TL; DR:
The DPDP Rules 2025 make DPDPA compliance fully enforceable with fixed timelines, pushing enterprises to prove how they store, retain, delete, and govern personal data across its entire lifecycle. Historical personal data has now become the highest-risk asset because legacy systems cannot meet requirements for auditability, deletion workflows, retention logic, and access rights.
To stay compliant, organizations need a unified, governed architecture that handles discovery, ingestion, storage, retention, and deletion in one system. The platform should create an operationally compliant personal data lifecycle that stands up to DPDPA scrutiny.
On 14 November 2025, the Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational framework of the DPDP Act. With this, DPDPA moves out of the ‘policy stage’ and straight into enforcement. The timelines are now fixed, and the expectations are clear.
The notification closes a long consultation cycle involving 6,915 stakeholder inputs across startups, enterprises, industry bodies, and civil society. DPDPA Compliance now has a clock attached to it:
The Rules introduce an eighteen-month phased compliance period.
Phase 1 — Consent Manager regime: November 2025
This is when enterprises must integrate with government-approved Consent Managers to allow individuals to give, review, and withdraw consent through a standardised interface.
Phase 2 — Progressive implementation of storage, retention, rights, and safeguard requirements throughout the eighteen-month (May 2027) window
Enterprises are expected to align their data storage, retention, deletion, rights fulfilment, breach reporting, and governance practices during this period.
Phase 3 — Completion of the phased compliance window, eighteen months after notification
By the end of this window, all operational obligations under the Act and Rules are expected to be fully implemented.
The Rules of DPDPA compliance expect enterprises to operationalize privacy, not just declare it. This is why this blog focuses on the part of compliance no one prepared for: how to store, retain, govern, and eventually delete historical personal data in a way that stands up to DPDPA scrutiny.
Does DPDPA Compliance Apply to Your Enterprise?
| Scenario | DPDPA Applies? | Why |
|---|---|---|
| 🏢 Global enterprises with operations in India | ✅ Yes | You process the personal data of individuals located in India (employees, customers, vendors). |
| 🌍 Global enterprises with no Indian office but processing Indian data | ✅ Yes | DPDPA is data-principal centric; Indian personal data stays in scope even when processed abroad. |
| 🔄 Cross-border storage & processing | ✅ Yes (Allowed) | Transfers are permitted except for government-restricted countries. No mandatory localization (except by sectoral laws that may apply). |
| 🌐 Data of individuals outside India | ❌ No | The Act protects individuals located in India or those submitting to Indian jurisdiction. |
| 🏠 Personal/domestic use | ❌ No | Non-commercial, household processing falls outside the Act. |
| 🔒 Fully anonymized data | ❌ No | Irreversible anonymization removes it from the DPDPA scope. |
Why Historical Personal Data is Now the Highest-Risk Asset Under DPDPA Compliance
Every organization carries years or sometimes decades of personal data scattered across legacy systems that were never designed for privacy compliance. HRMS snapshots, payroll exports, CRM backups, SAP and Oracle dumps, SharePoint sites, email archives, file servers, PDFs, scanned documents, and old application folders all quietly hold personal data. None of these environments was built with purpose limitation, storage limitation, or auditability in mind.
Further Read: Application Decommissioning & Application Retirement: Guide for 2026
DPDPA compliance mandates minimization, lawful retention, accuracy, secure storage, and deletion once the purpose is fulfilled. Most legacy HR, CRM, ERP, and customer platforms don’t maintain a provable consent trail. Under DPDPA, that becomes a direct compliance liability because:
- Fiduciaries must obtain consent in the legally valid format (informed, specific, unambiguous, accompanied by a compliant notice).
- They must store a record of the consent, including what notice was shown, when it was accepted, and for what purpose.
- They must also store every change to consent — withdrawals, modifications, renewed consents, refusals, and version updates.
In practice, this means a fiduciary must maintain a full, time-stamped consent history, not just the final consent state.
