Data Retention & Deletion Under DPDP: India SMB Guide

Under India's Digital Personal Data Protection (DPDP) Act 2023, businesses must erase personal data once its collection purpose is fulfilled — or once the Data Principal withdraws consent. Holding data beyond its useful life is no longer a passive risk; it is a statutory violation. This guide covers the storage-limitation and purpose-limitation principles, the right to erasure, how to build a data retention schedule, how to reconcile DPDP with sectoral laws, and the steps an Indian SMB must take to comply.

What DPDP Says About Storage Limitation

The DPDP Act 2023, notified by MeitY, establishes two intertwined obligations for every Data Fiduciary:

Purpose limitation: Personal data may be processed only for the specific, lawful purpose for which it was collected and for which consent (or a valid deemed-consent ground) was obtained.

Storage limitation: Once that purpose is no longer being served — because it is complete, consent has been withdrawn, or the account has been inactive beyond a threshold — the data must be erased. The Act does not permit indefinite retention "just in case."

One carve-out exists: if a law currently in force requires retention for a specific period, the fiduciary must retain for exactly that period — no longer. Reconciling DPDP deletion duties with sectoral retention mandates is the single most complex practical challenge for Indian businesses.

⚠️

WARNING

Holding personal data you no longer need is not a neutral act under DPDP. Every additional day of over-retention extends your breach-exposure window and your regulatory liability window simultaneously.

The Data Principal's Right to Erasure

The DPDP Act grants Data Principals — your users, customers, employees — the right to withdraw consent. Upon withdrawal, the Data Fiduciary must cease processing and erase the data, subject only to mandatory legal retention obligations. The Act also provides a right to request correction and erasure of personal data (FLAGS: VERIFY exact section number once Rules are notified).

This is not a soft right. A Data Principal whose erasure request is ignored has a path to the Data Protection Board of India (DPBI), which can levy penalties after inquiry. MeitY has signalled a penalty regime substantial enough to deter non-compliance at enterprise scale — the magnitude runs into multiple crores for safeguarding failures.

The practical implication: every product that collects personal data needs a functional erasure workflow, not a checkbox that silently does nothing.

Why Over-Retention Is a Breach Amplifier

Data you do not need is data that can be stolen. Regulators and courts have consistently held that retaining excess data is itself a security failure — not merely a compliance failure.

Consider a fintech that retains KYC scans indefinitely because "the auditors might ask." When that storage is compromised, they have exposed Aadhaar copies and PAN cards that should have been deleted years earlier. Under DPDP, this creates dual liability: the breach itself, and the over-retention that magnified its scope.

73%Indian organisations lack a formal data retention policy (DSCI Data Protection Survey 2024)

ℹ️

INFO

Industry breach investigations consistently show that a significant share of compromised records involve data that had already exceeded its operational purpose. Over-retention directly expands breach scope.

🚨

DANGER

Over-retained data is not just a compliance violation — it is a liability amplifier. A breach of data you were obligated to delete is harder to defend legally and operationally.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Building a Data Retention Schedule

A retention schedule maps every category of personal data to its retention period, legal basis, and deletion trigger. It is the operational backbone of DPDP storage-limitation compliance.

Step 1 — Data Mapping

List every category of personal data you collect, where it is stored (database, backups, third-party processors, logs), who can access it, the legal basis for collection, and the specific documented purpose. You cannot schedule deletion for data you have not catalogued.

Step 2 — Assign Retention Periods

Retention periods must be grounded in either the operational purpose or a legal requirement. Where no legal minimum applies, the shortest period consistent with the business purpose is the right default.

Example Retention Schedule (Illustrative)

Data Category	Typical Retention Basis	Trigger for Deletion
KYC / identity documents	RBI / PMLA (5–10 years)	Account closure + mandatory period elapsed
Payment transaction records	RBI PSP guidelines (up to 5 years)	Transaction settled + mandatory period elapsed
User account profile data	Duration of account + 90 days post-closure	Account deletion request or inactivity threshold
Marketing preferences and campaign data	Consent active	Consent withdrawn or campaign objective met
Customer support tickets	Reasonable operational window (12–24 months)	Issue resolved + window elapsed
Application / server logs	Security / incident investigation (6–12 months)	Log rotation policy elapsed
Employee HR records	Companies Act, Income Tax Act (varies, typically 8 years)	Statutory period after separation
Website cookies and analytics	Consent active	Consent withdrawn or session end (session cookies)

💡

TIP

Err on the side of a shorter retention period for marketing data and behavioural analytics. These categories have the weakest legal justification for long-term retention and the highest DPDP exposure if held without active consent.

