How long can organisations retain personal data under the DPDP Act? The DPDP Act 2023 requires Data Fiduciaries to retain personal data only for as long as necessary to fulfil the purpose for which it was collected. Once the purpose is served — or the data principal withdraws consent and there is no other legal basis for retention — the data must be erased. Organisations should maintain a formal Data Retention Schedule that specifies retention periods for each data category, the legal or business justification for that period, and the deletion mechanism.
DPDP Section 8(7) requires you to delete personal data when it's no longer needed. Generate a complete retention schedule for your organisation in 3 minutes.
Click any cell to edit. All changes are saved in your browser session.
| Data Category | Retention Period | Legal Basis | Deletion Method | Review Frequency |
|---|
Relative retention periods across your selected data categories (scale: 10 years max).
Get this schedule sent to your inbox along with a free Data Retention Policy template you can customise for your organisation.
Need a legally reviewed Data Retention Policy signed off by a qualified DPDP consultant? Our team can produce a board-ready retention policy document with evidence of review.
Book a Consultation with Niti Bharat →