In the era of always-on digital footprints, how long should your data live online? Once you give your personal information to a company — be it your name, ID number, or intimate details about your habits — do you lose control forever?
India’s Digital Personal Data Protection Act (DPDPA) 2025 says: No, you don’t.
One of its most citizen-centric provisions is the “Right to be Forgotten” (RTBF) — a legal right that empowers individuals to demand that their personal data be erased when it’s no longer needed, or when consent is withdrawn.
But for organizations, this right triggers big changes. It forces businesses, from e-commerce giants and banks to local schools and hospitals, to rethink how they store, manage, and delete user data. It reshapes how long data stays on servers, backups, and archives, and what “deletion” truly means in a world where data is copied everywhere.
As a cybersecurity and privacy expert, I’ll unpack what the Right to be Forgotten means under DPDPA 2025, how it impacts retention and deletion policies, and how citizens can actually use this right in everyday life.
What is the Right to be Forgotten?
The Right to be Forgotten under DPDPA allows any Data Principal (that’s you, the individual) to request that a Data Fiduciary (the company or organization) erase your personal data when:
✅ The data is no longer needed for the original purpose.
✅ You withdraw consent.
✅ The retention period agreed upon has expired.
✅ Keeping the data is no longer necessary under any law.
Example:
If you close an account with a food delivery app, and there’s no legal reason to keep your address or order history, you can ask them to delete it — and they must comply.
Inspired by Global Best Practice
India’s RTBF echoes similar provisions in the European Union’s GDPR. The aim is simple: individuals should not be haunted forever by stale, outdated, or irrelevant data.
It balances:
- Privacy and dignity.
- The right to freedom of expression and information.
- Other legal requirements, like keeping records for tax or fraud prevention.
The Big Impact on Retention Policies
Before DPDPA, many companies treated user data like a digital goldmine — store everything forever, “just in case” it might be useful for marketing, analytics, or future products.
Now, that mindset must change:
- Organizations must define clear retention periods for each type of personal data.
- When data is no longer needed, it must be securely deleted.
- Consent withdrawal must automatically trigger deletion (unless other laws say it must be kept).
Example: A Bank’s Policy Shift
A bank once kept transaction logs indefinitely for marketing insights. Under DPDPA:
- They must justify why they need each type of data.
- After a legally required period (like for audits or anti-fraud rules), the data must be purged.
- If you withdraw consent for promotional offers, your info must be removed from marketing lists and related systems.
Technical Challenges: Is Deletion Ever Perfect?
Deleting data isn’t as simple as hitting “delete.” Organizations must tackle:
- Backups: Data often exists in multiple backup copies, and all copies must be erased.
- Archives: Historical logs or data lakes can store old user info for years.
- Third parties: If data has been shared with vendors, partners, or processors, those parties must delete it too.
Failure to fully erase data could expose a company to fines up to ₹250 crore under DPDPA.
How Companies are Responding
Forward-thinking companies are redesigning their data lifecycle:
✅ Implementing “privacy by design” — only collecting what’s needed, for as long as needed.
✅ Mapping where data lives: main servers, backups, partner systems.
✅ Automating data deletion workflows.
✅ Adding user dashboards so people can easily submit deletion requests.
✅ Updating contracts with vendors — if they store your data, they must comply too.
Public Example: Using Your RTBF Rights
Imagine you joined a gym and shared your contact details and health info. You later switch gyms and no longer want them to store your records.
Under DPDPA, you can:
- Submit a written request to delete your data.
- The gym must respond within a reasonable time.
- If they refuse, they must show clear legal reasons (like keeping payment records for taxes).
If they don’t comply, you can escalate it to the Data Protection Board of India.
What About Social Media?
The Right to be Forgotten is especially relevant for social media. If you delete an old post or your entire account, the platform must:
- Remove your personal data.
- Ensure it’s wiped from backups where feasible.
- Prevent search engines or partners from continuing to index it.
However, there are reasonable limits: if a post is part of public record or journalism, platforms may balance privacy with freedom of information.
How It Empowers People
Before DPDPA, people had no clear way to demand deletion. Companies might claim, “We don’t do that.” Now, it’s not optional — it’s your legal right.
This means:
✅ Less risk of old, irrelevant data being misused for scams.
✅ More control over your online reputation.
✅ Stronger privacy for sensitive info — like health, biometrics, or ID scans.
Why This Matters in India
India’s data ecosystem is huge: digital payments, e-commerce, EdTech, health apps, and gig work platforms collect endless personal details. Without clear deletion rules, people’s data can live on servers for decades, often in ways they never agreed to.
The RTBF provision recognizes that our right to privacy doesn’t expire — and that stale data can be a security risk or a reputational threat.
What Businesses Must Balance
Businesses must balance RTBF with:
- Record-keeping laws: Some data must stay for audit, taxation, or anti-fraud needs.
- Freedom of speech: For media houses, taking down factual articles may not always be justified.
- Technical feasibility: Some deletion may be partial (anonymizing instead of fully erasing).
But the principle remains: if you keep data, you must have a lawful reason — not just convenience.
Example of Good Practice
A top EdTech company lets students delete old profiles or test results once they graduate. They provide a self-service portal to request deletion, with clear timelines.
Behind the scenes, they:
- Flag the user’s data.
- Erase it from live systems and backups.
- Notify any partners or vendors who received the data.
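The flag, erase, and notify steps above, combined with the per-category retention periods and legal exceptions described under retention policies, can be sketched as a small planner. This is an added example, not code from the article or any company it mentions; the category names, system names, and day counts are constructed placeholders, not periods prescribed by DPDPA.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Record:
    user_id: str
    category: str            # type of personal data, e.g. "marketing"
    collected: date
    locations: tuple         # every system holding a copy, taken from the data map
    shared_with: tuple = ()  # vendors/processors that received the data

# Constructed policy: category -> (retention days, legal-hold days).
# Placeholder numbers for illustration only.
POLICY = {
    "marketing": (365, 0),
    "health": (180, 0),
    "payments": (365, 2555),  # hypothetical statutory record-keeping period
}

def plan_erasure(records, user_id, today, consent_withdrawn=False):
    """Return (tasks, retained): erase/notify tasks, and records kept with the reason."""
    tasks, retained = [], []
    for r in records:
        if r.user_id != user_id:
            continue
        if r.category not in POLICY:  # no defined retention period: surface it
            retained.append((r.category, "no policy defined, needs review"))
            continue
        retention, hold = POLICY[r.category]
        age = (today - r.collected).days
        if age < hold:  # a legal obligation overrides the erasure request
            until = r.collected + timedelta(days=hold)
            retained.append((r.category, f"legal hold until {until}"))
        elif consent_withdrawn or age >= retention:
            tasks += [("erase", loc, r.category) for loc in r.locations]
            tasks += [("notify", v, r.category) for v in r.shared_with]
        else:
            retained.append((r.category, "within retention period"))
    return tasks, retained

# Constructed sample data map for one user.
TODAY = date(2025, 6, 1)
RECORDS = [
    Record("u1", "marketing", date(2025, 3, 1), ("crm_db", "backup_weekly"), ("email_vendor",)),
    Record("u1", "payments", date(2024, 1, 10), ("ledger_db", "backup_weekly")),
    Record("u1", "health", date(2024, 6, 1), ("app_db",)),
    Record("u2", "marketing", date(2020, 1, 1), ("crm_db",)),
]

if __name__ == "__main__":
    for task in plan_erasure(RECORDS, "u1", TODAY, consent_withdrawn=True)[0]:
        print(task)
```

Calling it with `consent_withdrawn=False` models a scheduled retention sweep; the `retained` list doubles as the written justification a fiduciary would give when it declines to erase something.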
How the Public Should Use It
To protect yourself:
✅ Check privacy dashboards: Many apps now have “Delete My Data” or “Deactivate Account” buttons.
✅ Don’t overshare: Only give apps the info they really need.
✅ Follow up: If you withdraw consent, ask for written confirmation that data has been erased.
✅ Report non-compliance: The DPDPA gives you the right to file a complaint if an organization ignores valid requests.
Conclusion
India’s Right to be Forgotten under DPDPA 2025 is more than a legal clause — it’s a powerful shift that gives people genuine control over their digital lives. For businesses, it demands new data retention and deletion policies that respect consent and purpose. For individuals, it’s a reminder that your data is yours — not a permanent asset for companies to hold forever.
As India’s digital economy grows, respecting the RTBF will build public trust, reduce security risks, and create a culture where personal data is handled with the dignity and care it deserves.