DPDP Compliance Hub

Data Retention & Deletion under the DPDP Act

The DPDP Act expects you to keep personal data only as long as necessary for the stated purpose. Once the purpose is served — or consent is withdrawn — data should be deleted or anonymised. Retention is where compliance meets data hygiene.

6 min read

The storage-limitation principle

Personal data should not be retained indefinitely. Define, for each data category and purpose, how long it is genuinely needed, and what happens at the end of that period.

Setting defensible retention periods

  • Tie retention to purpose and to any sectoral legal requirement (e.g. RBI/SEBI/IRDAI records)
  • Document the basis for each retention period
  • Separate active retention from archival, and both from deletion

Enforcing deletion

  • Flag data approaching its retention limit
  • Support deletion, anonymisation or pseudonymisation as appropriate
  • Run destructive actions with a dry-run and an audit trail
  • Propagate deletion when consent is withdrawn

Watch for ROT and orphaned data

Redundant, obsolete and trivial (ROT) data and personal data with no consent or RoPA entry are common sources of risk. Surfacing and clearing them reduces both your breach blast-radius and your compliance burden.

This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.

See how dpflo implements this

Discovery, consent, rights, retention and breach — one sovereign platform, deployable where your data lives.