The Act requires every Data Fiduciary to have a procedure for addressing grievances of Data Principals. Typically, this means designating a grievance officer and publishing their contact details. When an individual raises a complaint (e.g., misuse of data or denial of a rights request), the organization should respond and resolve it ideally within the specified timeline (draft rules suggest a resolution within 30 days). If the individual is not satisfied with the outcome, they can escalate the complaint to the Data Protection Board of India (DPB). The DPB is the central regulatory authority established by the Act to oversee compliance with the Act. It has the power to conduct inquiries, summon information, and adjudicate disputes. Importantly, the DPB’s processes will be online and user-friendly, enabling data principals to file complaints digitally. The Board can order organizations to take remedial action and can impose penalties for violations. Its orders can be appealed to a specialized appellate tribunal, and further up to the High Court/Supreme Court if needed, forming a tiered enforcement mechanism. In essence, the grievance redressal system is two-layered: first with the company, and then an independent Data Protection Board for unresolved issues. Organizations should document all complaints and resolutions, as the DPB can demand these records during investigations.