Step 3 — Implement Automated Deletion

A schedule on paper is not compliance. You need scheduled jobs that delete records past their retention date, backup hygiene procedures (deleted live records must also be removed from backups or cryptographically segregated), log purge policies aligned to your schedule, and Data Processing Agreements that bind third-party processors to the same deletion timelines.

Secure Deletion: Logical vs Cryptographic Erasure

Not all deletion is equal. A DELETE SQL statement typically marks rows as deleted but does not overwrite underlying storage. For sensitive personal data, choose the right method:

Logical deletion marks data as deleted in the application layer but bytes may persist on disk until overwritten. Acceptable for low-sensitivity operational data where backup cycles eventually overwrite the blocks.

Cryptographic erasure encrypts data with a unique key per record. When the retention period ends, the key is destroyed — the data becomes inaccessible even if physical blocks persist. This is the recommended approach for biometrics, health data, and financial records in cloud environments.

Backups and third-party processors are the most overlooked vector. Organisations delete live data but leave the same record in daily backups, audit logs, and data-warehouse snapshots. Your deletion process must cover backup sweeps or key destruction, and Data Processing Agreements must bind processors to the same timelines. "We deleted it from our DB" is not sufficient if the data persists with a vendor.

Data Lifecycle and Retention Decision Flow

graph TD
    A[Personal Data Collected for Purpose]:::normal --> B{Purpose Still Active?}:::normal
    B -->|Yes| C[Continue Processing - Retain Data]:::success
    B -->|No - Purpose Served| D{Consent Withdrawn?}:::normal
    C --> B
    D -->|Consent Still Active| C
    D -->|Consent Withdrawn or Purpose Complete| E{Law Requires Retention?}:::normal
    E -->|Yes - Legal Mandate| F[Retain for Legally Required Period Only]:::normal
    F --> G[Delete Securely After Mandatory Period]:::success
    E -->|No Legal Mandate| H[Delete Securely Without Delay]:::success
    H --> I[Confirm Deletion from Backups and Processors]:::success
    G --> I

    classDef normal fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    classDef danger fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    classDef success fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Reconciling DPDP Deletion with Sectoral Retention Laws

This is the most nuanced area of DPDP compliance. Multiple sector-specific laws impose mandatory minimum retention periods that may exceed what DPDP's storage-limitation principle would prefer.

Key sectoral mandates (illustrative — always verify with your legal counsel):

PMLA 2002 and RBI KYC Master Direction: Financial intermediaries must retain KYC records and transaction records for a prescribed period after the business relationship ends.
Companies Act 2013: Certain books of account must be retained for a minimum period after the relevant financial year.
Income Tax Act 1961: Financial records must be retained for a period sufficient to cover potential scrutiny windows.
IT Act 2000 and CERT-In Directions 2022: Logs and incident records must be retained for a minimum period. (Commonly cited as 180 days for CERT-In — FLAGS: VERIFY specific period against current Directions.)

The DPDP Act resolves this conflict with a clear hierarchy: statutory retention obligations override the deletion duty for their duration. Once the statutory period expires, the DPDP deletion obligation reasserts immediately. The error most businesses make is treating statutory minimums as indefinite permission to retain — a mandatory retention period is a ceiling as much as a floor. Document the specific legal citation in your retention schedule and trigger deletion on the day it expires.

