Multiplier AI

Retention and Deletion Under DPDP: Why Uncontrolled Data Lifecycles Create Risk

Data retention has long been an uncomfortable topic in pharma organisations. Most teams know that data should not be kept forever, yet few can confidently explain when data should be deleted, who decides, or how deletion actually happens across systems.

The Digital Personal Data Protection Act, 2023 removes this ambiguity.

Under DPDP, retaining personal data without a valid purpose is a violation. Deletion is not optional housekeeping. It is a legal obligation that must be enforced operationally and demonstrably.

For pharma companies that handle large volumes of doctor and patient data across CRMs, marketing platforms, analytics systems, and AI models, retention and deletion rules require a fundamental shift in how the data lifecycle is managed.

This article explains DPDP retention and deletion rules in a practical pharma context, identifies common failure points, and outlines how pharma organisations must redesign data lifecycle governance to remain compliant at scale.

What Retention Means Under DPDP


Retention under DPDP refers to how long personal data is kept after it has served its stated purpose.

DPDP requires that personal data be retained only for as long as necessary to fulfil the purpose for which it was collected. Once that purpose is achieved, the data must be deleted or anonymised.

Retention is therefore purpose-driven, not convenience-driven.

This principle applies equally to doctor data, patient data, engagement logs, analytics outputs, and derived datasets.

Why Pharma Historically Retained Data Indefinitely


Pharma organisations evolved in an environment where data deletion was rarely enforced.

Data was retained because it might be useful later. Historical engagement was considered valuable for trend analysis. Legal teams preferred retention over deletion due to litigation concerns.

Over time, this led to data hoarding. Databases grew, systems accumulated redundant records, and deletion processes were either manual or nonexistent.

DPDP challenges this behaviour directly.

Retention Without Purpose Is a DPDP Violation

DPDP expects organisations to define retention periods.

Undefined retention is not acceptable. Pharma companies must specify how long different categories of data are retained and why.

Retention schedules should be purpose-specific. Doctor engagement data may have different retention periods than patient support data.

These schedules must be enforced, not just documented.

Retention Rules for Doctor Data


Doctor data is often retained indefinitely in pharma CRMs.

Contact details, engagement history, preferences, and behavioural scores may remain active long after a doctor stops engaging or withdraws consent.

Under DPDP, this is problematic.

Doctor data should be retained only while there is an active, consented purpose for engagement. If consent is withdrawn or engagement ends, data should be reviewed for deletion or anonymisation.

Inactive data presents unnecessary risk.

Retention Rules for Patient Data


Patient data requires even stricter control.

Patient support programs often retain data long after program completion. Historical records may be kept without clear justification.

Under DPDP, patient data must be deleted once the program purpose is fulfilled, unless there is a lawful reason to retain it.

Medical, legal, or regulatory retention requirements must be clearly documented. Retaining patient data simply because it exists is not acceptable.

Engagement Logs and Analytics Data


Engagement logs are often overlooked in retention discussions.

Email opens, message clicks, page visits, and interaction timestamps accumulate rapidly. Analytics systems may store this data indefinitely.

Under DPDP, engagement logs linked to identifiable individuals are personal data. They must follow retention rules.

Once analytics insights are generated, raw data may need to be anonymised or deleted depending on purpose.

Derived Data and Profiles


Many pharma systems create derived data such as engagement scores, segmentation labels, or predictive indicators.

These derived datasets are often treated as non-personal. Under DPDP, if they can be linked back to an individual, they are personal data.

Derived data must therefore follow retention and deletion rules.

Keeping outdated profiles increases risk and reduces accuracy.

Consent Withdrawal Triggers Deletion Obligations


Consent withdrawal has direct implications for retention.

When a doctor or patient withdraws consent, the organisation must stop processing data for that purpose. In many cases, this also triggers deletion obligations.

Data that has no remaining lawful purpose must be deleted.

Failure to link consent withdrawal to deletion workflows is a common compliance gap.

Legal and Regulatory Retention Exceptions


DPDP allows retention where required by law.

Pharma organisations may need to retain certain data for regulatory, pharmacovigilance, or legal obligations. These exceptions must be specific and documented.

