Module 8 · Data Retention & Erasure — DPDP §8(7) and §12
Manish Garg, Associate of (ISC)² · RingSafe
Apr 27, 2026 · 3 min read
Last updated: April 29, 2026
100% Free
No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.
Why this module exists. “How long do we keep customer data?” is the question that gets the most wrong answers in Indian SaaS. The right answer is structured: per-data-category retention, with sectoral overrides and an erasure capability for data principals. Implementing this requires both legal mapping and engineering work.
The DPDP retention principle
§8(7)(d): “the personal data is erased upon the consent being withdrawn, or as soon as it is reasonable to assume that the specified purpose is no longer being served.”
Translation: retention is purpose-bound. When the purpose ends or consent is withdrawn, erase, unless an overriding obligation says otherwise.
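The structure described above (per-category retention, overrides, erasure on withdrawal) can be expressed as a small decision function. This is an added example, not code from the module or from RingSafe; the category names, the periods and the rule that inactivity stands in for "purpose no longer served" are all constructed assumptions that your own legal mapping would replace.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed placeholder values, not legal advice and not from the module.
# Days of inactivity after which the purpose is presumed to be over, per category.
PURPOSE_PRESUMED_OVER_AFTER = {
    "marketing_profile": timedelta(days=180),
    "support_tickets": timedelta(days=90),
    "billing_records": timedelta(days=30),
}
# Overriding obligations: minimum hold per category, counted from last activity.
OVERRIDE_MIN_HOLD = {
    "billing_records": timedelta(days=365),
}

@dataclass
class Record:
    category: str
    last_activity_on: date
    consent_withdrawn_on: Optional[date] = None  # None: consent still in place

def erase_due_on(rec: Record) -> date:
    """Earliest date on which this record must be erased."""
    if rec.category not in PURPOSE_PRESUMED_OVER_AFTER:
        # An unmapped category is a gap in the legal mapping; fail loudly.
        raise KeyError(f"no retention rule mapped for category {rec.category!r}")
    # Purpose-bound trigger: inactivity period elapses.
    due = rec.last_activity_on + PURPOSE_PRESUMED_OVER_AFTER[rec.category]
    # Consent withdrawal triggers erasure at once, if it comes first.
    if rec.consent_withdrawn_on is not None:
        due = min(due, rec.consent_withdrawn_on)
    # An overriding obligation can only postpone erasure, never bring it forward.
    hold = OVERRIDE_MIN_HOLD.get(rec.category)
    if hold is not None:
        due = max(due, rec.last_activity_on + hold)
    return due

def decide(rec: Record, today: date) -> str:
    """Return 'erase' or 'retain until YYYY-MM-DD' for a scheduled erasure job."""
    due = erase_due_on(rec)
    return "erase" if today >= due else f"retain until {due.isoformat()}"
```

Note the third case in particular: a withdrawal on a category with an overriding hold does not erase immediately, so the job should record which override blocked the erasure.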