Data Retention Periods by Category — Relative Overview

pie title Relative Retention Horizon by Data Category
    "KYC and Financial Records" : 35
    "HR and Payroll" : 25
    "Operational Logs" : 15
    "Marketing and Analytics" : 10
    "Support Tickets" : 10
    "Session and Cookies" : 5

Practical Steps for an Indian SMB

Compliance does not require a large legal team. A focused action plan:

Step	Action	Owner	Timeline
1	Complete a data-flow map covering all systems	CTO / DPO	Week 1–2
2	Draft a Data Retention Schedule with legal citations	Legal + CTO	Week 2–4
3	Implement automated deletion jobs per schedule	Engineering	Month 2
4	Add erasure workflow to user account settings	Engineering	Month 2
5	Update DPAs with all third-party processors	Legal	Month 2–3
6	Add backup sweep / cryptographic erasure to deletion flow	Engineering	Month 3
7	Train staff on retention obligations and escalation path	HR / DPO	Month 3
8	Quarterly review of schedule against any new laws	DPO	Ongoing

ℹ️

INFO

Businesses classified as Significant Data Fiduciaries under DPDP will have stricter obligations, including mandatory Data Protection Impact Assessments and a Data Protection Officer. Even if you do not expect to be designated, building the retention infrastructure now reduces future remediation cost.

Security Infrastructure and DPDP Compliance

Good data security and DPDP compliance share the same technical foundation: encryption-at-rest underpins cryptographic erasure, access-control logging falls within your retention scope, and vulnerability management reduces the risk that over-retained data is exposed — mutually reinforcing, not separate workstreams.

Bachao.AI — built by Dhisattva AI Pvt Ltd — provides automated VAPT scanning that surfaces misconfigurations in storage systems, access controls, and logging infrastructure. A free VAPT scan is the right starting point before finalising your retention controls.

For the full framework — consent management, privacy notices, and grievance workflows — see our DPDP compliance guide.

Authoritative Sources:

MeitY DPDP Act 2023: https://www.meity.gov.in/data-protection-framework
DSCI Data Protection Resources: https://www.dsci.in/data-protection

🎯Key Takeaway

Under DPDP, data you don't need is data you aren't allowed to keep. Every personal data category must have a documented purpose, a defined retention period, a deletion trigger, and a verified deletion process that covers live databases, backups, logs, and third-party processors. Over-retention is simultaneously a compliance failure and a security failure — it expands your breach surface while extending your regulatory exposure.

Frequently Asked Questions

What does the DPDP Act 2023 say about data retention?

The DPDP Act requires Data Fiduciaries to erase personal data once the purpose for which it was collected is no longer being served, or when the Data Principal withdraws consent. The only exception is where a law currently in force mandates retention for a specific period — in that case, data must be retained for exactly that period and deleted promptly once it expires.

Does the right to erasure under DPDP override RBI or tax record requirements?

No. Where a sectoral law (such as RBI KYC directions, PMLA, the Companies Act, or the Income Tax Act) mandates a minimum retention period, that requirement overrides the DPDP erasure obligation for the duration of the mandate. Once the statutory period expires, the DPDP deletion obligation applies immediately. Businesses must document both the legal basis for retention and the specific expiry date.

What is the difference between logical deletion and cryptographic erasure?

Logical deletion marks records as deleted in the application layer but the underlying bytes may persist in storage until overwritten. Cryptographic erasure encrypts data with a per-record key and destroys the key when deletion is required — making the data inaccessible even if the physical storage blocks remain. For sensitive personal data in cloud environments, cryptographic erasure is the more reliable approach.

How do backups and third-party processors factor into DPDP deletion obligations?

Deletion must extend to all locations where personal data exists — including backup copies, log archives, data warehouses, and systems operated by third-party processors. Data Processing Agreements with processors must include explicit deletion timelines and confirmation mechanisms. Deleting data from your live database while it persists in backup or with a vendor does not satisfy the DPDP storage-limitation obligation.

What happens if a business ignores a Data Principal's erasure request under DPDP?

The Data Principal can raise a complaint with the Data Protection Board of India. After inquiry, the Board can impose penalties on the Data Fiduciary. MeitY has structured the penalty regime to be significant enough to create real deterrence, including for larger organisations. Repeated or systematic failures attract higher penalties.

How should an SMB start building a data retention schedule?

Start with a data-flow map — list every category of personal data you collect, where it is stored, who can access it, and the documented purpose. Then assign a retention period to each category based on either the operational purpose (shortest consistent period) or a specific legal mandate (cite the exact provision). Automate deletion at the retention boundary, and include backup sweeps and processor deletion instructions in the process.

Data Retention & Deletion Under DPDP: India SMB Guide

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.