
The DPDP Rules 2025: Data Deletion Clarity or Confusion?

By Confidis · Published on November 28, 2025

After nearly 10 months of consultation, India’s Digital Personal Data Protection Rules 2025 were notified on November 13, 2025. These rules are neither rushed nor delayed—they strike a balanced approach, providing organizations with an 18-month compliance window for critical requirements. The thoughtful drafting reflects the government’s commitment to building a robust privacy framework that protects citizens while enabling business growth.

The Third Schedule: A Necessary but Narrow Lens

One of the most discussed provisions is the Third Schedule, which mandates automatic data deletion timelines—specifically, a 3-year retention cap for large e-commerce platforms (2 crore+ users), online gaming platforms (50 lakh+ users), and social media companies (2 crore+ users). This is a much-needed safeguard against indefinite data hoarding by Big Tech, and the clarity in these rules is commendable.

But here’s where it gets interesting: Banks, hospitals, financial institutions, insurance companies, and healthcare providers are NOT mentioned in the Third Schedule.

Does this mean they’re exempt from data deletion obligations?

The Answer: Absolutely Not

The absence of banks, healthcare providers, and financial institutions from the Third Schedule doesn’t grant them unlimited data retention rights. Instead, these sectors fall under a stricter, purpose-based deletion framework outlined in Rule 8:

✅ Universal Deletion Obligation: ALL Data Fiduciaries—including banks, NBFCs, diagnostic labs, insurance brokers, and clinics—must erase personal data once the specified purpose is no longer being served, unless retention is mandated by law.

✅ One-Year Minimum Log Retention: Every organization must retain processing logs and traffic data for at least one year to support breach detection, investigation, and remediation efforts.

✅ Sector-Specific Law Override: Where existing regulations (RBI guidelines for banks, IRDAI rules for insurance, Clinical Establishment Acts for healthcare) mandate longer retention periods, those laws prevail—but organizations must document the legal basis for every retention decision.

The table below lists the retention timelines that the respective regulators set for each financial sub-sector:

| Financial Sector Entity | Applicable Retention Laws | Retention Period | Data Category |
|---|---|---|---|
| Banks | Banking Regulation Act, 1949; RBI Guidelines; KYC/AML norms | 5-10 years typically | Customer records, transaction logs, KYC documents |
| Insurance Companies | Insurance Act, 1938; IRDAI regulations | 7+ years | Policy records, claim documents, medical reports |
| Mutual Funds | SEBI Regulations; Income Tax Act | 5-7 years | Transaction records, client information |
| NBFCs | RBI NBFC Regulations; Income Tax Act | 5-8 years | Loan documents, customer KYC, transaction records |

The healthcare and wellness sector is governed by the following regulations:

  1. Medical Records Act/Rules (varies by state) – typically 3-5 years retention for active patients
  2. Clinical Establishment Act – clinical records must be maintained during patient treatment and for a specified period after
  3. Hospital accreditation standards (NABH, JCI) – require patient records retention aligned with clinical protocols
  4. Insurance/reimbursement audits – require longer retention for claim verification

Like financial institutions, healthcare providers must delete data upon purpose completion, except where law mandates longer retention.

Why This Matters for SMBs and Regional Players

If you are a small or mid-sized bank, NBFC, insurance agent, healthcare clinic or diagnostic centre, or a vendor or service provider to any of the above, the lack of a safe-harbour timeline like the Third Schedule creates a compliance obligation:

→ You must map DPDP’s purpose-based deletion against your sector-specific retention laws
→ You need documented justification for every data retention decision
→ You face dual audit exposure: privacy regulators AND sector regulators

The takeaway? Not being in the Third Schedule is not a free pass—it’s a call to build stronger data governance.

#DPDPA #DataPrivacy #DigitalIndia #Compliance #DataProtection #CyberSecurity #PrivacyDesign #RegulatoryCompliance

Need help mapping your data retention obligations under DPDP Rules 2025? Let’s connect.
