Step 6 of 11
Data Retention Policies
Define how long you keep different types of data.
Data Minimization Principle
Under DPDPA, you should only keep personal data for as long as necessary for the purposes for which it was collected. Define clear retention periods for each data category.
Common Retention Periods
| Data Type | Typical Period | Reason |
|---|---|---|
| Account data | Duration of account + 1-3 years | Service provision, legal claims |
| Transaction records | 7 years | Tax and accounting requirements |
| Marketing preferences | Until consent withdrawn | Consent-based processing |
| Support tickets | 2-5 years after resolution | Quality improvement, legal protection |
| Website logs | 30-90 days | Security, troubleshooting |
| Employment records | 7 years after employment ends | Legal requirements |
Factors Affecting Retention
Legal Requirements
Tax laws, employment regulations, industry rules
Contractual Obligations
Agreement terms, warranties, support periods
Legitimate Business Need
Analytics, improvement, security
Legal Claims
Statute of limitations for potential disputes
Creating Your Retention Schedule
For each data category, specify:
- Category of data
- Retention period
- Trigger for deletion (e.g., account closure + X years)
- Legal basis for retention
- Exceptions (if any)
- Review schedule
Deletion Procedures
Document how data is deleted when the retention period expires:
- Automated deletion for time-based retention
- Manual review process for complex cases
- Backup deletion schedules
- Notification to third parties (if shared)
- Anonymization as an alternative to deletion
Don't Forget Backups
Remember that data often exists in backups. Your retention policy should account for backup retention and how data is purged from backup systems.
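To make the retention schedule, the deletion procedures and the backup point above concrete, here is an added example in Python (not part of the original page or any DPDPA tooling). It encodes a schedule as data, computes when each record's period expires from its trigger date, routes legal-hold exceptions to manual review instead of automatic deletion, and reports the date by which the record should also be gone from backups. The category names, periods, the 35-day backup rotation window and the legal_hold flag are assumptions, not values from the page.

```python
from datetime import date, timedelta

# Constructed retention schedule (illustrative values): one entry per data
# category with the fields the schedule calls for.
RETENTION_SCHEDULE = {
    "account_data":        {"years": 3, "trigger": "account closure",   "basis": "legal claims",   "on_expiry": "delete"},
    "transaction_records": {"years": 7, "trigger": "transaction date",  "basis": "tax/accounting", "on_expiry": "delete"},
    "support_tickets":     {"years": 2, "trigger": "ticket resolution", "basis": "quality/legal",  "on_expiry": "anonymize"},
    "website_logs":        {"days": 90, "trigger": "log timestamp",     "basis": "security",       "on_expiry": "delete"},
}
BACKUP_ROTATION_DAYS = 35  # assumed: how long a purged record can still sit in backups


def add_years(d, years):
    """Advance a date by whole years, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(category, trigger_date):
    """Date on which the retention period for this category expires."""
    rule = RETENTION_SCHEDULE[category]
    if "years" in rule:
        return add_years(trigger_date, rule["years"])
    return trigger_date + timedelta(days=rule["days"])


def evaluate(records, today):
    """Decide per record what the policy requires as of `today`.

    Each record: id, category, trigger_date (None while the trigger has not
    fired, e.g. the account is still open) and an optional legal_hold flag.
    """
    decisions = []
    for rec in records:
        rule = RETENTION_SCHEDULE[rec["category"]]
        deadline = retention_deadline(rec["category"], rec["trigger_date"]) if rec["trigger_date"] else None
        if deadline is None or deadline > today:
            action = "retain"           # trigger not fired, or period still running
        elif rec.get("legal_hold"):
            action = "review"           # exception: manual review, never auto-delete
        else:
            action = rule["on_expiry"]  # delete, or anonymize as the alternative
        decisions.append({
            "id": rec["id"], "action": action, "deadline": deadline,
            # backups: the record persists until the rotation window has passed
            "backup_purge_by": deadline + timedelta(days=BACKUP_ROTATION_DAYS) if deadline else None,
        })
    return decisions
```

Run `evaluate` on a nightly schedule and feed the "delete" and "anonymize" decisions to the automated job, the "review" ones to the manual-review queue.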