User Data Retention Guidelines

DPDP Act, 2023 | Data Retention Is Not a Storage Policy—It Is a Purpose Policy One common misconception under India’s DPDP regime is that organisations can define retention periods freely. The law is clear: retention flows from purpose, not convenience. Key takeaways practitioners should note: • Erase when purpose ends Personal data must be erased on withdrawal of consent or when the specified purpose is no longer served—whichever occurs earlier (Section 8(7)). • Inactivity triggers deemed purpose expiry For large digital platforms, the law deems purpose to be over after inactivity: – E-commerce (≥2 crore users): 3 years – Social media (≥2 crore users): 3 years – Online gaming (≥50 lakh users): 3 years • 48-hour user notice before deletion Before erasure due to inactivity, users must be informed at least 48 hours in advance—an operational control many systems currently lack. • Security logs are not optional Traffic data and processing logs must be retained for minimum 1 year to support breach detection and investigations. • Consent Managers have extended retention Consent records must be preserved for at least 7 years. • Legal retention overrides DPDP erasure Where another law mandates retention (banking, taxation, AML, employment), DPDP permits continued storage. Bottom line: DPDP forces organisations to engineer retention into system design, not bury it in policy documents. If your data inventory, log architecture, and erasure workflows are not aligned, compliance remains theoretical. This is where privacy governance meets IT controls—and where you should focus.

THIS COULD BE IMPORTANT. A new paper on Transformer models has important implications for how organisations should think about retention, deletion and security in LLM deployments. The paper sets out to prove that internal inference artefacts can encode a prompt so fully that the prompt can be reconstructed from them, which could shift the analysis of what it means to “retain” user-provided material under copyright and data protection law. The critical point argued is that reconstruction requires access to internal model states during inference, specifically the hidden activations or key-value caches at intermediate layers. This is not something an end user can do from ordinary model outputs, since many different prompts can lead to similar responses. The paper is about what happens inside the model’s computational pipeline, not about what comes out at the end. If the paper is correct, the practical enterprise risk depends entirely on who can access these internal artefacts and whether they are retained. In most consumer and enterprise API use cases, end users do not have this access. However, model providers do, operators of self-hosted open-weight models do, and attackers or contractors may gain access through telemetry, debugging tools or infrastructure compromise. The risk increases substantially if inference artefacts are preserved in ways that can later be retrieved, whether for monitoring, performance optimisation or safety evaluation. Organisations have grown comfortable distinguishing between “prompt content” and “non-readable telemetry”, particularly when designing systems to avoid long-term storage of prompts while retaining derived vectors and internal representations. The paper challenges the assumption that those artefacts are inherently low risk, since retaining them may be functionally equivalent to retaining the prompt itself, provided someone with the right access and resources attempts reconstruction. If a prompt contains personal data and the model’s internal representations do actually permit reconstruction of that prompt through an algorithm, then those representations are difficult to characterise as non-personal just because reconstruction requires technical sophistication. As per the EDPB opinion on the issue - is it possible to reconstruct through “reasonably likely means”? This has direct consequences for data minimisation, purpose limitation, storage limitation, erasure and security, where observability pipelines and debugging stores may become repositories requiring the same protections as plaintext prompts. Enterprise buyers should therefore ask whether providers store, export or log any prompt-derived inference artefacts, and if so under what retention periods, access controls, encryption, deletion processes and third-party sharing restrictions. Contractual restrictions should address not merely “prompts and outputs” but any prompt-derived inference artefacts where confidentiality or regulated data is involved.

