Data Retention, Deletion, and Log Management Under the DPDP Act, 2023 and DPDP Rules, 2025: Navigating Operational Complexities and Building Compliance-Ready Data Architectures

Posted On - 17 November, 2025 • By - Jidesh Kumar

Introduction

One of the most consequential and underestimated aspects of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 is the legal framework governing data retention, deletion, and log management. While global privacy discussions often focus on consent, notice, and cross-border transfers, the true operational burden for companies lies in how long data is kept, why it is retained, how it is deleted, and how logs are preserved.

Rule 8 of the DPDP Rules creates a detailed and prescriptive system for managing retention and deletion, while the Third Schedule introduces sector-specific and volume-based requirements, making this area one of the most technically challenging for compliance.

Retention and deletion were once primarily IT housekeeping tasks; under the DPDP regime, they are now legal obligations, enforceable through large penalties, DPB investigations, and potential platform-blocking orders. Companies must redesign their data architectures, workflows, and documentation practices to comply especially Indian and multinational enterprises handling high-volume user data across cloud, SaaS, hybrid, and multi-region architectures.

1. Section 8 (Duties of Data Fiduciaries)

  • erase personal data as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served,
  • unless retention is required by law.
  • This is a major shift from legacy IT practices where data was often retained indefinitely “just in case.” Under the DPDP Act, indefinite retention is unlawful unless supported by statutory obligation.

2. Section 8(7): Duty to Maintain Accuracy

  •  Data Fiduciaries must ensure personal data is accurate and updated, making prolonged retention without purpose incompatible with compliance.

3. Section 8(8): Processor Accountability

  • Processors must adhere to the Data Fiduciary’s retention and deletion instructions, making contractual control essential.

4. Penalty Exposure

  • Improper retention or deletion practices can lead to penalties up to ₹50 crore or higher where breaches are involved.

Rule 8 of the DPDP Rules: The Operational Backbone of Retention & Deletion

Rule 8 transforms statutory obligations into a concrete operational framework.

1. Purpose-Based Retention Obligation: Data may only be retained for:

  • the time required to fulfil the original purpose, OR
  • the time mandated by law (RBI, SEBI, GST, Income Tax, MCA, etc.).
  • No other justification is acceptable under DPDP.

2. Mandatory 48-Hour Deletion Notice

  • Before deleting personal data, Data Fiduciaries must notify the Data Principal at least 48 hours in advance.
  • This requirement is unique to India and introduces significant operational complexity.

Implications:

  • Automated deletion workflows must be linked with a notification engine.
  • Companies must track Data Principal contact details continuously.
  • Bounced messages or undelivered notifications must be logged.

3. Obligation to Delete Data Across Processors: Deletion must propagate to all-

  • cloud vendors,
  • SaaS providers,
  • analytics engines,
  • back-end processors,
  • disaster recovery zones,
  • data warehouses.
  • This requires robust deletion orchestration and processor contracts.

4. Mandatory One-Year Log Retention

Rule 8 mandates that Data Fiduciaries and Processors retain logs for at least one year, even when deletion of personal data is requested.

Logs must document:

  • access events,
  • modification events,
  • consent withdrawals,
  • deletion triggers,
  • security incidents.

This requirement sits at the intersection of cybersecurity, privacy, and forensic readiness.

The Third Schedule: When High-Volume Entities Must Retain Data Longer

The Third Schedule introduces special retention requirements for high-volume Data Fiduciaries such as:

  • social media platforms,
  • e-commerce companies,
  • gaming platforms,
  • OTT platforms,
  • gig economy platforms,
  • fintech and payments companies.

These entities may be mandated to retain data for longer periods due to:

  •  fraud detection,
  • dispute resolution,
  • regulatory audit,
  • systemic risk mitigation.

Thus, companies must monitor whether the Government designates them as entities under the Third Schedule.

Why Retention and Deletion Are More Complex Than They Appear

1. The Distributed Nature of Modern Data Architectures: Companies today store data across multiple cloud regions, microservices, logs, backups, CDNs, collaborative tools, analytics pipelines, and multi-tenant SaaS systems. Deletion in one system does not guarantee deletion everywhere.

2. Conflicting Laws: Sectoral laws impose retention requirements

  • RBI: 5–10 years
  • SEBI: 8 years
  • Companies Act: 8 years
  • Income Tax: 6–7 years
  • GST: 72 months

Companies must create a retention matrix mapping DPDP rules against sectoral laws.

3. Cross-Border Retention: Under Rule 15, offshore processors must comply with Indian deletion timelines requiring precise contractual controls.

4. Backups and Disaster Recovery: DPDP rules require deletion from live systems, but do not require immediate erasure from immutable backups if backups are encrypted, not reachable through normal access, overwritten on the next backup cycle.

This is consistent with global norms but must be documented.

Log Management: India’s New Compliance Pillar

Logs are central to DPDP’s enforcement strategy.