Legacy systems don’t support any of this. They lack basic governance controls such as:
- Versioned consent storage
- Audit logs of how consent changed over time
- Linkage between consent events and data purpose
- Proof of which notice was displayed
- Retention clocks
- Provable audit trails
- Metadata lineage
- WORM or immutable storage
- Deletion workflows
- Access logs
- Separation of personal vs non-personal data
- Fast search for access and correction rights
This is why historical personal data becomes the highest-risk asset.
DPDPA compliance forces enterprises to confront the question they’ve avoided for years: “Do we actually know what historical personal data we have, where it lives, and whether we can delete it when required?”
For most CIOs and CTOs, the honest answer is still no. And with enforcement deadlines approaching, the law no longer tolerates that ambiguity.
See how Archon brings order to decades of legacy personal data for DPDPA compliance.
What DPDPA Compliance Actually Requires for Storage, Retention, and Governance
Below is a breakdown of the obligations that directly shape how enterprises must govern both active and historical personal data.
1. Secure, Tamper-Evident Storage
Source: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023)
| DPDPA Requirement | What it Means Operationally | Compliance Risk if Missing |
|---|---|---|
| Secure, tamper-evident storage | Data must be stored in systems where modifications are detectable and traceable. | Inability to prove integrity; exposure during audits or breach investigations. |
| Encryption at rest and in transit | All personal data must be encrypted consistently across systems and backups. | ₹250 crore penalty for inadequate safeguards; high breach exposure. |
| Masking/tokenisation | Sensitive data must be protected using irreversible or controlled transformations. | Violations for overexposure; increased breach impact. |
| Access controls + access logs | Least-privilege access, monitored activity, logs retained for 1 year. | Lack of visibility; failure to meet breach reporting obligations. |
| Ability to retrieve accurate data quickly | Systems must deliver correct records for access/correction/erasure requests. | Inability to fulfil rights; up to ₹50 crore penalties. |
2. Lawful Retention and Deletion
Source: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023)
| DPDPA Requirement | What it Means Operationally | Compliance Risk if Missing |
|---|---|---|
| Store only as long as necessary (purpose limitation) | Retention schedules mapped to each dataset; automated expiry. | Illegal over-retention; liability during audits. |
| Delete when the purpose ends | Purpose tracking, linked retention clocks, and deletion triggers across systems. | Violations of Section 8; inability to justify storage. |
| Delete when consent is withdrawn | Immediate cessation of processing; deletion cascaded to processors. | Failure to honour rights; penalties up to ₹50 crore. |
| Retention logic must be demonstrable | Documented retention policy + logs showing adherence. | Cannot prove compliance; regulator scrutiny. |
| Minimum 1-year log retention | Maintain system logs, access logs, and activity history. | Weak breach investigations; failure to meet the expectations of the Data Protection Board of India (DPB). |
| 3-year cap for dormant users (large digital platforms) | Automatic deletion for inactive accounts after the allowed period. | Specific platform-level enforcement penalties. |
3. Governance & Auditability
Source: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023)
| DPDPA Requirement | What it Means Operationally | Compliance Risk if Missing |
|---|---|---|
| Accurate, complete, up-to-date data | Correction workflows + metadata governance across systems. | Liability for decisions made using outdated data. |
| 90-day SLA for rights responses | Searchable archives; fast retrieval; unified view of personal data. | Failure to meet statutory timelines → fines and escalations. |
| Breach notification (immediate + 72-hour report) | Ability to identify impacted data, affected individuals, and exposure scope. | ₹200 crore penalty for breach notification failures. |
| Mapping processors and third parties | Updated records of all vendors handling personal data. | Accountability failures → Section 8 violations. |
| Provable compliance | Evidence logs, lineage, access history, and deletion proof. | High regulator risk; DPB can assume non-compliance. |
| Significant Data Fiduciary Obligations | DPIAs, independent audits, detailed logging, and DPO appointment. | ₹150 crore penalties for SDF non-compliance. |
Read more: DPDPA vs GDPR: Key Differences in Data Retention, Deletion, and Access Governance
What Happens if you Don’t Comply: The Penalties and Enterprise Exposure
Here’s the operational reality:
| Type of Non-Compliance | Penalty (Up to) | Why Enterprises Get Caught Here |
|---|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore | Legacy systems lack encryption, access logs, immutable storage, and breach monitoring. |
| Failure to notify the Data Protection Board & affected individuals of a breach | ₹200 crore | Scattered historical data = no ability to detect breaches or identify affected records. |
| Violations related to children’s data | ₹200 crore | Unstructured repositories rarely separate minor data from adult data. |
| Non-compliance by Significant Data Fiduciaries (SDFs) | ₹150 crore | Missing DPIAs, audits, detailed logs, and retention documentation. |
| General violations of the Act (including retention & deletion failures) | ₹50 crore | Over-retention, no deletion workflows, inaccurate or inconsistent data, no provability. |
Source: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023)
What a DPDPA-Compliant Archival Architecture Must Include
DPDPA makes storage, retention, and deletion enforceable obligations. Legacy systems weren’t built for governed retention or auditability, which means enterprises need an architecture that can classify, store, retrieve, and delete personal data with proof.
