NCSRC NIRMATA
PDP-10 Privacy & Data Protection 6% of OML score

Is personal data securely deleted when no longer required?

When you no longer need customer or employee personal information—like old employee records, completed project files, or expired customer lists—you must delete it completely so that it cannot be recovered or misused. Simply pressing 'Delete' on a computer is not enough; the data stays on the hard drive unless you actively wipe it.

⚡
Why This Matters to Your Business

If you keep personal data longer than necessary and a breach occurs, you face regulatory fines under the Digital Personal Data Protection (DPDP) Act 2023, loss of customer trust, and potential legal liability. For example, a Delhi-based export company that kept employee PAN and bank details for three years after employment ended had a server hacked; they were fined ₹50 lakhs and lost two major clients who switched to competitors citing poor data hygiene. Customers and auditors increasingly ask 'Where is my data deleted?' and if you cannot prove secure deletion, you fail compliance checks and lose contracts. Undeleted data also adds storage cost and creates operational clutter.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You keep all files indefinitely on shared drives or old laptops. When asked about deleted data, you say 'I think we deleted it' but have no records, deletion logs, or process for removing sensitive information.

Level 1
Initial

You have a rough list of what data should be deleted and occasionally ask people to 'clean up old files,' but deletion happens manually without documentation. No one tracks what was actually deleted or how it was removed.

Level 2
Developing

You have a written data retention policy that says how long to keep customer and employee data, and IT deletes files when the retention period ends. However, deletion is simple file removal without secure wiping, and there is no audit trail of what was deleted.

Level 3
Defined

Your retention policy is documented, shared with staff, and deletion uses secure methods like file shredding tools. You keep basic records showing what was deleted and when, and you review the policy annually.

Level 4
Managed

You use secure deletion tools across all systems (servers, PCs, mobile devices), maintain detailed logs of every deletion event with timestamps and approvals, and conduct quarterly audits. Staff are trained on the deletion process and understand why it matters.

Level 5
Optimised

Secure deletion is automated based on your retention policy; tools continuously monitor and securely erase data on schedule. You have audited third-party confirmation of deletion, regularly test that deleted data cannot be recovered, and continuously improve your process based on industry standards and audits.

🚀
How to Move Up — Practical Steps

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a one-page Data Retention & Deletion Policy that lists what personal data you hold (customer names, employee PAN, etc.), how long to keep it, and who is responsible for deleting it. Share it with the team. | IT Manager or Senior Manager | 3-5 days |
| 1 → 2 | Implement file shredding software (free options available) on all computers and servers used for personal data storage. Create a simple deletion log (Excel spreadsheet) where IT records what data was deleted, on which date, and from where. | IT Manager | 1-2 weeks |
| 2 → 3 | Define a quarterly review schedule where IT audits systems to confirm deletion happened according to policy. Document the audit findings in a report. Train all staff who handle personal data (HR, sales, finance) on the deletion policy and why secure deletion matters. | IT Manager and HR Lead | 2-4 weeks (setup) + 2 hours per quarter (ongoing) |
| 3 → 4 | Upgrade deletion tools to enterprise-grade secure erasure software that logs every deletion event automatically. Integrate deletion into your backup and storage lifecycle so old backups containing personal data are also securely wiped. Conduct a mock recovery test to prove deleted data cannot be retrieved. | IT Manager | 1-2 months |
| 4 → 5 | Automate data deletion using scheduled policies in your storage systems so that personal data is automatically erased on the retention date without manual intervention. Engage a third-party auditor to test and certify your deletion process annually. Continuously monitor emerging secure deletion standards and update tools accordingly. | IT Manager and external auditor | Ongoing (quarterly reviews + annual third-party audit) |

📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • A documented Data Retention and Deletion Policy signed by management, specifying retention periods for each type of personal data (e.g., customers 3 years, employees 7 years, prospects 1 year)
  • A deletion log or register showing date, type of data deleted, quantity/volume, deletion method used, and who performed the deletion, for at least the last 12 months
  • Copies of secure deletion tool reports or logs showing deletion events with timestamps for servers, PCs, and mobile devices
  • Quarterly or annual audit reports documenting that deletion was performed according to policy, signed by IT manager or auditor
  • Training records or sign-off sheets showing that staff responsible for data handling have been trained on the retention and deletion policy
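
A small retention sweep that applies the example retention periods listed above and writes the deletion-log fields described in the evidence list, as an added example that is not part of the original guide. The folder layout (`root/<data_type>/`), the use of file modification time as the retention clock, and the function names are assumptions.

```python
import csv, os, time
from datetime import datetime, timezone

# Retention periods in years, from the policy example on this page.
RETENTION_YEARS = {"customers": 3, "employees": 7, "prospects": 1}
LOG_FIELDS = ["date", "data_type", "file", "bytes", "method", "performed_by"]

def overwrite_and_delete(path):
    """Overwrite once with random bytes, sync, then unlink. Does not reach SSD
    spare blocks, copy-on-write snapshots or backups (handle those separately)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            chunk = min(remaining, 1 << 20)  # 1 MiB at a time, bounded memory
            fh.write(os.urandom(chunk))
            remaining -= chunk
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return size

def retention_sweep(root, log_path, performed_by, now=None):
    """Erase files past retention under root/<data_type>/ and log each event.
    Assumption: file mtime stands in for the date the retention clock started."""
    now = time.time() if now is None else now
    stamp = datetime.fromtimestamp(now, timezone.utc).isoformat()
    events = []
    write_header = not os.path.exists(log_path)
    with open(log_path, "a", newline="") as log:
        writer = csv.DictWriter(log, fieldnames=LOG_FIELDS)
        if write_header:
            writer.writeheader()
        for data_type, years in RETENTION_YEARS.items():
            folder = os.path.join(root, data_type)
            if not os.path.isdir(folder):
                continue
            cutoff = now - years * 365 * 86400
            for name in sorted(os.listdir(folder)):
                path = os.path.join(folder, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # never follow links out of the data folder
                if os.path.getmtime(path) < cutoff:
                    event = {"date": stamp, "data_type": data_type, "file": path,
                             "bytes": overwrite_and_delete(path),
                             "method": "overwrite-1-pass+unlink", "performed_by": performed_by}
                    writer.writerow(event)  # logged immediately after each erase
                    events.append(event)
    return events
```

Run from Windows Task Scheduler or cron, this gives each deletion a timestamped log row; the approval and verification columns an auditor asks about would still be filled in by a person.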
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your data retention policy. How do you decide how long to keep customer PAN numbers, employee addresses, or other sensitive data?"
  • "Walk me through a recent deletion. How did you physically remove that data, and what proof do you have that it was completely erased and cannot be recovered?"
  • "Do you use standard file deletion or a secure wiping tool? If standard deletion, how do you know the data is unrecoverable from the hard drive?"
  • "What happens to deleted data in your backup systems and archives? When do you delete it from there?"
  • "Can you show me your deletion logs for the past six months? Who authorized each deletion and when was it verified as complete?"
🛠
Tools That Work in India

| Purpose | Free Option | Paid Option |
|---|---|---|
| Securely erase files and hard drives so deleted data cannot be recovered | Eraser (Windows, open source), BleachBit (Windows/Linux/Mac, open source), DBAN (hard drive wiping, free) | Symantec Endpoint Encryption (~₹20,000-50,000/year for small team), KillDisk Professional (~₹15,000/year) |
| Manage data retention schedules and automate deletion based on policy | Built-in OS scheduling tools (Windows Task Scheduler, Linux cron), basic spreadsheet-based tracking | Varonis Data Governance (~₹5-10 lakhs/year for SMEs), Commvault Data Management (~₹3-8 lakhs/year) |
| Track and audit all deletion events with logs and timestamps | Microsoft Excel or Google Sheets for manual logging, standard OS audit logs | SolarWinds Event Log Manager (~₹2-5 lakhs/year), Splunk (~₹10-20 lakhs/year for SMEs) |

🛡
How This Makes You More Resilient
When you securely delete personal data on schedule, you significantly reduce the risk and impact of data breaches because there is less sensitive information sitting around to be stolen. Customers and compliance auditors gain confidence that you take their privacy seriously, reducing reputational damage and contract loss. You also free up storage space and avoid costly regulatory fines if data is discovered during inspections.
⚠️
Common Pitfalls in India
  • Assuming that deleting a file from the recycle bin or emptying the trash permanently removes it—the data remains on the hard drive until overwritten with new data, making recovery possible with forensic tools.
  • Keeping personal data 'just in case' without a documented retention period, leading to accumulation of unnecessary sensitive information that increases breach risk and storage costs over years.
  • Failing to delete data from backup systems and archives, so even if you delete from the live server, copies remain in old backups that are rarely reviewed and can be recovered if compromised.
  • Not documenting deletions, so during audits you cannot prove that data was actually removed, and auditors or customers assume you still have their information and may penalize you or terminate contracts.
  • Repurposing or donating old computers and hard drives without securely wiping them first, inadvertently exposing customer and employee data to whoever receives the device.
⚖️
Compliance References

| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Right to be forgotten) and Section 10 (Data fiduciary obligations including secure deletion) |
| CERT-In Guidelines 2022 | Guideline 6.2 - Data Lifecycle Management and secure deletion practices |
| ISO 27001:2022 | Annex A.5.3 (Removal of access rights) and A.8.2.4 (Removal of access to information) |
| NIST CSF 2.0 | Govern (GV) function - Data security governance; Protect (PR) category - Data protection and secure removal |


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
