Understanding Data Retention in Compliance with DPDPA and Draft DPDP Rules

Article by Tsaaro

In today’s fast-paced, data-driven world, businesses collect large amounts of data and store such information as a matter of routine. This data is extremely important for growth, customer insights and the innovation that drives a business forward. However, it also carries significant legal and ethical risks if it is not handled in accordance with data privacy regulations and accepted industry practices. Improper handling of personal data can lead to breaches of privacy, loss of customer trust and legal repercussions. One of the key pillars of effective data management is having a comprehensive and dynamic data retention policy in place.

The Digital Personal Data Protection Act (DPDPA), enacted in August 2023, is the cornerstone of India’s evolving data privacy and protection landscape. Following its enactment, on January 3rd 2025 the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules) to supplement and clarify the DPDPA, opening them for public feedback on the MyGov Portal until February 18th 2025. Together, the DPDPA and the Draft DPDP Rules establish a comprehensive framework for data retention in India.

What is Data Retention?

The term data retention essentially refers to the practice of storing certain collected data for a specified period of time, or until the purpose for which the data was collected is fulfilled. Data protection regulations generally set out rules and procedures on how long an organisation may retain and store each type of data. The general principle of storage limitation mandates that data be stored only for as long as is required for its intended purpose; once the purpose is fulfilled, it must be completely deleted. Where the business is legally required to retain the data further, or to archive it securely, that requirement must be adhered to.

Section 8(7) of the DPDPA specifically imposes an obligation on data fiduciaries to erase personal data, whether stored by them or by their data processors, upon the withdrawal of consent by a data principal, or as soon as it is determined that the specified purpose for which the data was collected is no longer being served. However, where the data fiduciary is required by law to retain the data, or where retention is still required for the specified purpose, it must continue to retain it.

Retention Periods

The Draft DPDP Rules provide for specific data retention periods based on the purpose for which the data is collected and processed. Rule 8 outlines the conditions under which a data fiduciary must erase personal data, focusing specifically on when the data is deemed no longer to serve the specified purpose for which it was collected.

The Rule must be read with the 3rd Schedule of the Draft DPDP Rules, which states that a data fiduciary belonging to a class specified in the Schedule and processing data for a purpose specified there must erase the data under the following conditions, unless its retention is necessary for compliance with any applicable law:

  • Upon the completion of the specified time period
  • If the Data Principal has neither used the service, approached the data fiduciary for the performance of the specific purpose nor exercised their rights during the specified retention period.

The 3rd Schedule sets a data retention period of 3 years, counted from the Data Principal’s last interaction with the Data Fiduciary for the specified purpose, the Data Principal’s last exercise of rights, or the date of commencement of the DPDP Rules (whichever is later), for three types of data fiduciaries:

  • E-commerce entity with at least 2 crore registered users in India.
  • Online gaming intermediary with at least 50 lakh registered users in India.
  • Social Media Intermediary with at least 2 crore registered users in India.

This specified data retention period applies to data collected and processed for all purposes except enabling the data principal’s access to a user account and to a usable virtual token issued by or on behalf of the Data Fiduciary and stored on the Fiduciary’s digital platform.

Additionally, Rule 8(2) obliges the Data Fiduciary to inform the Data Principal at least 48 hours before the end of the specified retention period. The notice must also inform the data principal that:

  • Their personal data will be erased unless they log in to their user account or interact with the Data Fiduciary to continue using the service for the specified purpose.
  • Alternatively, the Data Principal can exercise their rights in relation to the data to prevent erasure. 
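The retention clock described above has several moving parts (the "whichever is later" start date, the class-and-size test, the account-access carve-out, the legal-hold override and the 48-hour notice window), and a retention schedule is only as good as the job that evaluates it. The following is an added illustration written for this article, not code from Tsaaro or from MeitY. It assumes a placeholder commencement date for the Rules (the Rules are still in draft and the article gives none), uses constructed purpose labels ("account-access", "virtual-token") for the carve-out the article describes, and treats 2 crore as 20,000,000 and 50 lakh as 5,000,000 registered users.

```python
"""Retention-deadline evaluator for the 3rd Schedule rule summarised above.

Added illustration, not Tsaaro's or MeitY's code. The commencement date is a
placeholder; the 3-year period, 48-hour notice, thresholds and carve-outs
follow the article's summary of the Draft DPDP Rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# PLACEHOLDER: the Draft DPDP Rules have no commencement date yet.
RULES_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)
RETENTION_YEARS = 3                 # 3rd Schedule retention period
NOTICE_LEAD = timedelta(hours=48)   # Rule 8(2) notice before erasure

# 3rd Schedule classes and registered-user thresholds in India
# (2 crore = 20,000,000; 50 lakh = 5,000,000).
SCHEDULE_THRESHOLDS = {
    "e-commerce": 20_000_000,
    "online-gaming": 5_000_000,
    "social-media": 20_000_000,
}

# Purposes carved out of the Schedule's retention period. The labels are
# constructed for this example; the carve-out is the one the article cites.
EXEMPT_PURPOSES = {"account-access", "virtual-token"}


def in_schedule_scope(kind: str, registered_users: int) -> bool:
    """True if a fiduciary of this class and size falls under the 3rd Schedule."""
    threshold = SCHEDULE_THRESHOLDS.get(kind)
    return threshold is not None and registered_users >= threshold


def add_years(dt: datetime, years: int) -> datetime:
    """Add calendar years; a 29 February start lands on 28 February."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_interaction: Optional[datetime]      # last use / approach for the purpose
    last_rights_exercise: Optional[datetime]  # last exercise of DPDPA rights
    legal_hold: bool = False                  # another law requires retention


@dataclass
class Decision:
    action: str                     # retain | notify | erase | exempt | legal-hold
    erase_on: Optional[datetime]
    notify_on: Optional[datetime]


def evaluate(record: Record, now: datetime) -> Decision:
    """Apply the 'whichever is later' clock, the carve-outs and the 48h notice."""
    if record.purpose in EXEMPT_PURPOSES:
        return Decision("exempt", None, None)
    if record.legal_hold:
        return Decision("legal-hold", None, None)

    # The clock starts at the latest of: last interaction, last rights
    # exercise, commencement of the Rules.
    anchors = [d for d in (record.last_interaction,
                           record.last_rights_exercise,
                           RULES_COMMENCEMENT) if d is not None]
    erase_on = add_years(max(anchors), RETENTION_YEARS)
    notify_on = erase_on - NOTICE_LEAD

    if now >= erase_on:
        action = "erase"
    elif now >= notify_on:
        action = "notify"
    else:
        action = "retain"
    return Decision(action, erase_on, notify_on)


def run_schedule(records, now):
    """Group principal ids by the action due now (a nightly retention job)."""
    out = {}
    for rec in records:
        out.setdefault(evaluate(rec, now).action, []).append(rec.principal_id)
    return out


if __name__ == "__main__":
    # Constructed sample records, not real data.
    utc = timezone.utc
    sample = [
        Record("p1", "marketing", datetime(2025, 3, 10, tzinfo=utc), None),
        Record("p2", "marketing", datetime(2024, 6, 1, tzinfo=utc), None),
        Record("p3", "account-access", datetime(2020, 1, 1, tzinfo=utc), None),
        Record("p4", "kyc", datetime(2025, 3, 10, tzinfo=utc), None, legal_hold=True),
    ]
    print(run_schedule(sample, datetime(2028, 3, 9, tzinfo=utc)))
```

Two points the code makes concrete: an interaction that predates commencement does not shorten the period (the commencement date wins as the later anchor), and the notice step is a distinct state that the job must reach before erasure, so an audit can check that every erased record passed through it.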

Consequence of Non-Compliance with Data Retention Requirements

Failure to comply with the data retention requirements under the DPDPA and the Draft DPDP Rules can result not only in monetary penalties of up to INR 50 crore but also in reputational damage, and can attract other incidental or related consequences such as data breaches, unnecessary resource consumption and a significant reduction in operational efficiency.

Best Practices for Data Retention Compliance

  • Conduct a data mapping: Data mapping allows organisations to clearly understand and identify the types of personal data that they collect, process and store. This allows organisations to categorise and prioritise that data, and to ensure that they retain only what is necessary, and only for the minimum required time period.

  • Develop a clear data retention policy: A data retention policy that classifies the collected data, specifies the retention period for each category of data and defines the method of data disposal or deletion is crucial in ensuring compliance with data retention requirements.

  • Develop a retention schedule: Alongside the general data retention policy, a retention schedule is crucial in defining the duration for which each category of data should be retained. This schedule should be regularly updated to reflect changes in laws, business processes or technology.

  • Regular audits: Periodic audits of the data retention policy, as well as of the organisation’s stored data, allow the organisation to verify that the policy is effective and to delete unnecessary data. Audits help identify gaps, improve practices and maintain alignment with business and legal requirements.

Conclusion

Data retention is a crucial aspect of responsible data handling and of compliance with the DPDPA and the Draft DPDP Rules. As businesses increasingly collect and process personal data, they must navigate the complexities of data retention to ensure compliance with legal, regulatory and ethical standards. Businesses must ensure that personal data is retained only for the necessary period and is deleted or anonymised once it is no longer required for its intended purpose. They must adhere to the specified data retention periods and proactively create a clear and comprehensive data retention policy as part of their overarching privacy policy. This not only helps an organisation comply with the DPDP framework but also builds trust with consumers and reduces risk.
