If you keep data forever, an attacker who gets in has more old information to steal, your storage costs grow needlessly, and you risk penalties under the DPDP Act 2023, which requires you to erase personal data once its purpose has been served unless another law requires you to keep it. Imagine a Delhi-based garment exporter is breached and the attacker finds 10 years of customer card data that the business had no reason to keep beyond 2 years: the company faces a DPDP Act penalty (the Act allows up to ₹250 crore for failing to maintain reasonable security safeguards), loses customer trust, and its cyber-insurance claim may be rejected because it breached its own retention rules. Without a clear retention schedule you also struggle in GST and IT audits, because auditors cannot verify that you are complying with record-keeping laws.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no written policy about how long to keep data. Files and databases just accumulate—nobody deletes anything because there's no rule saying when it's safe to do so.
Initial
You have a vague understanding that old data should be deleted eventually, but there's no written document listing which data types stay for how long. Deletion happens randomly or only when storage is full.
Developing
You have created a simple one-page data retention schedule that lists a few key data types (invoices, employee records, customer details) with rough retention periods (e.g., 7 years for invoices). The IT person knows about it but it's not enforced or monitored.
Defined
You have a formal written data retention policy covering all important data types with specific retention periods based on legal requirements (GST law, Companies Act, DPDP Act). The policy is documented, shared with staff, and the IT person follows it when deleting files.
Managed
Your retention policy is integrated into your IT systems—for example, databases auto-delete old records after the retention period, backup systems respect retention rules, and you have a log showing what was deleted and when. The policy is reviewed annually and updated when laws change.
Optimised
You have an automated, continuously monitored data lifecycle management system where retention rules are enforced across all systems (email, databases, file servers, cloud storage). You have quarterly audits of deletion logs, staff training happens every 6 months, and the policy is updated immediately when regulations change. Compliance is measured and reported to management.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Sit down with the IT person and owner to list the top 10 types of data your business keeps (invoices, customer records, employee files, bank statements, etc.). Write down rough guesses for how long each should be kept based on common sense and what you think the law requires. | Business owner and IT person | 1 day |
| 1 → 2 | Convert the list into a one-page simple table with the columns Data Type, How Long to Keep, Why, and Who Deletes It. Research the actual legal requirements for your industry (e.g., 72 months from the annual return due date for GST records under CGST Act s.36; the registers and periods required by the labour laws that apply to you for employee records). Get the table reviewed by your accountant or a compliance consultant. | IT person with guidance from accountant or compliance expert | 1 week |
| 2 → 3 | Create a formal Data Retention and Deletion Policy document (3-5 pages) that lists all data types, retention periods with legal justification, who is responsible for deletion, how deletion is done (secure deletion, not just empty recycle bin), and what records are kept. Have it reviewed by your legal advisor or compliance consultant, then get the owner to sign and date it. | Compliance person or IT manager with legal/accounting review | 2-4 weeks |
| 3 → 4 | Work with your IT person or systems administrator to implement automated deletion in your main systems: set up email retention rules (e.g., delete emails older than 3 years), configure database scripts to delete old transactional records, set archive and deletion policies in cloud storage (Google Drive, OneDrive, etc.), and create a monthly deletion log. Test the automation with non-critical data first. | IT manager or systems administrator | 1-2 months |
| 4 → 5 | Establish a quarterly review process: audit deletion logs to confirm deletions are happening on schedule, gather feedback from business teams about any data they need to retain longer, update the policy if laws change (set a calendar reminder for January each year), conduct annual staff training on the retention policy, and report compliance metrics to management. Document all reviews and training attendance. | Compliance officer or IT manager with quarterly review meetings involving owner and team leads | Ongoing (4-6 hours per quarter) |
Documents and records that prove your maturity level.
- Signed and dated Data Retention and Deletion Policy document that lists all data types, retention periods, legal justification, and deletion procedures
- Retention Schedule table showing each data category, how many years/months to keep, the business or legal reason, and the owner responsible
- Monthly or quarterly deletion logs showing what data was deleted, when, how (secure deletion method), and who approved it
- Email retention rule configuration screenshots from your email platform (Microsoft Purview retention policies for Microsoft 365, Google Vault retention rules for Google Workspace) showing the automatic deletion rules are active and which mailboxes they cover
- Annual review record showing the policy was reviewed, any changes made, and sign-off by owner or compliance lead (e.g., a meeting note dated and initialed)
Prepare for these questions from customers or third-party reviewers.
