PDP-09 · Privacy & Data Protection · 6% of OML score

Is personal data retained only for as long as it is needed?

This question asks: do you delete or destroy customer and employee personal data once you no longer have a business reason to keep it? For example, if a customer hasn't ordered in 3 years, do you still have their address and phone number sitting in your system? The longer you keep data, the bigger the risk if that data gets stolen or misused.

Why This Matters to Your Business

Old customer files, employee records, and supplier information create unnecessary security risk—if your system gets hacked, thieves have access to more people's details than needed. Under India's DPDP Act 2023, you can face penalties if you hold personal data beyond what's required, and customers increasingly ask 'what data do you still have on me?' In a real scenario: a Delhi manufacturing company kept 7 years of supplier contact details 'just in case,' and when their server was breached in 2023, regulators questioned why they retained data far beyond contract terms—leading to compliance notices and customer trust damage. Holding unnecessary data also wastes your storage costs and creates liability during audits.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no documented data retention policy and store data indefinitely—customer records from 10 years ago sit in spreadsheets alongside current ones. You delete data only when storage runs out or someone accidentally removes it.

Level 1
Initial

You have a rough idea that old data should be deleted, but no formal schedule—sometimes IT deletes old files when they remember, other times data stays for years. There's no written rule about how long different types of data should be kept.

Level 2
Developing

You have documented retention rules (e.g., keep customer data for 5 years, employee records for 7 years) and someone is assigned to delete data manually once per year. Not all data types are covered and the deletion process is inconsistent.

Level 3
Defined

You have a complete data retention policy covering all data types (customer, employee, financial, logs) with clear retention periods tied to business needs and legal requirements. Deletions happen on a documented schedule, typically quarterly, and you keep basic records of what was deleted.

Level 4
Managed

Your retention policy is automated—systems delete data automatically when retention periods expire (e.g., log files purged after 90 days, customer records after customer relationship ends plus 2 years). You track deletions in audit logs and periodically review whether retention periods still make sense.

Level 5
Optimised

Your data retention is fully automated with real-time monitoring, your policy is reviewed and updated annually based on legal changes and business requirements, and you can demonstrate on-demand proof to auditors and customers of what data you hold and why. Deletion is cryptographic and irreversible, and you conduct annual retention compliance reviews.

How to Move Up — Practical Steps

Step 0 → 1
  What to do: Document a simple one-page data retention policy listing the main data types you collect (customers, employees, suppliers) and write next to each how long you think you need to keep it (e.g., 'customer records: 3 years after last purchase'). Have the owner/manager sign it.
  Who: Owner or IT person
  Effort: 1 day

Step 1 → 2
  What to do: Expand the policy to cover all data types you actually store (include financial, tax, employment, marketing lists). Assign one person (part-time is fine) to review and manually delete expired data quarterly. Create a simple log file recording what was deleted and when.
  Who: Owner + designated person (could be accountant or IT)
  Effort: 1 week

Step 2 → 3
  What to do: Align your retention periods with DPDP Act requirements and your actual business needs—don't just guess. Get your accountant/compliance person to confirm tax and labour law retention needs, then document the final policy. Set up quarterly deletion calendar reminders. Create a simple spreadsheet to track what data you hold and its deletion dates.
  Who: Owner + accountant/compliance person + IT
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Implement automated deletion in your main systems (CRM, email, file storage)—configure systems to auto-purge logs after 90 days, archive old customer records, and auto-delete inactive employee files. Test the automation quarterly and keep audit logs of deletions. Brief your team on the new process.
  Who: IT person + system administrator
  Effort: 4-6 weeks

Step 4 → 5
  What to do: Review and enhance your policy annually to stay current with new DPDP Act guidance and business changes. Implement real-time monitoring dashboards showing data volumes by type and age. Conduct a formal compliance audit at least once yearly and make the results available to customers and auditors on request.
  Who: Compliance officer/designated person + IT
  Effort: Ongoing (4 hours per quarter minimum)
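The automated sweep that steps 1→2 through 3→4 describe, written out as an added Python example (not code from the NIRMATA guide): it applies a retention period per data type, skips nothing silently, and produces the audit entries the guide asks for, including the backup copies that must be purged with the live record. The periods in POLICY_DAYS, the Record layout, the legal-hold flag and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention in days per data type. Log and customer figures mirror the guide's
# Level 4 example, employee its Level 2 example; confirm against your own policy.
POLICY_DAYS = {"log": 90, "customer": 2 * 365, "employee": 7 * 365}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date      # file date, last purchase, relationship end, exit date
    backup_locations: list = field(default_factory=list)  # copies that must go too
    legal_hold: bool = False  # active dispute: retain, but log the exception

def is_expired(rec, today):
    # True once the record is past trigger_date plus its category's retention.
    return today > rec.trigger_date + timedelta(days=POLICY_DAYS[rec.category])

def sweep(records, today, authorised_by):
    """Return (record ids to delete, audit entries) for one scheduled run."""
    to_delete, audit = [], []
    for rec in records:
        entry = {"date": today.isoformat(), "record": rec.record_id,
                 "category": rec.category, "authorised_by": authorised_by}
        if rec.category not in POLICY_DAYS:
            # Policy gap: Level 3 requires every data type to have a period.
            audit.append({**entry, "action": "no_policy"})
        elif not is_expired(rec, today):
            continue                      # within retention, nothing to log
        elif rec.legal_hold:
            audit.append({**entry, "action": "legal_hold"})
        else:
            to_delete.append(rec.record_id)
            audit.append({**entry, "action": "delete",   # backups purged too
                          "also_purge": list(rec.backup_locations)})
    return to_delete, audit

# Constructed sample inventory; identifiers, dates and locations are made up.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("LOG-0001", "log", date(2024, 1, 15), ["nas://backups/logs"]),
    Record("LOG-0002", "log", date(2024, 5, 1)),
    Record("CUST-0042", "customer", date(2021, 3, 1), ["s3://backup-bucket/crm"]),
    Record("CUST-0077", "customer", date(2020, 6, 1), legal_hold=True),
    Record("EMP-0009", "employee", date(2019, 12, 31)),
    Record("SUP-0003", "supplier", date(2015, 8, 20)),  # no retention period set
]

def run_sample():
    return sweep(SAMPLE_RECORDS, SAMPLE_TODAY, "designated data owner")
```

run_sample() returns the two expired, unheld records for deletion and four audit entries; the "no_policy" entry for the supplier record is the signal that the policy does not yet cover every data type you hold.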
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written data retention policy document, signed and dated, showing retention periods for each data type (customer, employee, financial, logs, marketing, etc.)
  • A data inventory spreadsheet or log listing what personal data you hold, where it's stored, and the planned deletion/retention date for each category
  • Quarterly or annual deletion logs/records showing dates when data was actually deleted, what was deleted, and who authorized it (can be as simple as a dated checklist)
  • Email or calendar reminders showing deletion is scheduled regularly (e.g., 'delete old logs on the 15th of each quarter')
  • A retention schedule document tied to legal requirements (tax retention periods per Indian income tax rules, employment records per labour laws, etc.)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your written data retention policy—what is the maximum time you keep personal data for each category, and how did you decide on these periods?"
  • "Can you demonstrate that data older than your retention period is actually deleted? Show me deletion records from the past 12 months."
  • "For a customer who hasn't purchased in 4 years, do you still have their contact details? If yes, why? If no, when and how was it deleted?"
  • "Walk me through your process for actually executing data deletion—who decides, who performs it, how do you verify it's gone, and how do you record it?"
  • "Are your retention periods aligned with DPDP Act 2023 requirements and Indian legal obligations (tax, labour, contract law)? Show me the documentation that supports your choices."
Tools That Work in India

Track and manage which data you hold and when to delete it
  Free option: Simple spreadsheet (Google Sheets or Excel with formulas to calculate deletion dates automatically)
  Paid option: OneTrust (data governance platform, ~₹5,00,000/year for SMEs) or TrustArc (~₹3,00,000/year)

Automate deletion of old files and logs in your systems
  Free option: Built-in features in Windows (Group Policy) or Linux (cron jobs) for file deletion; cloud provider native tools (AWS S3 Lifecycle Policies, Google Cloud Storage lifecycle rules)
  Paid option: Veritas NetBackup or Commvault for advanced data lifecycle management (~₹10,00,000+/year for enterprise)

Monitor data volumes and generate retention compliance reports
  Free option: Built-in reporting in your CRM or email system (Zoho CRM reports, Microsoft 365 retention reports if you use them)
  Paid option: Druva, Veritas, or similar backup/governance tools with reporting dashboards (~₹2,00,000-5,00,000/year)
How This Makes You More Resilient
When you actively delete data you don't need, the damage from a data breach is automatically smaller—a hacker stealing your server gets 2 years of customer data instead of 10, reducing your liability and the number of people harmed. You're also less likely to face regulatory penalties from NIRDPR audits or customer inquiries about 'why do you still have my data,' which builds trust and reduces legal risk. Simpler data = faster incident response and lower storage costs, meaning your business runs more efficiently even without a breach.
Common Pitfalls in India
  • Keeping all data 'just in case' without a business reason—Indian businesses often retain 7-10 years of customer/supplier records because they assume legal requirements are strict, when in fact most contracts only require 3-5 years. Check with your CA/lawyer instead of guessing.
  • Forgetting about backup copies—you delete data from the live system, but old backups from 2020 still exist in your NAS or cloud storage with the same personal information. Your deletion process must include backups, or auditors and customers will question it.
  • Not deleting employee data after they leave—many Indian companies keep complete personnel files (salary, attendance, family details) for years 'in case of disputes.' The DPDP Act limits this; best practice is to delete after 3 years unless you're defending an active legal case.
Compliance References

  • DPDP Act 2023: Section 4(6) (purpose limitation and storage limitation principle) and Section 8 (consent requirements for data retention beyond purpose)
  • CERT-In 2022: Not specifically addressed; falls under general data protection best practice guidelines
  • ISO 27001:2022: Annex A 5.3.1 (data retention) and A 5.3.3 (information and other assets on removal of access)
  • NIST CSF 2.0: Govern (GV) - Data Governance: GV.DG-02 Data lifecycle policies and controls are in place and reviewed


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
