
Nomination right under the DPDP Act for product teams

A practical checklist for implementing the DPDP nomination right in account settings, rights workflows, support processes and verification paths.

A nominee field is not an heirloom cupboard; product teams should not discover it only after something has gone wrong.

The DPDP Act gives a Data Principal the right to nominate another individual who can exercise the Data Principal's rights if the Data Principal dies or becomes incapacitated. For product teams, this is not merely a legal clause to paste into a privacy policy. It is a workflow problem: where the user nominates someone, how that nominee is recorded, what proof is needed later, how the nominee is authenticated, and how the team avoids exposing personal data to the wrong person.

The right matters because privacy rights can outlive ordinary account activity. Access, correction, erasure, grievance and consent-related questions may arise when a user can no longer act for herself. If the product has no nomination path, support and legal teams may end up improvising through emails, bereavement requests, family claims or account recovery tickets. That is a poor place to make sensitive data decisions.

A good nomination workflow should be modest, traceable and proportionate. It should not ask users to provide excessive family details. It should not promise succession, inheritance or account ownership outcomes that belong to other laws or terms. It should simply create a reliable way to record one or more nominated individuals and later assess whether a request is being made through the correct channel.

What to review

Start with the account settings, privacy dashboard, help centre and rights request flow. Check whether a user can find the nomination option without contacting support. If nomination is handled only by email, review whether the instructions are visible, specific and usable.

Review the data fields. The product should usually capture the nominee's name, relationship or description if relevant, contact detail, date of nomination, user identifier, and whether the nomination replaces or adds to an earlier nomination. Avoid collecting identity documents at the initial nomination stage unless there is a clear operational reason and retention rule.

Then review the later-use workflow. The difficult part is not only recording the nominee. It is deciding what happens when someone later claims to act as a nominee. Teams need a method to verify the requester, check the nomination record, assess death or incapacity evidence where applicable, route the request to the correct privacy workflow, and record the decision.

Product teams should also review dependencies. If consent, rights requests, deletion, grievance redressal and account closure all live in separate systems, the nomination record must be visible to the teams that will need it. Otherwise, the field exists but the workflow does not.

Implementation steps

Create a nomination entry point in the privacy or account settings area. Keep the copy plain: the feature allows a Data Principal to nominate one or more individuals who may exercise DPDP rights if the Data Principal dies or becomes incapacitated. Do not describe the nominee as an account owner, legal heir or universal representative.

Define the minimum nomination particulars. The notified DPDP Rules refer to using the means published by the Data Fiduciary and furnishing the particulars required for exercising the right. For most products, the particulars should identify the Data Principal, identify the nominee, record contact information and create a dated audit trail.

Build update and revocation logic. A Data Principal should be able to add, change or remove a nominee through a controlled flow. The product should record the active nomination, retain necessary change history, and make clear whether the latest nomination supersedes earlier entries.

Design the nominee request workflow separately. When a nominee later contacts the organisation, the team should verify the requester's identity, match the requester to the nomination record, collect proportionate evidence of death or incapacity, and then route the specific request to access, correction, erasure or grievance handling.

Add internal guardrails. Sensitive account data should not be disclosed merely because a requester knows the Data Principal's name, email or phone number. Support teams should have escalation triggers for disputed nominations, conflicting family requests, suspected fraud, minors' accounts, high-risk data and requests seeking broad account takeover.

Finally, test the workflow. Run tabletop scenarios: a user adds a nominee, changes the nominee, removes the nominee, a nominee requests access after the user's death, and two people claim authority. These tests reveal whether the product, support and legal teams are using the same decision path.
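
The decision path in the steps above, sketched as an added example (not DataNuance's or any product's own code). The record fields, outcome labels and matching on the nominee's contact detail are assumptions made for illustration; identity verification and evidence review are represented by flags set by the team's own checks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

RIGHTS = {"access", "correction", "erasure", "grievance"}

@dataclass
class Nomination:              # hypothetical record; fields follow the checklist
    principal_id: str
    nominee_name: str
    nominee_contact: str
    nominated_at: datetime
    revoked_at: Optional[datetime] = None   # history is kept, never deleted

@dataclass
class NomineeRequest:
    principal_id: str
    requester_contact: str
    right: str
    identity_verified: bool = False    # result of the team's own identity check
    trigger_evidence_ok: bool = False  # death/incapacity evidence accepted
    disputed: bool = False             # conflicting claim or fraud flag

def active(history, principal_id):
    """Nominations for this Data Principal that have not been revoked."""
    return [n for n in history
            if n.principal_id == principal_id and n.revoked_at is None]

def revoke(history, principal_id, contact, when):
    """Mark a nominee as removed while retaining the change history."""
    for n in active(history, principal_id):
        if n.nominee_contact == contact:
            n.revoked_at = when

def decide(history, req, audit):
    """Return (outcome, reason) and append the decision to the audit trail."""
    if req.right not in RIGHTS:
        result = ("escalate", "not a specific DPDP right")
    elif req.disputed:
        result = ("escalate", "disputed or conflicting claim")
    elif not req.identity_verified:
        result = ("deny", "requester identity not verified")
    elif not any(n.nominee_contact == req.requester_contact
                 for n in active(history, req.principal_id)):
        result = ("deny", "no active nomination for requester")
    elif not req.trigger_evidence_ok:
        result = ("pending", "death or incapacity evidence required")
    else:
        result = ("route", req.right)
    audit.append((datetime.now(timezone.utc), req.principal_id, *result))
    return result
```

The tabletop scenarios listed above map directly onto calls to `revoke` and `decide`, so the same cases can be kept as regression tests for the support and privacy tooling.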

Common mistakes

  1. Treating nomination as a free-text support note instead of a controlled privacy-rights record.
  2. Confusing a DPDP nominee with a legal heir, account owner or general power-holder for every product decision.
  3. Building the nomination field without a later verification and escalation workflow for nominee requests.

How DataNuance can help

DataNuance helps teams convert the DPDP nomination right into a practical product and operations workflow. We review account settings, rights request flows, identity checks, support playbooks, retention rules and evidence records, then draft a nomination SOP that product, support, privacy and legal teams can use consistently. For implementation support, speak with DataNuance.

FAQs

Does every product need a nominee feature?

Every Data Fiduciary should assess how Data Principals can exercise the nomination right through the published means for rights requests. The exact product implementation can vary, but the organisation should not rely on ad hoc support emails without a defined intake and verification path.

Can a Data Principal nominate more than one person?

The notified DPDP Rules refer to nominating one or more individuals. Product teams should decide whether the interface allows multiple nominees, how priority is recorded, and what happens when later requests conflict.

Should we verify the nominee when the user first adds them?

Usually, initial nomination can be lightweight, but the later request should be verified carefully before any personal data is disclosed or a rights request is processed. The right balance depends on account risk, data sensitivity and the consequences of misuse.

What should happen if a nominee asks for account access?

The request should be treated as a DPDP rights workflow, not automatic account takeover. Verify the nominee, check the nomination record, confirm the triggering event where relevant, identify the specific right being exercised, and escalate high-risk or disputed cases.

Sources

  • Ministry of Electronics and Information Technology, Digital Personal Data Protection Act, 2023.
  • Ministry of Electronics and Information Technology, Digital Personal Data Protection Rules, 2025.

This publication is general information and is not legal advice for a specific organisation or matter.