Your data has a temperature, and you are wasting money if you don't know it. Hot, Warm, and Cold data. Storing data is not just about saving it and forgetting about it. You need to understand how often you will access the data and how long you should keep it. You can group data into three categories based on how often it's accessed: 𝗛𝗼𝘁 𝗗𝗮𝘁𝗮 • What It Is: Data that you need often and fast. • Where It's Stored: On fast storage like SSDs or even in memory. • Examples: Things like product recommendations or cached search results. • Cost: Storing hot data is expensive, but accessing it is cheap because it's always ready to go. 𝗪𝗮𝗿𝗺 𝗗𝗮𝘁𝗮 • What It Is: Data you access occasionally, like once a month. • Where It's Stored: On slower but still accessible storage, e.g., Amazon S3 Infrequently Accessed Tier, Google Nearline. • Examples: Older logs or data that are not as frequently needed. This could be data that you use for reporting or analytics. • Cost: It is cheaper to store than hot data, but accessing it costs a bit more. 𝗖𝗼𝗹𝗱 𝗗𝗮𝘁𝗮 • What It Is: Data are rarely accessed and primarily kept for long-term storage. • Where It's Stored: On the cheapest storage options, like HDDs or cloud archive services. • Examples: Old backups or records that you keep for compliance reasons. • Cost: It is very cheap to store but can be slow and expensive to access. Retention is a different animal, explains "how long you should keep data" and is based on 4 pillars: 𝗩𝗮𝗹𝘂𝗲 Is this data critical for you, or can it be recreated if needed? You should keep Important data for longer. 𝗧𝗶𝗺𝗲 For data you store in fast-access places like memory, set a time limit (TTL) for how long it stays there before moving it to cheaper storage. 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 Some laws require you to keep data for a certain amount of time or delete it after a specific period. Make sure your data storage practices follow these rules. 𝗖𝗼𝘀𝘁 Storing data costs money. To save on storage costs, you can automate deleting or archiving data when it's no longer needed. Don't just store data—manage it. Save this for your next Storage Decision.

🛡️⚖️The OLG Karlsruhe’s ruling of January 15, 2025 (Case No. 14 U 150/23) adopts a strict interpretation of data retention and Article 17(3)(e) #GDPR. It addresses whether businesses may keep personal data for potential legal defence once the original purpose for collecting it no longer exists. 🚫The case centred on an online platform user whose account was deactivated after unknown parties uploaded child pornography. Although the user’s account was reinstated, the records of the suspension and deletion of illegal content remained in the platform’s database. The operator refused to delete records of the incident, invoking the need to defend against possible future lawsuits. 📍The court disagreed, emphasising that continued data storage for merely hypothetical claims violates GDPR requirements once the initial dispute has been resolved. The court clarified that the mere possibility of future litigation does not justify indefinite storage. In its view, litigation must be genuinely probable, not just conceivable. The defendant’s argument that the plaintiff might file additional damage claims was dismissed as “highly unlikely,” raising the evidentiary bar for companies seeking to retain data under the “legal defence” exemption. 📍This decision could reshape corporate data practices, as many businesses store personal information to guard against future claims or to accommodate lengthy statutes of limitations. According to the OLG Karlsruhe, organisations must provide concrete evidence of imminent legal action before relying on Article 17(3)(e) GDPR. Storing data merely “in case” of a lawsuit will no longer suffice. 🇵🇱A similar approach has emerged in Poland. The Supreme Administrative Court (NSA) affirmed that data retention for legal defence requires more than vague speculation: a bank could not continue holding former customers’ data where no actual claim was pending or reasonably expected. However, last year, in another judgement involving rejected job applicants, the NSA allowed further data processing to defend against possible discrimination lawsuits grounded in statutory limitation periods. The court balanced employers’ legitimate interest in retaining data against applicants’ privacy, ultimately finding that limited retention during the legally mandated timeframe was acceptable. 💡Overall, the courts may take a more rigid stance on data storage. Many organisations store data as a precautionary measure, citing statutes of limitations and the need to defend against unforeseen legal action. To comply with GDPR, they should revise their internal procedures and data retention policies to ensure that any personal data held for legal defence is tied to real litigation risks rather than purely hypothetical claims. #privacy #rodo #dataprotection #court #dispute #litigation

Did you know that a poorly scoped data retention policy can actually violate multiple laws at once? Most people think data retention is just about holding onto records—but holding onto too much can be just as risky as not keeping enough. So let’s say .. You’re working with a company that stores user data indefinitely “just in case.” Sounds safe, right? Until a user files a data deletion request under GDPR and the company can’t honor it because they don’t know where that data lives—or worse, they’ve shared it with vendors who also aren’t deleting it. • Under GDPR, that’s a violation of the “right to be forgotten.” • If the same company operates in California, CPRA requires data minimization and purpose limitation. That’s strike two. • If they’re in a regulated industry like finance or healthcare? Now you’re looking at sector-specific laws being broken too. So what should a #GRC professional be doing? Start asking: • Do we have a data retention schedule? • Are we tracking where data lives and who we’ve shared it with? • Can we honor deletion requests within legal timelines? It’s not about deleting everything—it’s about proving you know why you’re keeping it and how long you’re allowed to.

