DPDP: How Long Can Indian Businesses Keep Data?
Understand DPDP data retention rules for Indian businesses. Learn how long you can keep personal data and what compliance entails with MBS.
How Long Can You Keep Data Under DPDP?
The Digital Personal Data Protection Act (DPDP) 2023 mandates that Data Fiduciaries (businesses) delete or anonymize personal data as soon as the purpose for which it was collected is no longer being served. These principles are known as 'purpose limitation' and 'storage limitation'. The Act specifies no fixed duration such as '3 years' or '7 years'; retention is tied directly to the stated purpose.
What This Means for Indian Businesses Right Now
The DPDP Act is in its implementation phase. While exact timelines for full enforcement are still emerging, businesses must already begin auditing their data retention practices. The shift from indefinite storage to purpose-bound retention requires a fundamental change in how data is managed across your organization.
Sushant Pasamarty, founder of Meridian Bridge Strategy, notes, "Many businesses in India collect data and store it 'just in case' they might need it later. DPDP directly challenges this. You must clearly define the purpose at collection and adhere to it." This means an active data lifecycle management strategy is no longer optional.
What You Actually Need to Do for DPDP Data Retention
- Identify and Document Data Purposes: For every piece of personal data you collect, clearly define and document the specific, legitimate purpose. This forms the basis for your retention policy.
- Implement Retention Schedules: Develop and enforce data retention schedules aligned with each documented purpose. Include automatic deletion or anonymization triggers once the purpose is fulfilled or a pre-defined period (justified by the purpose) expires.
- Establish Deletion Mechanisms: Ensure you have robust technical and organizational measures to securely delete or anonymize personal data across all systems, including backups and third-party vendor systems.
- Vendor Due Diligence: Extend your retention policies to your vendors and partners. Ensure their Data Processing Agreements (DPAs) stipulate that they too will delete or anonymize data once the original purpose is met. This is a critical component of DPDP Cross-Border Data Transfer Rules as well.
- Regular Audits: Conduct regular audits of your data inventories and retention policies to ensure ongoing compliance and identify any data being held beyond its defined purpose.
What DPDP Data Retention Compliance Costs
Implementing proper data retention policies under DPDP requires understanding your data flows and integrating new processes. Sushant Pasamarty and Meridian Bridge Strategy offer tiered services that address this directly:
Data Mapping: Foundational Understanding
Understanding where all personal data resides is the first step to managing its retention. This service identifies who collects data, where it's stored, and which vendors interact with it.
- Includes: Map every personal data flow: who collects it, where it goes, which vendors touch it.
- Price range: ₹1.5L – ₹3L
- Duration: 1-2 weeks
DPDP Readiness Audit: Identifying Gaps
Beyond mapping, a readiness audit identifies where your current retention practices fall short of DPDP requirements. It includes an assessment of your deletion protocols and vendor agreements.
- Includes: Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion).
- Price range: ₹2L – ₹6L
- Duration: 2-4 weeks
DPDP Workshop: Roadmap for Implementation
The workshop builds on the audit, providing a prioritized roadmap to address retention gaps, including developing specific retention schedules and improving deletion mechanisms. You can read more about DPDP Workshop deliverables here.
- Includes: Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap.
- Price range: ₹5L – ₹10L
- Duration: 4-6 weeks
Full DPDP Consulting: End-to-End Support
For comprehensive support, this service ensures your data retention policies are not only designed but also effectively implemented, with ongoing support and DPO training on best practices for data lifecycle management.
- Includes: Workshop + Implementation Support + DPO Training + Final Readiness Opinion.
- Price range: ₹7L – ₹12L
- Duration: 3-6 months
When to Start Implementing Retention Policies
You should start now. While the full enforcement framework is still being finalized, the principles of data retention are clear. Delaying implementation increases your risk of non-compliance and potential penalties once the Act is fully enforced.
Next Step: Understand Your Specific Requirements
Every business has unique data flows. Understanding your specific data retention obligations starts with an assessment of your current practices against DPDP's requirements. Use our calculator to get an initial estimate of the resources needed.
Frequently Asked Questions
Does DPDP specify a maximum number of years I can keep personal data?
No, DPDP does not specify a fixed maximum number of years. Instead, it mandates that personal data be deleted or anonymized once the purpose for which it was collected is no longer being served. Retention is tied to the purpose, not a set duration.
What happens if I keep data longer than the purpose requires under DPDP?
Keeping data longer than necessary for its stated purpose is a violation of DPDP's 'purpose limitation' and 'storage limitation' principles. This can lead to non-compliance and potential penalties imposed by the Data Protection Board of India.
Do I need to delete personal data from backups as well?
Yes, DPDP requires that personal data be deleted or anonymized from all systems, including backups. Your data retention policy and deletion mechanisms must account for all copies of personal data across your infrastructure.
How does DPDP apply to data I share with third-party vendors?
Under DPDP, you (as the Data Fiduciary) remain responsible for personal data even when it's shared with third-party vendors (Data Processors). Your Data Processing Agreements (DPAs) must explicitly include clauses requiring vendors to adhere to your retention policies and delete or anonymize data once the processing purpose is fulfilled.