The Data Conundrum: The Challenges & Benefits of DPDP Act’s Deletion Clause - Part 2

The draft rules under the Digital Personal Data Protection (DPDP) Act stipulate that platforms like social media, e-commerce, and online gaming erase user data after three years of inactivity. In the first part of this two-part series, Adgully dwelled at length on the implications of such a clause.

In the second part of this report, Adgully analyses the potential risks and benefits of this mandatory data erasure policy for users and businesses. It also asks how platforms can ensure user data is erased securely and completely, while minimizing disruptions to user experience and legitimate business operations.

Also read:

The Data Dilemma: Navigating the three-year rule under the DPDP Act – Part 1

Benefits

Sajal Gupta, Chief Executive, Kiaos Marketing, feels that the draft policy is a positive step in the right direction. However, he adds, further elaboration on specific use cases is required to eliminate ambiguity.

“It will be crucial for the government to implement clear mechanisms for ensuring compliance with the outlined guidelines. Finally, there is a need for the policy document itself to avoid overly complex, bureaucratic language. Just as businesses are expected to present data usage policies in a clear and comprehensible manner, the government should aim to make its guidelines equally accessible and straightforward,” he adds.

“Additionally, the policy emphasizes the responsibility of businesses to secure stored data and conduct audits. This necessitates investment in secure infrastructure and robust processes for data protection. The proposed guidelines also outline clear reporting procedures to both users and regulatory authorities in case of data breaches, with the potential for significant financial penalties. Therefore, a robust security framework, coupled with periodic compliance audits, becomes essential,” Gupta says.

Sammy Mamdani, Executive Vice President – Global Operations, Route Mobile, asserts that there are a few clear benefits to deleting data after it is no longer needed. First, he explains, it helps protect user privacy by reducing the chances of unauthorized access or data leaks.

“Minimizing data retention offers several benefits, but it also comes with challenges. By retaining less data, companies reduce the amount of ‘at-risk’ information in the event of a breach, which can lower both legal and financial exposure. It also aligns well with data protection laws like the GDPR and helps cut down on storage costs. However, there are drawbacks to consider. For instance, if businesses rely on historical data for personalization, analytics, or fraud detection, deleting older records might impair their ability to serve users effectively. Additionally, conflicting regulations can pose challenges—some laws may require companies to retain certain records for extended periods, particularly in industries like finance or healthcare. Finally, securely erasing data across the myriad systems and backups a company uses can be a complex and resource-intensive task,” Mamdani explains.

He suggests that to manage the data deletion process effectively, companies should begin by mapping out where all their data resides, including backups. Using automated tools to erase data from every location ensures thoroughness and reduces manual effort. Conducting regular audits is also crucial to confirm that the data has been completely removed. This method not only helps maintain a seamless user experience but also ensures compliance with regulations and enhances data security.

“The government’s focus on privacy is commendable, but mandatory data erasure can create both operational and strategic risks,” says Vivek Bhargava, Co-founder, consumr.ai (ProfitWheel).

According to Bhargava, deleting data is often more complicated (and costly) than simply retaining it, especially with legacy backup systems that are designed for bulk restoration rather than selective deletions. This complexity raises questions about the completeness of any data erasure effort—if backups aren’t properly purged, organisations remain exposed to privacy breaches and regulatory penalties.

“Additionally, losing historical data can be detrimental for marketing, analytics, and customer engagement. High-value or long-lifecycle customers (e.g., those who purchase infrequently but spend significantly) could have their historical insights wiped out, undermining effective personalisation and loyalty programmes. On the other hand, such a policy can benefit users by reinforcing stronger privacy protections, reducing the volume of stale personal information and thereby minimizing the impact of potential data breaches. It can also compel companies to streamline their data management practices and invest in more modern, privacy-centric infrastructure,” he adds.

Bhargava further says that rather than outright deletion, businesses and regulators could explore anonymization or tokenization of old customer records – preserving aggregate insights for analytics while removing personal identifiers. This approach can safeguard privacy without destroying valuable data signals.

According to Rajiv Dhingra, Founder & CEO, ReBid, the potential risks and benefits of the mandatory data erasure policy are as follows:

Benefits:

  • Enhanced User Privacy: Reduces the risk of misuse or breaches of inactive user data.
  • Trust Building: Demonstrates a commitment to privacy, fostering greater user confidence in platforms.
  • Data Minimization: Encourages businesses to focus on active, consented data rather than accumulating unnecessary information.

Risks:

  • Disruptions to Business Operations: Historical data is often critical for re-engagement campaigns, fraud detection, and personalization. Losing it may affect user experience.
  • Compliance Challenges: Ensuring complete and secure deletion across complex systems can lead to operational bottlenecks and potential non-compliance risks.

To minimize disruptions, platforms should:

  • Implement secure data deletion protocols to ensure complete erasure without affecting active systems.
  • Maintain clear exceptions for specific scenarios like legal compliance, fraud investigations, or customer support.
  • Use advanced analytics to extract value from data within its active lifecycle.

Key considerations and recommendations for policymakers:

  • Balancing Privacy with Business Needs: Policymakers should refine the provision to allow flexibility for industries with unique data retention needs, such as finance or healthcare, where longer retention may be essential.
  • Defining Inactivity: The term “inactivity” should be clearly defined to avoid ambiguity. For instance, should inactivity include users who browse but don’t transact or engage?
  • Exceptions Framework: Develop an exceptions framework that outlines permissible scenarios for retaining data beyond three years, ensuring it is well-regulated and justified.
  • Incentivizing Compliance: Provide businesses with guidelines and resources to implement compliance measures effectively, such as adopting secure deletion technologies or conducting regular audits.

