Data Retention Schedule
Plain English Translation
Under Section 8(7) of the Act, you cannot hold onto user data indefinitely. You must enforce strict storage limitation for personal data by erasing it as soon as the specific purpose for which it was collected is no longer being served, or immediately upon the user withdrawing consent, whichever comes first. To comply, organizations must create a clear data retention policy that defines exactly how long each type of data is kept and why. Meeting the DPDP retention requirements means actively monitoring your data lifecycle and purging records that are no longer legally required or operationally necessary, rather than letting them accumulate.
Technical Implementation
Required Actions (startup)
- Create a Data Management Policy and Data Retention Schedule using the WatchDog Policy Management template (or an equivalent controlled policy system).
- Manually run SQL scripts quarterly to purge inactive user data.
- Ensure backups are overwritten periodically.
Required Actions (scaleup)
- Automate identifying data retention periods using a data governance tool.
- Implement 'soft delete' with a strict 30-day hard delete purge cycle.
- Map the Indian laws that require personal data to be retained (such as tax and AML legislation) to the specific database columns they cover, so that statutory retention can be enforced per field.
Required Actions (enterprise)
- Deploy an automated data lifecycle management platform to orchestrate deletion across distributed systems.
- Enforce legal holds in real time so that data under active investigation is not deleted by the purge cycle.
- Keep immutable, tamper-evident audit logs of all automated data purging activities.
Data can be retained only as long as the specified purpose is being served or until the Data Principal withdraws consent, whichever is earlier, unless retention is required by another law (Section 8(7)).
The obligation is triggered when the Data Principal withdraws consent or when it is reasonable to assume the specified purpose is no longer being served (Section 8(7)(a)).
Yes, Section 8(7) explicitly states that the erasure obligation applies "unless retention is necessary for compliance with any law for the time being in force".
Map each category of personal data to its processing purpose. Determine if a specific law (like Tax or AML) mandates a retention period (e.g., 8 years for tax records). If not, define the operational time needed to fulfill the purpose and set that as the limit.
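The Required Actions above (quarterly or automated purge, soft delete with a 30-day hard-delete cycle, statutory retention mapped per data category, legal hold, immutable audit log) and the category-to-purpose mapping just described can be combined into one small retention engine. The following Python is an added example written for this page; it is not code from the WatchDog product or the DPDP Workbook. Category names, retention periods, record IDs and dates are constructed sample values, and the 8-year statutory period is taken from the page's tax-records example rather than from any specific statute.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HARD_DELETE_GRACE_DAYS = 30  # soft-deleted rows are purged for good after this many days


@dataclass(frozen=True)
class RetentionRule:
    category: str                          # data category, e.g. "tax_invoice"
    purpose: str                           # the specified purpose it was collected for
    operational_days: int                  # days after last use needed to serve that purpose
    statutory_days: Optional[int] = None   # retention mandated by another law, if any
    statutory_basis: Optional[str] = None  # label naming that law (assumed, for the audit reason)


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    last_purpose_activity: date
    consent_withdrawn_on: Optional[date] = None
    legal_hold: bool = False
    soft_deleted_on: Optional[date] = None


def erasure_trigger_date(rec, rule):
    """Section 8(7)(a): the earlier of consent withdrawal and purpose no longer served."""
    purpose_end = rec.last_purpose_activity + timedelta(days=rule.operational_days)
    if rec.consent_withdrawn_on is not None:
        return min(rec.consent_withdrawn_on, purpose_end)
    return purpose_end


def decide(rec, rule, today):
    """Return (action, reason) for one record on a given day."""
    if rec.legal_hold:  # legal hold overrides every deletion path
        return ("retain", "legal hold: deletion blocked during active investigation")
    if rec.soft_deleted_on is not None:  # already soft-deleted: hard delete once grace elapses
        if today >= rec.soft_deleted_on + timedelta(days=HARD_DELETE_GRACE_DAYS):
            return ("hard_delete", "grace period after soft delete elapsed")
        return ("retain", "soft-deleted, within grace period")
    trigger = erasure_trigger_date(rec, rule)
    if today < trigger:
        return ("retain", f"purpose '{rule.purpose}' still being served until {trigger}")
    if rule.statutory_days is not None:  # another law takes precedence over withdrawal
        statutory_end = rec.collected_on + timedelta(days=rule.statutory_days)
        if today < statutory_end:
            return ("retain", f"retention required by {rule.statutory_basis} until {statutory_end}")
    return ("soft_delete", f"erasure triggered on {trigger}")


def _chain_entry(prev_hash, **fields):
    """Build an audit entry whose hash covers its fields and the previous entry's hash."""
    entry = dict(fields, prev_hash=prev_hash)
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


def run_purge_cycle(records, rules, today):
    """Apply one purge cycle; returns (records still stored, hash-chained audit entries)."""
    remaining, audit, prev_hash = [], [], "0" * 64
    for rec in records:
        action, reason = decide(rec, rules[rec.category], today)
        if action == "soft_delete":
            rec.soft_deleted_on = today
        if action != "hard_delete":
            remaining.append(rec)
        entry = _chain_entry(prev_hash, date=today.isoformat(), record_id=rec.record_id,
                             category=rec.category, action=action, reason=reason)
        audit.append(entry)
        prev_hash = entry["hash"]
    return remaining, tuple(audit)


def verify_audit_chain(audit):
    """True if no entry has been altered, reordered or removed since it was written."""
    prev_hash = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev_hash"] != prev_hash:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def demo():
    """Constructed sample schedule and records (not real data); returns (remaining, audit)."""
    rules = {
        "tax_invoice": RetentionRule("tax_invoice", "billing", 90,
                                     statutory_days=8 * 365, statutory_basis="tax law (8-year example)"),
        "marketing_profile": RetentionRule("marketing_profile", "marketing", 180),
    }
    today = date(2026, 3, 1)
    records = [
        Record("R1", "marketing_profile", date(2026, 1, 15), date(2026, 1, 15)),
        Record("R2", "marketing_profile", date(2025, 6, 1), date(2025, 6, 1), consent_withdrawn_on=date(2026, 2, 20)),
        Record("R3", "tax_invoice", date(2024, 4, 1), date(2024, 4, 1), consent_withdrawn_on=date(2026, 1, 10)),
        Record("R4", "marketing_profile", date(2025, 1, 1), date(2025, 1, 1), soft_deleted_on=date(2026, 1, 20)),
        Record("R5", "marketing_profile", date(2025, 1, 1), date(2025, 1, 1), soft_deleted_on=date(2026, 1, 20), legal_hold=True),
    ]
    return run_purge_cycle(records, rules, today)


if __name__ == "__main__":
    remaining, audit = demo()
    for e in audit:
        print(e["record_id"], e["action"], "-", e["reason"])
    print("audit chain intact:", verify_audit_chain(audit))
```

In the sample run, R1 is retained because its purpose is still being served, R2 is soft-deleted because its purpose ended before the user withdrew consent (the earlier date wins), R3 is retained despite consent withdrawal because the statutory period has not elapsed, R4 is hard-deleted after the 30-day grace period, and R5 is retained by the legal hold. The hash chain lets a reviewer detect any later edit to or removal of an audit entry, which is the property the "immutable audit log" action asks for; in production the chain head would be anchored in write-once storage.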
Upon withdrawal of consent, the Data Fiduciary must erase the personal data and cause its Data Processors to erase it, provided retention is not required by another law (Section 8(7)).
Yes, Section 8(7) requires erasure of personal data. This implies removing it from all storage locations, including active databases and backups, to ensure it is no longer "in its possession or under its control".
Failure to erase data as required by Section 8(7) is a breach of the Act. Penalties for breaching provisions can extend up to INR 50 crore under the Schedule for "Breach of any other provision".
Section 8(7) gives precedence to other laws requiring retention. If a law (like the Income Tax Act) mandates keeping data for a specific period, you must retain it for that period despite a user's withdrawal of consent.
WatchDog Policy Management includes a Data Management Policy template with a structured retention schedule section. Teams can define retention by data category and purpose, track approvals and version history, and maintain audit-ready evidence that the schedule is defined, published, and reviewed.
"A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |