of a person’s data across databases, backups, endpoints and third-party systems.

The difficulty of complying with similar regulations in Europe suggests that comparable challenges are likely to follow with the DPDP.

In this blog, you can find out what the DPDP says about the Right to Erasure, why invisible data and data remanence make compliance harder than it looks, what auditors expect as evidence, and how you can use data discovery and secure wiping to simplify the process.

DPDP In a Nutshell

What Is DPDP?

India’s Digital Personal Data Protection Act, 2023 (DPDP Act), along with the companion DPDP Rules, 2025, is India’s first comprehensive data protection law. It sets out how organizations may collect, process and retain personal data, as well as what rights individuals have over that data.

When Did the DPDP Come Into Effect?

The Act was passed in August 2023 and its Rules were published in 2025, with enforcement phasing in through 2026. Organizations processing the personal data of individuals in India should already be working to meet its obligations.

Who Does the DPDP Apply To? 

The law applies to Data Fiduciaries, meaning any person or organization that decides the purpose and means of processing digital personal data. It covers organizations based in India, and it also applies extraterritorially to any entity offering goods or services to individuals in India. Size isn’t a factor: startups and large corporations all fall under its scope.

What Does the DPDP Say About the Right to Erasure?

The Right to Erasure is set out across multiple sections of the DPDP Act and its Rules:

| DPDP Provision | What It Says | What It Means in Practice |
| --- | --- | --- |
| Section 12(1) | Data Principals have the right to correction, completion, updating and erasure of personal data | Individuals can request erasure of any personal data they previously consented to being processed |
| Section 12(3) | Data Fiduciaries must erase personal data on request unless retention is required by law or for a specified purpose | Erasure is the default. The burden is on the organization to justify keeping the data, not on the individual to justify removing it |
| Section 8(7) | Personal data must be erased when consent is withdrawn, or the specified purpose is no longer being served | Erasure isn’t only triggered by a request. Organizations must also erase data proactively when consent is withdrawn or the purpose is fulfilled |
| Rule 13, DPDP Rules | Describes the manner in which erasure requests must be submitted and handled | Organizations need a defined process for receiving and responding to requests, not just the technical ability to erase |

The legal obligation is clear. What the law doesn’t do is tell organizations how to find every copy of the data they are supposed to erase.

What Does GDPR Tell Us About DPDP Erasure?

The requirement behind the DPDP Right to Erasure isn’t new. GDPR has included an equivalent right under Article 17 since 2018, and in that time the EU has learned how difficult it is to implement in practice. 

In February 2026, the European Data Protection Board published the results of a coordinated enforcement action on GDPR’s Right to Be Forgotten involving 32 data protection authorities and 764 controllers across Europe. The findings identified 7 recurring challenges, including a lack of internal procedures to handle erasure requests, inconsistent practices and difficulties deleting personal data from backups. A decade after GDPR was created, erasure remains an operational problem the EU hasn’t solved. It’s reasonable to expect that organizations in India will face similar challenges under the DPDP.

What’s the Difference Between Deleting & Erasing?

Before going further, let’s clear up an important distinction between deleting by normal means and securely erasing:

| | Deleting | Erasing |
| --- | --- | --- |
| What Happens? | Reference to the file is removed | Actual data is overwritten on the drive |
| Is the Data Still There? | Yes: recoverable with widely available tools | No: removed beyond forensic recovery |
| Meets DPDP Erasure Requirements? | No | Yes |

How Much of Your Data Is Invisible?

Before you erase someone’s data, you first have to locate all copies of every file. In practice, this is where many organizations discover how little of their own data they are actually aware of.

A substantial portion of personal data exists outside of what organizations actively track or manage. It can be estimated that only 10-25% of information is visible, with a greater amount existing as invisible data and data remanence.

Both states can hold the same person’s data at the same time. A customer’s email address can end up in a temporary file as invisible data or linger in the free space of a drive where the export used to be as data remanence. In both cases, the CRM record is long gone, but the data is not. The result is erasure that is partial and non-verifiable.

How Can Organizations Comply with the DPDP Right to Erasure?

Compliance is less about responding well to individual erasure requests and more about building the internal capability that makes responding well routine. That capability needs to cover three things: discovering where personal data actually lives across the environment, erasing it securely and generating audit-ready evidence throughout the process.  

What Evidence Do Auditors Expect for DPDP Erasure?

In my experience, auditors look for 4 things when evaluating an erasure request: proof of execution, proof of completeness, proof of method, and proof of governance.

  • Can you prove it happened? Auditors want logs tied to the specific request, with timestamps and details of the systems and devices involved. A policy document is not enough. Instead, they want a record showing that erasure actually occurred.
  • Can you prove it was complete? Auditors want evidence that every location holding the data was identified and addressed. If an organization can’t show how it found the data, then it can’t credibly claim it found all of it.
  • Can you prove it was done properly? Confirmation is needed that the method used prevents recovery. Deleting without secure erasure isn’t enough. 
  • Can you prove it was controlled? Auditors want to see defined policies, repeatable processes and named owners. This provides evidence that future erasure requests will be handled in the same way.

A certificate of erasure is a good first step, but a truly audit-ready approach requires more. It needs to show not just that a wipe happened, but that every copy was found and that the process is repeatable.
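The four proofs above can be captured in a single record per request. The sketch below is an added example, not Jetico's tooling or log format: the function names, the request ID, the owner and the sample files are all constructed for illustration. It assumes a filesystem that overwrites in place (not guaranteed on SSDs or copy-on-write volumes), uses a single zero pass as a stand-in for a real wiping scheme, and treats any file containing the identifier as wholly in scope.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def discover(root, identifier):
    """Completeness: list every file under root that contains the identifier."""
    needle, hits = identifier.encode(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if needle in fh.read():
                    hits.append(path)
    return sorted(hits)

def overwrite_and_remove(path):
    """Method: overwrite contents in place, flush, read back, then unlink."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())  # push the overwrite out of OS buffers
        fh.seek(0)
        verified = fh.read() == b"\x00" * size  # logical read-back, not a media-level check
    os.remove(path)
    return {"path": path, "bytes": size, "method": "single-pass zero overwrite",
            "verified": verified, "utc": datetime.now(timezone.utc).isoformat()}

def handle_request(request_id, identifier, root, owner):
    """Execution and governance: tie discovery, wipe and re-scan to one request."""
    found = discover(root, identifier)
    actions = [overwrite_and_remove(p) for p in found]
    remaining = discover(root, identifier)  # second scan shows what, if anything, is left
    return {"request_id": request_id, "owner": owner, "scope": root,
            # store a hash so the evidence log does not hold the identifier in clear
            "identifier_sha256": hashlib.sha256(identifier.encode()).hexdigest(),
            "locations_found": found, "actions": actions, "post_scan_hits": remaining,
            "complete": not remaining and all(a["verified"] for a in actions)}

def demo():
    """Constructed sample tree: a CRM export, a temp copy, a log line, an unrelated file."""
    root, email = tempfile.mkdtemp(), "asha@example.com"
    for name, body in [("crm_export.csv", f"1,Asha,{email}\n"), ("~tmp123.tmp", f"{email}\n"),
                       ("app.log", f"login ok user={email}\n"), ("readme.txt", "no personal data\n")]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return handle_request("ER-0001", email, root, "privacy-team"), root

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The `post_scan_hits` field is the part a bare certificate of erasure lacks: it records that the same discovery step was re-run after the wipe and came back empty.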

One last, important point here. If an organization is only thinking about the questions listed above when an auditor arrives, they are already behind. Being able to answer those questions should be a byproduct of how personal data is handled day to day, not assembled under pressure when the audit notice lands. The organizations that will cope well under DPDP enforcement are the ones that audit themselves before anyone else does.

Using BCWipe & Search to Comply with DPDP 

Taking Jetico’s tools as an example, here’s what building the capability to successfully respond to erasure requests can look like in practice. 

  • Find it with Search. Search is a sensitive data discovery tool built into the Enterprise Edition of BCWipe. When an erasure request arrives, an administrator can use Search to select the relevant data format templates, run a scan across all connected endpoints and see exactly where that individual’s data resides. This gives auditors and regulators evidence that the discovery process was thorough and that no copies were missed.
  • Erase it with BCWipe. BCWipe is Jetico’s selective wiping tool, trusted by the U.S. Department of Defense for over 20 years. Once all copies of data have been located, admins can use BCWipe to wipe those specific files beyond forensic recovery.
  • Erase it at end-of-life with BCWipe Total WipeOut. BCWipe Total WipeOut is a full-disk wiping solution for devices being decommissioned or repurposed. Before a laptop or server leaves the organization, an admin can use BCWipe Total WipeOut to wipe the entire drive, ensuring no personal data leaves with the hardware.
  • Prove it with logs and certificates of erasure. Both BCWipe and BCWipe Total WipeOut can generate detailed logs and a certificate for every wipe action. By linking these records back to the original erasure request, admins are able to build the audit trail that ties discovery, erasure and evidence together in a single documented process.

Doing It Isn’t Enough. You Have to Prove It

The most underestimated aspect of the DPDP Act, in my view, is the shift it represents. The Act does not just require Data Fiduciaries to erase personal data. It effectively requires them to be able to show where the data existed, how it was erased and what evidence confirms that no recoverable traces remain. As enforcement matures, I expect regulatory attention to focus on traceability, completeness and audit-ready records rather than on stated intent. 

Under DPDP, compliance is no longer just about doing the right thing. It is about being able to prove it. The organizations that will struggle with the DPDP Right to Erasure are not the ones that refuse to comply. They are the ones that can’t see what they are supposed to erase and can’t demonstrate what they did. 

Frequently Asked Questions (FAQs)

What Is the DPDP Right to Erasure?

Section 12 of India’s DPDP Act gives individuals the right to have their personal data erased. Data Fiduciaries, the organizations holding the data, must comply unless retention is required for the original purpose or by law. In practice, this covers most personal data an organization holds, since the right applies to anything the individual previously consented to being processed.

When Is Erasure Required Under the DPDP?

The DPDP Act sets out two triggers for erasure. Under Section 12, an individual can submit an erasure request at any time, and the organization must comply. Section 8(7) goes further: it requires Data Fiduciaries to erase personal data proactively when consent is withdrawn or when the specified purpose for processing is no longer being served. Organizations therefore need internal processes that detect both situations and act on them — not just response procedures for incoming requests.

What Is Invisible Data and Data Remanence?

Invisible data is personal information an organization doesn’t realize it holds — typical examples include temporary files, application caches, log files and forgotten copies in collaboration tools. Data remanence is something different: the trace of data that remains on a storage device after deletion by normal means. Both create the same problem for the DPDP Right to Erasure.

What Evidence Do Auditors Expect for DPDP Erasure Compliance?

Auditors typically look for proof that erasure happened, that it was complete across all systems, that the method used prevents recovery and that the process is governed and repeatable.

Why Isn’t Normal Deletion Enough to Comply with the DPDP?

Normal deletion only removes the reference to a file, the operating system’s pointer that says “this file lives here.” The file’s data continues to exist on the drive until that storage location happens to be overwritten by something else, which may not occur for a long time, if at all. In that window, anyone with widely available recovery tools can retrieve the data. Secure erasure overwrites the data itself, removing it beyond forensic recovery and producing a verifiable record.

What Are the Penalties for DPDP Non-Compliance?

The Data Protection Board of India imposes financial penalties tiered by violation type. The highest band is ₹250 crore (approximately USD 30 million), for security safeguard failures under Section 8(5) that lead to a personal data breach. Failure to notify a breach or to meet children’s data obligations each carry separate bands of up to ₹200 crore. Other violations, including Right to Erasure failures under Section 12, fall under a catch-all band of up to ₹50 crore per violation.
