By Anisha Mathur
The DPDP Act urges deletion, yet India’s legal system continues to function on digital memory. The real challenge for organisations is recognising what must never be erased.
India’s digital economy rests on an invisible architecture of electronic traces such as payments, reconciliations, approvals, service logs, CCTV footage, GPS trails, settlement records, warranty logs, and complaint histories. These fragments of digital memory increasingly determine how disputes unfold and how rights are enforced.
With the Digital Personal Data Protection Act, 2023, and the newly notified DPDP Rules now shaping organisational behaviour, attention has shifted to storage limitation: the principle that personal data must be deleted once its purpose is fulfilled. At the same time, the very same framework contains an equally important mandate, i.e. data must be retained wherever any other Indian law requires it. Privacy and preservation must now coexist, not compete.
As companies begin revisiting their retention schedules, the pressure points are easy to anticipate.
An electric-mobility manufacturer may decide to shorten the life of telematics records or diagnostic logs to showcase DPDP compliance. On paper, this aligns with the Act’s storage-limitation principle. But if a warranty dispute arises months later, the customer may still possess e-mails or screenshots while the company, acting in good faith, may have deleted the very operational evidence necessary to defend itself. Legitimate deletion can collide with limitation periods, statutory retention requirements, and evidentiary duties that operate independently of privacy law.
A hospitality chain faces a different but predictable tension. In the spirit of minimisation, it may reduce CCTV retention. Yet footage that appears unnecessary today may become the centrepiece of a criminal investigation or civil liability claim long after the ordinary retention cycle. If law-enforcement agencies later request footage that has already been erased pursuant to an internal privacy policy, the organisation may find itself unable to assist despite full compliance with its DPDP-driven processes. The DPDP Rules permit retention where other laws require it, but this nuance is often missed when companies apply uniform deletion.
Fintech platforms experience this tension more acutely. Shortening the retention of reconciliation logs, settlement files, audit trails, or API histories may seem privacy-forward, but financial disputes, chargebacks, tax audits and fraud reviews routinely arise years after a transaction. Corporate, tax and accounting laws, such as the Companies Act’s record-keeping requirements, the Income-tax Rules’ six-year retention period, and GST’s 72-month mandate, all require records to be preserved well beyond operational life cycles. A privacy-driven deletion schedule cannot override these statutory obligations; both frameworks must be read together.
Across these sectors, one theme emerges: evidence is fragile, and deletion, while necessary, becomes risky when undertaken without understanding what must legally survive. The DPDP Act sets the principles; the DPDP Rules make them operational; and both sit within a broader ecosystem of tax, corporate, financial, criminal and regulatory laws. The danger for organisations today is not excessive storage, but indiscriminate erasure undertaken without mapping statutory retention duties, evidentiary needs, contractual requirements and foreseeable dispute scenarios.
India is entering a new chapter in data governance. The organisations that thrive will be those that master the discipline of forgetting responsibly, deleting what privacy demands, while preserving what justice, accountability and statutory compliance still require.
(The author is a Founding Partner at Shepherd Law Associates)
Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.