However, legal retention does not justify retaining all data indiscriminately. Only the minimum required data should be retained.

Clear separation between retained and deleted datasets is essential.

Why Deletion Is Operationally Difficult in Pharma


Deletion is hard because pharma data is fragmented.

Doctor data exists in CRMs, email platforms, WhatsApp systems, analytics tools, data warehouses, and vendor systems. Deleting data from one system is insufficient.

DPDP requires deletion across all systems where the data exists.

This complexity often leads to partial deletion, which still violates the law.

Anonymisation as an Alternative to Deletion

In some cases, anonymisation may be acceptable.

If data can be irreversibly anonymised such that individuals cannot be identified, it may fall outside DPDP scope.

However, anonymisation must be robust. Pseudonymisation is not sufficient if re-identification is possible.

Pharma companies must be careful not to treat weak anonymisation as compliance.

Designing Deletion as a System Workflow


Deletion must be designed as a workflow, not an ad hoc task.

Triggers such as consent withdrawal, purpose completion, or retention expiry should initiate deletion processes automatically.

Manual deletion requests do not scale and increase error rates.

Systems must support deletion propagation across integrated platforms.

This is where DPDP-compliant HCP marketing frameworks add value by aligning lifecycle governance with execution systems.

Vendor and Third Party Deletion Obligations


Pharma companies often forget vendor systems during deletion.

Agencies, data processors, and technology vendors may retain copies of data. Under DPDP, the data fiduciary remains responsible.

Vendor contracts must include deletion obligations. Deletion confirmations should be auditable.

Ignoring vendor data creates hidden exposure.

Auditing Retention and Deletion Compliance


Auditors will examine retention practices closely.

They may ask why data from five years ago still exists. They may test deletion requests. They may examine whether deletion propagates across systems.

Being able to demonstrate systematic deletion builds credibility.

Ad hoc explanations do not.

Business Benefits of Proper Retention Management


While deletion feels risky, it often brings benefits.

Smaller datasets are easier to manage and secure. Data quality improves. Analytics become more relevant.

Clear retention rules reduce confusion and operational friction.

Overcoming Organisational Resistance to Deletion


Resistance to deletion is cultural.

Teams fear losing historical insight. Legal teams fear future litigation. Marketing teams fear reduced reach.

Addressing this requires leadership alignment and clear policy.

Deletion does not eliminate insight. It eliminates unnecessary risk.

Retention and Deletion in AI Systems


AI systems present unique challenges.

Models may be trained on historical data that should later be deleted. DPDP requires organisations to consider how deletion affects AI pipelines.

This may require retraining models or designing data separation strategies.

Ignoring AI implications is not acceptable.

Frequently Asked Questions on Retention and Deletion Under DPDP

What does DPDP say about data retention?
Data must be retained only for the duration necessary to fulfil a clearly defined and lawful purpose.

Is indefinite retention allowed under DPDP?
No. Retaining personal data without an ongoing, lawful purpose constitutes a violation under DPDP.

Does consent withdrawal require data deletion?
In most cases, yes. If no alternative lawful basis exists, the data must be deleted upon consent withdrawal.

Does DPDP apply to engagement logs and analytics data?
Yes. When such data can be linked to an individual, it qualifies as personal data under DPDP.

Can pharma companies retain data for legal reasons?
Yes, but strictly limited to specific categories of data that are legally required to be retained.

Is anonymisation acceptable instead of deletion?
Only if anonymisation is irreversible and the data can no longer be linked to any individual.

Who is responsible for deletion across vendors?
The pharma company, acting as the data fiduciary, remains responsible for ensuring deletion across all vendors.

Closing Perspective and CTA


Retention and deletion under DPDP force pharma companies to confront long-standing data hoarding practices.

Keeping data without purpose is no longer safe. Deletion must become an operational capability, not an afterthought.

Pharma organisations that design clear retention schedules and enforce deletion across systems will significantly reduce DPDP risk while improving data hygiene.

If you are evaluating how to implement DPDP-compliant HCP marketing with proper data retention and deletion controls, this page explains how compliant data lifecycle management is being implemented in real pharma environments.