The rollout of the Digital Personal Data Protection Act, 2023 (DPDP Act) is expected to require businesses, particularly financial institutions, to review how they manage and retain customer data alongside existing regulatory obligations.
Draft Rules were issued in November 2025 and are expected to be enforced by May 2027, giving organisations a transition window to operationalise compliance frameworks.
Where does the issue arise?
Under the DPDP Act, organisations are required to delete personal data once it is no longer necessary for the purpose for which it was collected, unless retention is required under law.
At the same time, sector-specific regulations mandate defined retention periods.
For example, entities regulated by the Reserve Bank of India (RBI) must retain Know Your Customer (KYC) records for at least five years after the end of a customer relationship. Depending on the category of regulated entity, transaction records may need to be preserved for between five and ten years.