Data Retention and Storage Obligations under the DPDP Act, 2023: The Principle of Storage Limitation

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces the principle of storage limitation, requiring that personal data be retained only as long as necessary for the purpose for which it was collected or for legal compliance. Once the purpose is served, or consent withdrawn, data fiduciaries are obligated to erase the data or ensure that it is anonymised in a manner that irreversibly prevents re-identification.
Introduction: Retention as a Privacy Risk
Data retention is often overlooked in privacy programs. Businesses tend to store more data for longer than required, driven by the view that data may be valuable in the future. However, excessive retention creates significant risks:
- Larger attack surface and breach impact: every record kept beyond its purpose is one more record exposed when a system is compromised.
- Greater liability in case of breaches.
- Higher storage costs with little business value.
- Potential misuse of data beyond its intended purpose.
The DPDP Act, by embedding the storage limitation principle, seeks to counter these risks and compel organizations to adopt disciplined data lifecycle management.
Statutory Basis under the DPDP Act
- Personal data must be retained only for as long as necessary for the purpose of processing.
- Once the purpose is served, or consent is withdrawn, data fiduciaries must erase personal data unless required to retain it by law.
- Fiduciaries must ensure processors also comply with retention and deletion requirements.
- Anonymisation, if irreversible, may serve as an alternative to deletion.
In effect, data fiduciaries carry end-to-end responsibility for ensuring that personal data does not linger indefinitely in systems.
The Principle of Storage Limitation
“Storage limitation” means:
1. Purpose-bound retention – Data should be retained only as long as necessary to fulfil the purpose for which it was collected.
2. Consent-bound retention – If consent is withdrawn, data must be deleted unless there is another legal basis.
3. Law-bound retention – Certain laws require minimum retention (e.g., income tax, corporate law, medical record laws).
4. Deletion or anonymisation – At the end of retention, data must either be securely erased or irreversibly anonymised.
Example: A bank may retain loan documents until the loan is repaid and for the statutory limitation period. Keeping those records indefinitely for unrelated analytics would violate storage limitation.
Improper Retention Practices: Illustrative Risks
- Banking: Retaining KYC documents indefinitely even after customer exits.
- Healthcare: Hospitals storing patient records indefinitely without anonymisation protocols.
- E-Commerce: Retaining customers’ card details without purpose justification, a practice that RBI’s card-on-file tokenisation norms already bar for merchants and payment aggregators.
- Employment: Companies keeping rejected candidates’ resumes indefinitely for “future opportunities.”
- Government: State agencies storing beneficiary data without erasure policies post scheme expiry.
These practices expand exposure in case of breaches and could attract regulatory scrutiny under the DPDP Act.
Sectoral Implications
1. Banking and Fintech: Banks are required by RBI to maintain certain records (e.g., KYC, transaction records) for defined periods. However, they often exceed these requirements. The DPDP Act compels banks to adopt precise retention schedules aligned with regulatory mandates. Fintech companies collecting alternative data for credit scoring must delete it once the purpose is served.
2. Healthcare and Health-Tech: Hospitals, clinics, and telemedicine platforms must retain patient records for treatment and statutory obligations, but beyond that, records must be anonymised. Retaining diagnostic data for research requires fresh consent unless anonymised.
3. E-Commerce and Retail: Customer addresses, purchase histories, and payment data must be erased once the transaction and warranty periods are over, unless retention is mandated by consumer protection or tax laws. Loyalty program data requires regular purging to avoid indefinite storage.
4. HR and Employment: Employers may retain employee data for payroll, benefits, and compliance with labour laws. Once an employee leaves, data must be deleted except for statutory retention. Resumes of rejected candidates must be erased unless explicit consent for future consideration is obtained.
5. Government Data Processing: Government agencies handling massive citizen datasets (welfare, Aadhaar-linked services, tax filings) face the greatest retention challenges. Storage limitation requires periodic review of databases and either erasure or anonymisation once schemes conclude.
Anonymisation and Pseudonymisation as Alternatives
The Act applies only to personal data, that is, data about an individual who is identifiable by or in relation to that data. Data that has been irreversibly anonymised therefore falls outside its scope, which makes anonymisation a practical alternative to deletion: the dataset can continue to be used for analytics, research, and innovation without retaining identifiable elements.
- Anonymisation: Removing direct identifiers (names, Aadhaar numbers) and coarsening indirect ones (dates of birth, PIN codes) so that records cannot be re-linked to individuals, even by the fiduciary itself.
- Pseudonymisation: Replacing identifiers with artificial tags (e.g., customer ID numbers or keyed hashes). This is reversible by whoever holds the mapping table or the key, so it reduces risk but does not take the data out of scope.
- Only true anonymisation satisfies DPDP requirements. Pseudonymised data is still personal data and remains subject to retention limits.
- Businesses should adopt documented anonymisation standards, including checks that the released data cannot be re-identified by combining the remaining attributes, so that they can continue deriving value from datasets while reducing privacy risk.
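The following script is an added example, not code from the article or from any regulator, illustrating the distinction above in practice. It pseudonymises a constructed record set with a keyed hash and shows that the tokens can be re-linked by anyone holding the key, then anonymises the same records by dropping direct identifiers, coarsening the quasi-identifiers and suppressing rows that would be unique. The record values, the generalisation rules and the k=2 threshold are all assumptions chosen for the demo; the identifiers are fictitious and are not real Aadhaar numbers.

```python
"""Added example: pseudonymisation (reversible) vs anonymisation (irreversible).

All data below is constructed for illustration. The key, the generalisation
rules and the k-anonymity threshold are arbitrary choices for the demo.
"""
import hashlib
import hmac
from collections import Counter

# Fictitious records: a direct identifier ("id"), a name, and quasi-identifiers
# (date of birth, 6-digit PIN code) plus a sensitive attribute (diagnosis).
RECORDS = [
    {"id": "1234 5678 9012", "name": "A. Sharma", "dob": "1987-03-14", "pin": "560034", "dx": "asthma"},
    {"id": "2345 6789 0123", "name": "B. Iyer",   "dob": "1982-11-02", "pin": "560076", "dx": "diabetes"},
    {"id": "3456 7890 1234", "name": "C. Khan",   "dob": "1975-06-30", "pin": "400001", "dx": "asthma"},
    {"id": "4567 8901 2345", "name": "D. Nair",   "dob": "1971-01-09", "pin": "400050", "dx": "hypertension"},
    {"id": "5678 9012 3456", "name": "E. Das",    "dob": "1990-08-21", "pin": "110001", "dx": "diabetes"},
]

# Hypothetical secret held by the data fiduciary. Whoever holds it can re-link.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed-hash token and drop the name.

    Using HMAC rather than a bare hash matters: an unkeyed SHA-256 of a guessable
    identifier lets anyone confirm a guess by recomputing the token. Even with a
    key, the output is still personal data because the key holder can reverse it.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["id"].encode(), hashlib.sha256).hexdigest()[:16]
        p = {k: v for k, v in r.items() if k not in ("id", "name")}
        p["token"] = token
        out.append(p)
    return out


def relink(pseudo_records, key, candidate_ids):
    """Demonstrate reversibility: with the key and a list of candidate identifiers
    (e.g. the fiduciary's own customer list), rebuild the token -> id mapping."""
    table = {hmac.new(key, i.encode(), hashlib.sha256).hexdigest()[:16]: i for i in candidate_ids}
    return {r["token"]: table.get(r["token"]) for r in pseudo_records}


def generalise(record):
    """Drop direct identifiers and coarsen quasi-identifiers:
    date of birth -> birth decade, 6-digit PIN -> 3-digit postal region."""
    return {
        "birth_decade": record["dob"][:3] + "0s",
        "pin_prefix": record["pin"][:3],
        "dx": record["dx"],
    }


def is_k_anonymous(rows, k, quasi=("birth_decade", "pin_prefix")):
    """True if every combination of quasi-identifier values occurs at least k times."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return all(c >= k for c in counts.values())


def anonymise(records, k=2):
    """Generalise, then suppress rows whose quasi-identifier combination is rarer
    than k. Returns (released_rows, number_suppressed). There is no mapping back."""
    rows = [generalise(r) for r in records]
    counts = Counter((r["birth_decade"], r["pin_prefix"]) for r in rows)
    released = [r for r in rows if counts[(r["birth_decade"], r["pin_prefix"])] >= k]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, DEMO_KEY)
    print("pseudonymised:", pseudo[0])
    print("re-linked with key:", relink(pseudo, DEMO_KEY, [r["id"] for r in RECORDS]))
    released, suppressed = anonymise(RECORDS, k=2)
    print(f"anonymised: {len(released)} rows released, {suppressed} suppressed")
    print("k-anonymous:", is_k_anonymous(released, 2))
```

Note that simply stripping names and IDs (the `generalise` step without suppression) leaves the 1990s/110 record unique; anyone who knows one person born in the 1990s living in that postal region can attribute the diagnosis to them. The suppression step is what makes the release defensible as anonymised rather than merely de-identified.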
Comparison with Global Frameworks
GDPR (EU): Requires storage limitation and mandates erasure when data is no longer needed. Allows anonymisation or aggregation as alternatives. Provides stronger rights such as the “right to be forgotten.”
LGPD (Brazil): Similar storage limitation principles. Allows retention for regulatory, research, and legal defense purposes.
PDPA (Singapore): Data must be destroyed when no longer necessary. Allows anonymisation for business continuity.
CCPA (California, as amended by the CPRA): Requires disclosure of retention periods, or the criteria used to set them, at the time of collection. Stronger focus on consumer transparency than India’s framework.
India aligns broadly with these models but lacks explicit obligations to disclose retention periods upfront, which may evolve through future regulations.
Implementation Challenges in India
- Legacy IT Systems: Older databases may lack built-in deletion protocols, making erasure complex.
- Vendor Ecosystems: Outsourced processors (cloud providers, BPOs) may store data longer than agreed. Fiduciaries must contractually enforce retention obligations.
- Cross-Border Transfers: Foreign affiliates may have longer retention practices. Ensuring alignment across jurisdictions is a compliance hurdle.
- Cultural Attitudes: Indian businesses often view data as an asset to be kept indefinitely “just in case.” Changing this mindset requires awareness and accountability.
Compliance Strategies for Businesses
1. Data Mapping – Identify where personal data resides, who holds it, and why.
2. Retention Schedules – Define maximum retention periods based on legal, contractual, and business needs.
3. Automated Deletion Protocols – Implement system triggers for erasure after expiry.
4. Anonymisation Standards – Develop robust anonymisation protocols for analytics and research.
5. Vendor Contracts – Impose retention/deletion obligations on processors and conduct audits.
6. Employee Training – Sensitise staff on risks of over-retention.
7. Audit Trails – Maintain logs of erasure and anonymisation actions for accountability.
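Strategies 2, 3 and 7 above are the ones that can be mechanised. The script below is an added example, not the article’s own code and not derived from any statute or RBI circular: the purposes and retention periods in `SCHEDULE` are hypothetical placeholders that a real deployment would replace with periods taken from the applicable law and the fiduciary’s consent notices. It evaluates each record against a retention schedule, handles the cases the article calls out (purpose served, consent withdrawn, statutory minimum still running, legal hold), and writes every decision to a hash-chained audit log so that later tampering with the trail is detectable.

```python
"""Added example: retention-schedule evaluation with a tamper-evident audit trail.

SCHEDULE values are hypothetical; nothing here reflects actual Indian retention law.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical schedule. Per purpose: business retention after the purpose ends,
# statutory minimum retention after the purpose ends, and what to do at expiry.
SCHEDULE = {
    "loan_servicing": {"business_days": 0,   "statutory_days": 365 * 5, "expiry_action": "erase"},
    "recruitment":    {"business_days": 180, "statutory_days": 0,       "expiry_action": "erase"},
    "clinical_care":  {"business_days": 0,   "statutory_days": 365 * 3, "expiry_action": "anonymise"},
    "marketing":      {"business_days": 0,   "statutory_days": 0,       "expiry_action": "erase"},
}


@dataclass
class Record:
    record_id: str
    purpose: str
    purpose_ended: Optional[date]   # None means the purpose is still being served
    consent_withdrawn: bool = False
    legal_hold: bool = False        # litigation or regulator request


def decide(rec, today):
    """Return (action, reason). Actions: retain, retain_restricted, erase, anonymise.

    Ordering of the rules encodes the policy: a legal hold beats everything;
    consent withdrawal ends the purpose immediately and allows retention only
    for the statutory minimum (stored but not used); otherwise data is kept for
    the longer of business and statutory periods, then erased or anonymised.
    """
    rule = SCHEDULE[rec.purpose]
    if rec.legal_hold:
        return "retain_restricted", "legal hold overrides schedule"
    if rec.purpose_ended is None and not rec.consent_withdrawn:
        return "retain", "purpose still active"
    ended = rec.purpose_ended or today          # withdrawal ends the purpose now
    statutory_until = ended + timedelta(days=rule["statutory_days"])
    if rec.consent_withdrawn:
        if today < statutory_until:
            return "retain_restricted", f"consent withdrawn; statutory retention until {statutory_until}"
        return "erase", "consent withdrawn and no statutory basis remains"
    keep_until = ended + timedelta(days=max(rule["business_days"], rule["statutory_days"]))
    if today < keep_until:
        return "retain", f"within retention period (until {keep_until})"
    return rule["expiry_action"], "retention period expired"


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, entry):
        body = json.dumps(entry, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, entry):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"entry": entry, "prev": prev, "hash": self._digest(prev, entry)})

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["entry"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_sweep(records, today, log):
    """Evaluate every record, log the decision, return {record_id: action}."""
    actions = {}
    for r in records:
        action, reason = decide(r, today)
        actions[r.record_id] = action
        log.append({"date": today, "record": r.record_id, "purpose": r.purpose,
                    "action": action, "reason": reason})
    return actions


# Constructed sample records covering each branch of the policy.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("loan-old",        "loan_servicing", date(2019, 1, 1)),
    Record("loan-withdrawn",  "loan_servicing", date(2023, 1, 1), consent_withdrawn=True),
    Record("cv-recent",       "recruitment",    date(2025, 3, 1)),
    Record("cv-withdrawn",    "recruitment",    date(2025, 3, 1), consent_withdrawn=True),
    Record("patient-old",     "clinical_care",  date(2021, 1, 1)),
    Record("newsletter",      "marketing",      None, consent_withdrawn=True),
    Record("patient-hold",    "clinical_care",  date(2021, 1, 1), legal_hold=True),
]


def demo():
    log = AuditLog()
    return run_sweep(SAMPLE_RECORDS, TODAY, log), log


if __name__ == "__main__":
    actions, log = demo()
    for rid, action in actions.items():
        print(f"{rid:16} -> {action}")
    print("audit chain intact:", log.verify())
```

The `retain_restricted` outcome is the one most programs get wrong: a record kept only because a statute requires it must be fenced off from ordinary processing, not left in the live customer table. The audit chain is deliberately simple; in production the head hash would be anchored somewhere the operations team cannot rewrite (a write-once bucket or an external timestamping service), because a log that lives next to the data it describes proves little on its own.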
Risks of Non-Compliance
- Financial Penalties: Up to ₹250 crore where inadequate security safeguards lead to a personal data breach; other contraventions of fiduciary obligations, including unjustified retention, attract penalties of up to ₹50 crore under the Act’s Schedule.
- Cybersecurity Risks: Larger databases create attractive breach targets.
- Reputational Harm: Negative publicity if outdated data is leaked.
- Contractual Liability: Non-compliance may breach B2B obligations, especially with global partners.
Conclusion & Key Takeaways
The DPDP Act embeds storage limitation as a cornerstone of data protection. Organizations must:
- Retain data only as long as necessary.
- Erase or anonymise data once purposes are fulfilled or consent is withdrawn.
- Implement structured retention schedules and deletion protocols.
- Use anonymisation to preserve business value while mitigating risks.
Over-retention is no longer a neutral choice; it is a compliance risk. Businesses that adopt disciplined data lifecycle management will not only avoid penalties but also enhance consumer trust in India’s digital economy.
Contributed by – Aurelia Menezes