According to Dhingra, the government should also prioritize engaging with industry stakeholders to ensure the rules reflect real-world operational challenges while maintaining user-centricity. Striking the right balance will help achieve the dual goal of protecting user privacy and supporting a thriving digital economy.

Ayush Nambiar, Chief Strategist & Director, Flags Communications, believes that the data erasure policy offers substantial benefits for users by enhancing privacy and reducing the risk of data breaches. For businesses, he adds, it can help foster trust, demonstrating a commitment to ethical data management. However, the risks are equally significant. Losing inactive user data may disrupt services such as account recovery, long-term customer insights, and continuity for users who wish to re-engage after a period of inactivity.

“To ensure secure and complete data erasure, platforms must adopt robust data deletion protocols that are verifiable and auditable. Employing advanced encryption and secure deletion methods can minimize the risk of residual data being exploited. Simultaneously, businesses can create systems to inform users proactively about inactivity thresholds and provide mechanisms for reactivating their accounts. Balancing privacy with operational integrity will be key to avoiding unintended disruptions to the user experience and legitimate business functions,” Nambiar adds.

Nambiar suggests that policymakers should consider industry-specific nuances and provide tailored guidelines for data retention, addressing exceptions like financial transactions, legal compliance, and account recovery. A phased implementation with technology and compliance support for SMEs can ease the transition. Standardized data management frameworks, regular audits, and certifications can enhance security and trust. Additionally, integrating user consent provisions for extended data retention can balance privacy and flexibility. By aligning strict data privacy regulations with practical business needs, policymakers can foster a digital ecosystem that respects user privacy and supports economic growth, he says.

Vishal Rupani, Co-founder, Sprect.com, points out that the DPDP Act ensures that companies can’t collect or use your personal data without your consent, giving you more control over your information.

“If your data is mishandled or exposed in a breach, the Act holds businesses accountable. You also have the right to know what data companies have about you and even request its deletion. In short, the DPDP Act helps keep your personal details safe and gives you the power to decide how they're used,” says Rupani.

He highlights a significant challenge for businesses in India: the shortage of skilled professionals in privacy and data protection. He points out that a LinkedIn search for “Chief Privacy Officer” in India yields fewer than 25 relevant results, emphasizing the limited talent pool available to manage data compliance and secure erasure practices. This talent gap, he warns, could hinder businesses from meeting regulatory requirements, increasing the risk of non-compliance and data management errors.

Challenges ahead

The data erasure provision is a crucial element of modern data protection frameworks, aiming to empower individuals by granting them greater control over their personal information. However, its implementation poses significant challenges for governments, policymakers, and businesses alike. Striking a balance between safeguarding user privacy and maintaining the operational needs of businesses is essential to foster trust, innovation, and economic growth in the digital landscape.

Sammy Mamdani is of the opinion that policymakers should begin by clearly spelling out which types of data must be kept for legal or regulatory reasons and how long they should be retained. After that, he says, it’s important to give businesses some room to adapt the rules to their specific sectors. For example, a bank might need to keep certain records longer than a social media site does. Another helpful option is to allow companies to anonymize data instead of deleting it entirely. That way, he adds, businesses can still analyse trends or improve services without compromising individuals’ personal information.

“Aligning India’s rules with global standards – like the GDPR – can also make it easier for companies that work across borders. And finally, policymakers should continue engaging with industry experts, consumer groups, and privacy advocates. This collaboration will help ensure the rules strike the right balance: safeguarding people’s personal data while still giving digital services room to innovate and flourish,” says Mamdani.

Vivek Bhargava points out that unlike the DPDP Act’s proposed three-year blanket rule, regulations such as GDPR and CCPA generally require businesses to have defensible retention policies and to honour user-driven data deletion requests without setting a universal timeline.

Building on this precedent, policymakers could consider a more flexible, user-centric approach: notify individuals who have been inactive for three years and offer them the choice to delete or maintain their data. According to him, this respects consumer autonomy while preventing unnecessary data loss for businesses that serve long-lifecycle customers.

“Policymakers should also set clear guidelines around secure storage and limited sharing of personal data, emphasizing robust encryption, access controls, and frequent audits. By incentivizing or mandating the use of best-in-class privacy and cyber security practices, governments can ensure data is protected even if it’s retained beyond three years for legitimate reasons,” says Bhargava.

To balance user privacy with business needs, Bhargava adds, policymakers could adopt a tiered data retention framework. For instance, strictly personal data (for example, contact details) might be erased after three years of inactivity, while certain transactional or compliance-related records could be retained longer under transparent, well-defined exceptions.

“From a digital marketing standpoint, data is a powerful asset for personalization, analytics, and customer engagement. However, the regulatory push toward stronger privacy protections – including mandated data erasure – forces businesses to modernize their data-handling practices. Rather than viewing this solely as a compliance burden, organisations can use it as an opportunity to refine data governance, enhance consumer trust, and innovate in privacy-first personalization strategies,” Bhargava concludes.

Thinking of a three-year data erasure rule might sound easy, but it’s like assuming everyone loves pineapple on pizza, quips Vishal Rupani, who calls for sector-specific data rules.

“It doesn’t fit all tastes. Different sectors have different needs. Financial platforms often require data longer than social media does. Instead of a universal rule, sector-specific guidelines would be more effective. A phased rollout with pilot programmes can help identify issues early. The government also needs to align these rules with existing laws, like those for financial audits or law enforcement requests, so businesses aren't caught in compliance crossfire. And to make it all smoother, offering exemptions for things like anonymized data would help businesses continue their operations without unnecessary hurdles,” Rupani concludes.