1. What Logs Must Capture: Access logs, Authentication logs, Modification logs, Processor activity logs, consent updates, Breach detection logs, Deletion events and System anomalies

2. Why One-Year Log Retention Matters: The DPB may audit logs during investigations, request logs under Rule 23, verify whether deletion, access, or security obligations were met, validate breach response compliance. Thus, logs become legal evidence.

3. Challenges: high log volumes, log storage costs, log security. Managing logs across multi-region cloud systems. Integrating SIEM, SOC, and archival systems. Companies must adopt industrial-grade log retention and archival architecture.

The 48-Hour Deletion Notice: A Unique Indian Requirement

This requirement is ambitious and globally unprecedented.

 Business Challenges

  • Maintaining user contact accuracy
  • Handling undelivered notifications
  • Managing large volumes of messages
  • User confusion about deletion triggers
  • Regulator expectations of documentation
  • Use multi-channel notifications (SMS + email + in-app)
  • Build automated re-try mechanisms
  • Store proof of notification with timestamps
  • Allow easy user responses or clarifications

This requirement forces companies to rethink both data architectures and user communication design.

Deletion Workflows: What Companies Must Implement

 1. Automated Deletion Engines: deletion must be automated, provable, and synchronised across systems.

 2. Erasure Policies: Companies must define default retention periods per category, deletion triggers, legal hold workflows, exceptions policy.

3. Processor Coordination: SaaS and cloud vendors must purge data within DPDP timelines, provide proof of deletion, integrate through APIs.

4. Data Subject Rights Integration: Deletion requests must feed into customer support, back-end processing, cloud systems, partner integrations and audit logs.

Handling Backups, DR Systems, and Replicated Data

DPDP recognises the practical challenge of deleting data immediately from backups. Acceptable practice:

  • retain backups,
  • encrypt data,
  • ensure data is inaccessible in normal business flows,
  • allow overwrite on the next backup cycle,
  • log restoration activities.

Unacceptable practice:

  • restoring or using old backups unnecessarily
  • failing to log restoration events
  • maintaining long-term backups without rotation

Technical Architecture for Retention & Deletion Compliance

1. Data Mapping Tools: To identify where data resides, how it flows, and which processors have copies.

2. Master Data Retention Engine: A central engine that manages retention clocks, triggers deletion, and propagates updates.

3. Consent & Retention Alignment: Retention must honour withdrawal of consent, purpose fulfilment timelines, and sectoral retention laws.

4. SIEM & SOC Integration: Logs must flow into SIEM systems, security operations centres.

5. Immutable Audit Trails: For DPB inquiries and legal defence.

Special Implications for High-Volume Industries

  • E-commerce: massive user data + rapid churn = high deletion activity + high security risk.
  • Social Media: Complexity due to posts, messages, images, metadata, logs.
  • Fintech: high retention requirements under RBI laws + DPDP obligations.
  • Healthcare: Sensitive data + long-term medical retention obligations.
  • SaaS: Multi-tenant challenges + shared databases + processor obligations.

Enforcement Risks and Penalties

Under the DPDP Act penalty schedule:

  • Failure to delete data: up to ₹50 crore
  • Failure to fulfil security safeguards during retention: up to ₹250 crore
  • Failure to notify the DPB of breaches: up to ₹200 crore

DPB may also:

  • issue directions,
  • impose corrective measures,
  • initiate inquiries,
  • recommend platform blocking (Section 37).
  • Log management failures can lead to severe adverse inferences during investigations.

Compliance Roadmap for the Next 18 Months

Phase 1: Audit & Mapping (Months 1–4)

  • Data mapping
  • Processor mapping
  • Retention matrix
  • Gap analysis

Phase 2: Architecture & Integration (Months 4–10)

  • Automated deletion workflows
  • Log management system
  • Backup and DR policy updates
  • Vendor contract updates

Phase 3: Operational Readiness (Months 10–15)

  • Testing deletion flows
  • Validating 48-hour notice systems
  • SIEM integration
  • Documentation and SOPs

Phase 4: Compliance & Governance (Months 15–18)

  • Internal audit
  • DPIAs (for SDFs)
  • Training across teams
  • Preparing regulatory reporting mechanisms

Conclusion

Rule 8 of the DPDP Rules and the Third Schedule introduce a sophisticated, forward-looking, and operationally demanding retention and deletion regime. This framework requires companies to rethink how data is stored, how long it is maintained, how it is deleted, and how logs are preserved.

For Indian and multinational companies, compliance is not simply about adding a policy, it is about re-engineering systems, upgrading data architecture, strengthening contractual controls, and embedding governance discipline across the enterprise.

Organisations that take a proactive, structured approach will not only avoid regulatory exposure but also gain operational efficiency, reduce data liabilities, and build user trust in an era where privacy and security define competitive advantage.

Contributed by – Aurelia Menezes