Data Retention Policy Template (IT Act Compliant)
workro desk team · 6 min read · 18 June 2025
Why Data Retention Matters
Keeping data forever is not safer — it is riskier. The DPDP Act 2023 requires you to define retention periods and delete data when it is no longer needed. The IT Act requires certain records to be kept for 8 years. A data retention policy balances these competing requirements.
Retention Periods by Data Type
| Data Type | Minimum Retention | Maximum Retention | Legal Basis |
|---|---|---|---|
| Financial records | 8 years | 8 years | IT Act 2000, Companies Act |
| Employee records | 8 years post-exit | 10 years | Labour laws, PF/ESI |
| Audit logs | 3 years | 5 years | ISO 27001, IT Act |
| Customer data | As per contract | 3 years post-contract | DPDP Act |
| Email communications | 1 year | 3 years | Business need |
| Ticket records | 1 year | 3 years | Service quality |
Download the Template
Download the Data Retention Policy Template
FAQ
What happens if I keep data longer than the retention period?
Under the DPDP Act, keeping data longer than necessary without justification is a violation. You could face penalties up to ₹250 crore for repeated violations.