DPDP Data Retention Policy

The retention and erasure rules every Indian business must follow under the DPDP Act 2023
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Under DPDP, Keeping Data Forever Is a Violation

For years, Indian businesses treated customer data like an asset you never throw away. The DPDP Act 2023 flips that thinking: storage limitation is a core principle, and DPDP data retention rules now require you to erase personal data once you no longer have a valid reason to hold it.

The DPDP data erasure rules are simple to state: delete personal data when the purpose has been served or when the person withdraws consent. But applying them across every database, backup, spreadsheet, and vendor system takes a proper retention schedule and, ideally, automated deletion.

This page walks through the rules, including the special ones for large platforms, and how to build a retention policy that actually works.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The DPDP Retention & Erasure Rules at a Glance

RuleWhat It MeansWho It Applies To
Erase when purpose is servedDelete personal data once the reason you collected it no longer existsEvery Data Fiduciary
Erase on consent withdrawalWhen a user withdraws consent, stop processing and erase their dataEvery Data Fiduciary
1-year minimum log retentionKeep security and processing logs for at least 1 year, tamper-resistantEvery Data Fiduciary
3-year retention/erasure ruleErase data of inactive users after the 3-year window under the RulesLarge platforms: e-commerce with 2 Cr+ users, social media, gaming
48-hour pre-erasure noticeNotify the user at least 48 hours before erasing their dataCertain platforms covered by the retention rules

Note the tension by design: user data gets deleted, but logs stay at least 1 year. Your retention schedule has to handle both, and your security safeguards must keep those logs tamper-resistant.

How to Build a DPDP Retention Schedule

A retention policy is only real when it runs on its own. Here is the path from paper to automation.

1. Inventory Your Data

Map every place personal data lives: databases, CRMs, spreadsheets, email lists, backups, and vendor systems. You can't delete what you can't find.

2. Assign a Purpose & Clock

For each data category, record the purpose it serves and the event or period after which that purpose ends, that's your deletion trigger.

3. Check Legal Holds

Some data must be kept longer under tax, labour, or sector laws. Document the exceptions so deletion doesn't break another obligation.

4. Automate Deletion

Manual deletion fails quietly. Set up automated jobs that erase or anonymize data when its clock runs out, including in backups and archives.

5. Cover Your Vendors

Your processors must delete data on the same schedule. Put it in writing through a data processing agreement, you stay legally responsible for them.

6. Prove It Works

Keep deletion logs and evidence. Our free audit checks your retention setup end to end.

Book Free Audit

Special Rules for Large Platforms

The DPDP Rules 2025 add a stricter layer for the biggest data holders. If you run an e-commerce platform with 2 crore or more users, a social media platform, or a gaming platform, the 3-year retention and erasure rule applies: personal data of inactive users must be erased once the retention window closes.

Certain platforms must also give users a 48-hour pre-erasure notice before deletion, a heads-up that lets the user log in or act if they want their data kept. Practically, this means your deletion pipeline needs a notification step built in, not just a cron job that drops rows.

Even if you're nowhere near 2 crore users, the direction of travel is clear: regulators expect deletion to be systematic, evidenced, and automatic. Building it now is far cheaper than retrofitting it later.

Retention Systems Can't Be Built Overnight

Consent rules become mandatory on 13 November 2026, and full enforcement, including retention and erasure duties, begins 13 May 2027. Compliance setup takes 2-6 months, and automated deletion is one of the slower pieces to build.

Want the Complete DPDP Picture?

Retention is one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

DPDP Data Retention: Frequently Asked Questions

When must personal data be erased under the DPDP Act?

When it's no longer needed: either the purpose it was collected for has been served, or the person has withdrawn consent. Keeping data "just in case" isn't allowed unless a legal obligation requires retention.

Does Your Data Ever Actually Get Deleted?

Our free audit reviews what you store, how long you keep it, and whether your deletion actually happens, with a gap report and roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.