A documented schedule specifying how long each category of personal data is kept and when it must be deleted.
A retention policy is a formal document that specifies, for each category of personal data: the maximum retention period, the legal basis for retaining it, the trigger event from which the period runs (collection, last activity, or withdrawal of consent), and the deletion method. Under Rule 8 of the DPDP Rules, 2025, Data Fiduciaries must establish and enforce retention policies that ensure data is erased once the purpose is fulfilled or the retention period expires. Where another law mandates a minimum retention period, the policy must record that statutory minimum as the governing period for the affected category, and the data must still be erased once that period ends.
Without a formal retention policy, you are almost certainly retaining data indefinitely, which breaches the DPDPA's requirement (Section 8(7)) to erase personal data once consent is withdrawn or the specified purpose is no longer served, unless retention is required by law. A clear policy also lets you answer erasure requests consistently, including identifying which records are under a statutory hold, and demonstrates accountability during an audit by the Data Protection Board of India.
A Hyderabad NBFC defines: KYC documents retained for 5 years after account closure (RBI mandate); transaction logs retained for 8 years (Income Tax Act); marketing preferences deleted 30 days after consent withdrawal; and inactive user accounts purged after 2 years without activity.
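The schedule above only works if each rule is enforced against real records: the clock starts from a per-category trigger event, and an erasure request cannot override a period that another law mandates. The following is an added example (not code from DPDPA Shield or from the NBFC) that encodes that schedule and evaluates it. The trigger event for transaction logs (transaction date) and the 365-day year are assumptions; the page gives only the periods.

```python
"""Retention schedule evaluator. Constructed example, not DPDPA Shield's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class RetentionRule:
    category: str
    trigger: str          # event the retention clock runs from
    period: timedelta
    legal_basis: str
    statutory: bool       # period mandated by another law: survives erasure requests


# Schedule mirroring the NBFC example. 365-day years and the transaction-log
# trigger ("transaction_date") are assumptions, not stated on the page.
SCHEDULE = {
    "kyc_documents": RetentionRule("kyc_documents", "account_closure",
                                   timedelta(days=5 * 365), "RBI KYC mandate", statutory=True),
    "transaction_logs": RetentionRule("transaction_logs", "transaction_date",
                                      timedelta(days=8 * 365), "Income Tax Act", statutory=True),
    "marketing_preferences": RetentionRule("marketing_preferences", "consent_withdrawal",
                                           timedelta(days=30), "consent", statutory=False),
    "inactive_account": RetentionRule("inactive_account", "last_activity",
                                      timedelta(days=2 * 365), "purpose fulfilled", statutory=False),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date    # date the rule's trigger event occurred for this record


def deletion_due(category: str, trigger_date: date) -> date:
    """Date on which the record must be erased; KeyError if the category has no rule."""
    return trigger_date + SCHEDULE[category].period


def due_for_erasure(records: Iterable[Record], today: date) -> list[str]:
    """IDs of records whose retention period has expired as of `today`."""
    return [r.record_id for r in records if deletion_due(r.category, r.trigger_date) <= today]


def handle_erasure_request(record: Record, request_date: date) -> tuple[str, date]:
    """Erase on request unless another law still requires the data to be kept."""
    rule = SCHEDULE[record.category]
    due = deletion_due(record.category, record.trigger_date)
    if rule.statutory and request_date < due:
        return ("retain_until", due)   # statutory hold: tell the Data Principal the date
    return ("erase", request_date)


def unscheduled_categories(inventory_categories: Iterable[str]) -> list[str]:
    """Categories in the data inventory with no retention rule: these are being kept indefinitely."""
    return sorted(c for c in set(inventory_categories) if c not in SCHEDULE)


# Constructed sample records (not real customer data).
TODAY = date(2025, 3, 1)
SAMPLE_RECORDS = [
    Record("kyc-1", "kyc_documents", date(2024, 6, 30)),          # account closed
    Record("txn-2", "transaction_logs", date(2020, 1, 1)),        # transaction date
    Record("mkt-7", "marketing_preferences", date(2025, 1, 1)),   # consent withdrawn
    Record("acct-9", "inactive_account", date(2023, 1, 1)),       # last activity
]

if __name__ == "__main__":
    print("due for erasure:", due_for_erasure(SAMPLE_RECORDS, TODAY))
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, handle_erasure_request(rec, TODAY))
    print("no rule:", unscheduled_categories(["kyc_documents", "support_tickets"]))
```

Two things the code makes concrete: the same request date yields "erase" for the withdrawn marketing consent but "retain_until" for the KYC file, because only the latter is under a statutory hold; and any inventory category without a rule surfaces immediately, which is the indefinite-retention gap the text warns about.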
Retention policies cannot use a single blanket period such as "we retain all data for 7 years." Each data category needs its own justified retention period based on its specific purpose: a blanket period over-retains categories whose purpose ends sooner and may under-retain categories with a longer statutory minimum.
DPDPA Shield automates Data Inventory & RoPA. See how →