How Long Can You Keep Data? Understanding DPDP Act’s Retention Rules for 2026

Retaining Data Responsibly in a DPDP World

The age of indefinite data storage is over.

Under India’s Digital Personal Data Protection Act (DPDPA), 2023, and the DPDP Rules, 2025, businesses must define how long they keep personal data and, more importantly, why. Whether you're an e-commerce giant, a fintech startup, or a marketing platform, data retention without a purpose is now a compliance risk.

The Act enforces a clear principle: keep data only for as long as necessary for the purpose it was collected. Beyond that, you must delete or anonymise it.

In this blog, we’ll decode:

  • What the DPDP Act and Rules say about data retention
  • What the 3-year rule means
  • Penalties for non-compliance
  • How to build a compliant data retention policy in 2026


What the DPDP Act Says About Data Retention

Section 8(7) of the DPDP Act, 2023:

"A Data Fiduciary shall not retain any personal data beyond the period necessary for the purpose for which it is processed, and shall delete the data once the purpose is no longer served or retention is no longer necessary."

This clause is foundational. If you don’t define a purpose, you cannot justify retention. If the purpose is served, you must initiate deletion or anonymisation.

Rule 13 of DPDP Rules, 2025:

The Rules introduce a presumptive period of three years. If a business has had no interaction with the Data Principal for three continuous years, it is presumed that the data must be erased, unless:

  • Required by law
  • Justified under a contractual or regulatory purpose
  • Specifically consented to by the user

This shifts the burden of justification onto businesses.


Who Must Comply?

Every Data Fiduciary, from app developers to banks, must:

  • Track when each user interaction occurred
  • Set retention schedules based on purpose
  • Implement periodic erasure workflows
  • Ensure processors/vendors follow the same timelines

You’re responsible not just for your data, but also for what your partners retain.


Common Pitfalls in Data Retention

  1. Retaining old customer records without purpose
    E.g., keeping phone numbers and Aadhaar data from KYC beyond 3 years after account closure.
  2. Failing to define retention timelines in privacy policies
    Vague terms like “we retain data as long as needed” are non-compliant.
  3. No automated deletion mechanism
    If you can’t prove erasure happened when needed, you’re exposed to enforcement.
  4. Not updating vendor contracts
    If your CRM or analytics partner retains deleted user data, you’re still liable.


What Happens If You Don’t Erase Data on Time?

Under Section 33(g) of the Act:

  • You may face penalties up to ₹200 crore per breach
  • You risk audits and investigation by the Data Protection Board of India
  • Your users may file grievances if their data isn’t deleted on request
  • You damage long-term brand trust

The cost of ignoring data retention is far higher than setting it up right.


5 Steps to Stay DPDP-Compliant on Retention

  1. Map Your Data Purpose
    Classify all personal data by collection purpose (KYC, marketing, transaction, etc.).
  2. Define Retention Windows
    Set timeframes aligned with purpose, e.g., 6 months for abandoned carts, 3 years for inactive customers.
  3. Automate Data Erasure
    Set up workflows to delete or anonymise records after expiry, with audit trails.
  4. Update Your Privacy Notice
    Clearly mention the duration for which different data types are stored.
  5. Log and Justify Exceptions
    If you retain data beyond 3 years, ensure legal or regulatory documentation is recorded.
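The five steps above, combined into one retention-evaluation pass, as an added illustration rather than code from Blutic or from the DPDP Rules. The purpose-to-window mapping, the record fields and the exception citation are assumptions; the three-year inactivity presumption is the one described in this post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative purpose-based windows (assumed values, not prescribed by the Act).
RETENTION_DAYS = {"abandoned_cart": 180, "marketing": 365, "transaction": 3 * 365}
INACTIVITY_DAYS = 3 * 365  # presumptive three-year inactivity period

@dataclass
class Record:
    principal_id: str
    purpose: str
    collected_at: datetime
    last_interaction: datetime
    exception: Optional[str] = None  # documented legal/contractual basis, if any

def evaluate(rec: Record, now: datetime) -> tuple[str, str]:
    """Return (action, reason); action is 'retain' or 'erase'."""
    if rec.exception:  # a logged exception justifies retention beyond the window
        return "retain", f"exception: {rec.exception}"
    window = RETENTION_DAYS.get(rec.purpose)
    if window is None:  # no defined purpose -> retention cannot be justified
        return "erase", "no documented purpose"
    if now - rec.last_interaction >= timedelta(days=INACTIVITY_DAYS):
        return "erase", "no interaction for three years"
    if now - rec.collected_at >= timedelta(days=window):
        return "erase", f"purpose window of {window} days expired"
    return "retain", "within purpose window"

def run_erasure(records: list[Record], now: datetime) -> list[dict]:
    """Decide each record and return one audit-trail entry per record."""
    audit = []
    for rec in records:
        action, reason = evaluate(rec, now)
        audit.append({"principal_id": rec.principal_id, "purpose": rec.purpose,
                      "action": action, "reason": reason, "at": now.isoformat()})
    return audit

# Constructed sample records (not real user data).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Record("u1", "abandoned_cart", NOW - timedelta(days=200), NOW - timedelta(days=200)),
    Record("u2", "transaction", NOW - timedelta(days=400), NOW - timedelta(days=10)),
    Record("u3", "transaction", NOW - timedelta(days=1200), NOW - timedelta(days=1100)),
    Record("u4", "transaction", NOW - timedelta(days=1200), NOW - timedelta(days=1100),
           exception="[placeholder statute] requires retention after closure"),
    Record("u5", "unknown", NOW - timedelta(days=5), NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for entry in run_erasure(SAMPLE, NOW):
        print(entry)
```

In a real workflow the audit entries would be written to an append-only log before the erase or anonymise action runs, so that deletion can be evidenced later.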


Retention Isn’t Storage, It’s Strategy

Data retention is no longer an IT decision; it’s a legal obligation and a trust signal.

With the DPDP Act now enforceable, every Indian business must rethink its data lifecycle. Holding on to data “just in case” can now lead to real-world penalties.

Start with a clear retention policy. Automate erasure. Respect inactivity. And above all, empower your users to reclaim their data.

Blutic helps simplify compliance with features like erasure workflows, data lifecycle logs, and retention-based alerts, making it easier to protect what matters most: trust.
