Article -> Article Details
| Title | Understanding Data Retention in Compliance with DPDPA and Draft DPDP Rules |
|---|---|
| Category | Business --> Advertising and Marketing |
| Meta Keywords | Tsaaro consulting |
| Owner | Tsaaro Consulting |
| Description | |
| In today’s fast-paced, data-driven world, businesses collect large amounts of data and store such information regularly. This data is extremely important for growth, customer insights and innovation to boost the business. However, it also carries significant legal and ethical risks if not handled appropriately in accordance with data privacy regulations as well as accepted industry practices. Improper handling of personal data can lead to breach of privacy, loss of customer trust and legal repercussions. One of the key pillars of effective data management is having a comprehensive and dynamic data retention policy in place. The Digital Personal Data Protection Act (DPDPA) enacted in August 2023 is the cornerstone of India’s evolving data privacy and protection landscape. Following its enactment, on January 3rd 2025, to supplement and provide clarity to the DPDPA, the Ministry of Electronics and Information Technology (MeiTY) released the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules) for public feedback, open until February 18th 2025 on the MyGov Portal. The DPDPA and Draft DPDP Rules, together establish a comprehensive framework for data retention in India. What is Data Retention? The term data retention essentially refers to the practice of storing certain collected data for a specified period of time or until the purpose for which the data is collected is fulfilled. In the case of data protection regulations, rules and procedures around how long an organisation can retain and store data are generally outlined for different types of data. The general principle of storage limitation mandates that data must be stored only for as long as is required for its intended purpose and once the purpose is fulfilled, it is either completely deleted. In case the business is legally required to further retain the data or securely archive it, the same must be adhered to. Section 8(7) specifically imposes an obligation on data fiduciaries to erase personal data, stored by them or their data processors, upon the withdrawal of consent by a data principal or as soon as it is determined that the specified purpose for which the data was collected is no longer being served. However, in cases where the data fiduciary is, by law, required to retain the data or if retention is required for the specified purpose, they are required to do so. Retention Periods The draft DPDP Rules provide for specific data retention periods based on the purpose for which the data is being collected and processed. Rule 8 outlines the conditions under which a data fiduciary must erase personal data, specifically focusing on when the data is deemed to no longer serve the specified purpose for which it was collected. The Rule which must be read with the 3rd Schedule of the Draft DPDP Rules,which specifically states that any data fiduciary belonging to a specific class and processing data for a specific purpose as mentioned in the schedule is expected to erase data under the following conditions unless its retention is necessary under for compliance with any relevant law:
The 3rd Schedule specifically sets a data retention period of 3 years from the Data Principal’s last interaction with the Data Fiduciary for the specified purpose or exercise of rights or date of Commencement of The DPDP Rules (whichever is later) for three types of data fiduciaries:
This specified data retention period applies to data collected and processed for all purposes except for enabling the data principal’s access to a user account and a usable virtual token issued by or on behalf of the Data Fiduciary, stored on the Fiduciary’s digital platform. Read Original Article Here > Understanding Data Retention in Compliance with DPDPA and Draft DPDP Rules | |