Well, DPDPA mandates that personal data should not be retained longer than necessary for its intended purpose. But how should Data Fiduciaries determine and enforce appropriate data retention periods? What mechanisms - such as automated deletion policies, periodic audits, or anonymization - can help ensure compliance?
For example, if an organization retains customer records for operational use but no longer needs certain details, how should it decide when to delete them? Are there industry best practices or legal guidelines that can help businesses structure their data retention and disposal policies effectively? If you have experience with implementing retention strategies or navigating compliance challenges, please share your insights.