1. Discovery, Classification & Lineage Mapping
A compliant archive must give enterprises clear visibility into their personal data. Without this foundation, lawful retention and deletion are impossible.
- Identify personal data across structured and unstructured sources
- Classify by purpose, category, sensitivity, and retention basis
- Map lineage across systems, exports, and backups
- Detect redundant or excessive datasets
- Separate personal from non-personal data
2. Governed Ingestion with Context & Purpose Metadata
Historical data cannot be lifted and shifted blindly. Ingestion must:
- Pull data from ERPs, HRMS, CRMs, file servers, and legacy stores
- Preserve metadata, timestamps, and provenance
- Maintain business purpose and lawful basis context
- Apply retention rules at ingestion
- Enforce personal vs non-personal separation
3. Immutable, Secure, Tamper-Evident Storage
DPDPA demands integrity and demonstrable safeguards. Archival storage must provide:
- Immutable, tamper-evident (WORM-like) behavior
- Encryption at rest and in transit
- Dataset-level isolation
- Role-based access controls
- Access logs (minimum one year)
- Monitoring for unusual access
4. High-Speed Search, Retrieval & Rights Fulfilment
Strict timelines for access, correction, and erasure require an archive that can:
- Search personal data across formats and sources
- Retrieve records accurately and quickly
- Support correction of inaccurate or outdated data
- Identify all data that must be deleted
- Produce evidence of completion
5. Sector-Specific Localization & Storage Residency Considerations
While DPDPA does not mandate data localization, several sectoral regulations do. A compliant archival architecture must therefore account for:
- RBI – Strict residency and localization rules for payments data, card transactions, and certain categories of financial records.
- IRDAI – Insurance data (including policyholder records) may need to be stored and processed within India.
- SEBI – Market intermediaries must maintain books, records, and transaction logs in formats and locations prescribed by SEBI; certain data must remain within India for audit and supervisory access.
- TRAI – Telecom operators must store subscriber data, call logs, and related personal information within India, with strict restrictions on offshore storage or access.
- Health-sector regulations – Many healthcare frameworks require mirrored storage or primary residency within India for sensitive health data.
- Government/critical-sector rules – Several ministries mandate that specific categories of citizen or critical-infrastructure data remain within Indian jurisdiction.
- Future notifications – DPDPA empowers the government to designate restricted countries, which may impose new cross-border constraints later.
Enterprises must align DPDPA compliance checklist with sector-specific residency laws to avoid conflicting obligations.
This is the operational foundation required for the 2025–2027 DPDPA compliance window.
DPDPA Turns Storage and Retention into a Compliance Function
Now that DPDP Rules are notified, and the compliance window is already shrinking, enterprises finally have clarity on what the law expects and no room to hide behind ambiguity.
A DPDPA-aligned, modern archive governs the data with retention rules, audit trails, immutable storage, fast search, secure deletion, and evidence you can show during an investigation or audit. That’s the foundation enterprises need for the 2025–2027 compliance cycle.
Frequently Asked Questions
A DPDPA compliance checklist really comes down to seven things:
- Knowing what personal data you have
- Managing consent
- Assigning purpose and retention rules
- Enforcing security safeguards
- Enabling access, correction, and deletion rights
- Proving that you delete data when you should
- Keeping processors governed with proper contracts and audits
