The storage-limitation principle
Personal data should not be retained indefinitely. Define, for each data category and purpose, how long it is genuinely needed, and what happens at the end of that period.
Setting defensible retention periods
- Tie retention to purpose and to any sectoral legal requirement (e.g. RBI/SEBI/IRDAI records)
- Document the basis for each retention period
- Separate active retention from archival, and both from deletion
Enforcing deletion
- Flag data approaching its retention limit
- Support deletion, anonymisation or pseudonymisation as appropriate
- Run destructive actions with a dry-run and an audit trail
- Propagate deletion when consent is withdrawn
Watch for ROT and orphaned data
Redundant, obsolete and trivial (ROT) data and personal data with no consent or RoPA entry are common sources of risk. Surfacing and clearing them reduces both your breach blast-radius and your compliance burden.
This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.