- "Show me your data retention policy. How is it documented and where is it stored so employees can access it?"
- "For a sample of 5 data types (e.g., customer invoices, employee records, vendor contracts), tell me exactly how long you keep each and show me the legal or business reason."
- "How do you ensure data is actually deleted when the retention period ends? Do you have logs or reports proving deletions happened?"
- "What happens if someone asks to keep data longer than your policy allows, or if the law changes? How do you update the policy?"
- "Walk me through your email retention rules. How long do you keep old emails and is this enforced automatically or manually?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and manage the retention policy document | Google Docs (included in free Google Workspace) or Microsoft Word | Microsoft 365 (₹499–999/year per user for small business) includes compliance templates |
| Track and log what data is deleted and when | Google Sheets or Excel spreadsheet with deletion checklist | Veritas NetBackup or Commvault (enterprise backup tools with retention automation, ₹3–10 lakhs+ per year) or Cohesity (mid-market, ₹20–50 lakhs+) |
| Automate email retention and deletion in Microsoft 365 or Google Workspace | Built-in: Microsoft Purview retention policies and labels (Microsoft 365) and Google Vault retention rules (Google Workspace); both come with eligible business plans at no extra cost, so check which plan your tenant is on before assuming they are available | Advanced archival: Proofpoint Archive (₹2–5 lakhs+/year) or Druva (₹50–150 per user/year) |
| Securely erase data from hard drives and servers | DBAN (Darik's Boot and Nuke, no longer maintained) or Eraser (Windows, open source) for manual wiping; built-in OS tools (cipher /w on Windows to overwrite free space, shred on Linux). Overwriting is only reliable on spinning disks: for SSDs and NVMe drives use the drive's own ATA Secure Erase or NVMe Sanitize command, or keep the disk encrypted and destroy the key | WipeDrive (₹2,000–5,000 one-time) or Blancco (enterprise, ₹20–50 lakhs+) |
| Monitor and audit file deletion across networks | Windows Security log (enable Audit File System under Advanced Audit Policy and set an audit SACL on the folder; deletions then appear as event 4663 with DELETE access followed by event 4660) and auditd on Linux; both need manual review or a script to turn events into a deletion report | Varonis DatAlert (₹10–30 lakhs+/year) or Forcepoint DLP (₹5–20 lakhs+/year) |
- Retaining data 'just in case' without legal justification—Indian businesses often keep employee records and customer data forever out of fear, creating unnecessary liability. Set retention periods based on GST (6 years), Companies Act (8–10 years), and DPDP Act (only as long as needed), not forever.
- Backup and archive files are forgotten. Many companies delete active data but forget that the old data still lives in backups and cloud archives (OneDrive, Google Drive, offline tapes). Your retention policy must cover backups too: because individual records usually cannot be removed from a backup set, set backup expiry so that no backup outlives the longest retention period of the data it contains, and treat a retained backup of "deleted" personal data as data you are still holding.
- No distinction between different data types, treating all data the same way. Card data is governed by PCI DSS, which limits storage of account data to a documented business need and retention period and forbids keeping sensitive authentication data such as the CVV after authorisation at all; GST invoices and related records must be kept for 72 months from the due date of the annual return (CGST Act s.36); employee records follow the labour laws that apply to you; and marketing lists built on consent must go once consent is withdrawn or the purpose is served (DPDP Act s.8(7)). One retention period does not fit all.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(7): a Data Fiduciary must erase personal data once the Data Principal withdraws consent or the specified purpose is no longer being served, whichever is earlier, unless retention is necessary to comply with a law in force |
| CERT-In Directions 2022 | Directions of 28 April 2022 under s.70B(6) of the IT Act: ICT system logs must be retained for a rolling period of 180 days, and data centre, cloud, VPS and VPN providers must keep customer registration details for 5 years after the service ends. Your schedule therefore needs minimum periods as well as maximum ones |
| ISO 27001:2022 | Annex A 5.33 (Protection of records), A 7.10 (Storage media, including secure disposal) and A 8.10 (Information deletion) require records to be kept for defined periods and information to be deleted when no longer required |
| NIST CSF 2.0 | GOVERN > GV.PO-01 (a policy for managing cybersecurity risk is established, communicated and enforced) and IDENTIFY > ID.AM-08 (systems, hardware, software, services and data are managed throughout their life cycles) |