📌 Summary of Data Retention Policy for Data Extensions Starting around November 2025, the Data Retention Policy began to be enabled by default in Marketing Cloud Engagement. Many users are now asking: ❓ “When does the data actually get deleted?” ❓ “Should we configure Retention?” ❓ “Should we keep all historical data?” Today, I’ve summarized the core specs, important behaviors, and best practices as clearly as possible. =============== ⚙️ How to Configure Retention You can set the policy: • When creating a DE in Email Studio / Contact Builder • Or from the DE edit screen in Contact Builder ⚠️ Note: You cannot edit retention settings on an existing DE from Email Studio. Also, the option “Delete individual records” is only available if the DE contains fewer than 1 billion records. 🧩 Two Main Configuration Sections 1️⃣ Deletion Target Type ① Delete individual records ② Delete the entire DE (with records) ③ Delete all records 2️⃣ Retention Period • Retain for X days/weeks/months/years • Or specify a fixed deletion date If option ② or ③ is selected, a "Next Scheduled Deprecation" date appears in the DE properties. This date is recalculated based on when the retention policy was turned on. 🕒 How the Deletion Schedule Works Deletion does not occur immediately when the retention period is exceeded. ✔ After the period elapses, deletion begins within 24 hours ✔ Salesforce triggers this on a non-public internal schedule ✔ Timing varies by system load and data volume If deletion does not finish within the window: ➡️ The next run resumes from where it left off. This timing delay also functions as a safety buffer to avoid instant deletion the moment retention is enabled. 🏆 Best Practices for Retention ① Define retention based on DE purpose (for example:) • Master tables → ❌ No retention • Temporary work tables → 7–30 days • Send logs / tracking → 90–180 days ② Understand the hidden field _CreatedDate Use this SQL in Query Studio: =============== SELECT     Id,   Email,   DATEADD(HOUR, 15, _CreatedDate) AS CreatedDate,   DATEDIFF(DAY, _CreatedDate, GETDATE()) AS Period FROM     [Data Extension Name] =============== 📌 Notes on “_CreatedDate” - The timestamp of _CreatedDate is recorded in CST, so timezone adjustments may be required. - When using _CreatedDate, you must always provide an alias (AS). - When values in a record are updated (via import or SQL query), _CreatedDate is preserved. - When a record is overwritten (via filter, import, SQL query), _CreatedDate is reset to 0. This is because overwriting internally deletes the original record and inserts a completely new one. ③ Keep DEs lightweight If old records are no longer needed → delete aggressively. ④ Take backups as needed • SFTP • Cloud storage • Data Cloud and more... Blog: https://lnkd.in/gHyBeth2 #Salesforce #MarketingCloud #MomentMarketer #MarketingChampion #MarketingChampions

Security teams in India — IMPORTANT UPDATE. Under the new Digital Personal Data Protection (DPDP) Rules, companies must keep their logs for at least 1 year. This is longer than the current CERT-In requirement of 6 months. The new rule becomes fully active in May 2027. What this means for you: • More storage will be needed • SIEM and log pipelines may need changes • Retention policies must be updated • Audits will expect proof of 1-year logs If you haven’t already started adapting, you’re already behind. Review your ingestion paths. Rework your storage tiers. Fix your retention policies. The teams that prep early won’t feel the burn in 2027. The ones that don’t… good luck explaining that to your CFO and your auditors. More info here: https://lnkd.in/gwxkmWfa #DPDP #DPDPRules #CyberSecurityIndia #CERTIn #DataProtection #SecurityTeams #Compliance2027 #LogRetention #InfoSec #CloudSecurity #SIEM #DataSecurity

𝗖𝗡𝗜𝗟 𝗴𝗶𝘃𝗲𝘀 𝗴𝘂𝗶𝗱𝗮𝗻𝗰𝗲 𝗼𝗻 𝗚𝗗𝗣𝗥 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝘁 𝗹𝗼𝗴𝗴𝗶𝗻𝗴 𝗼𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝘀 - 𝗿𝗲𝘁𝗲𝗻𝘁𝗶𝗼𝗻 𝗽𝗲𝗿𝗶𝗼𝗱, 𝗰𝗼𝗻𝘁𝗲𝗻𝘁 𝗼𝗳 𝗹𝗼𝗴𝘀 𝗲𝘁𝗰. The CNIL - Commission Nationale de l'Informatique et des Libertés published its "Practice Guide for the Security of Personal Data" (Version 2024). One of the mentioned topics within the guidance are "Logging Operations" (Factsheet 16). In view of the CNIL, in order to be able to identify fraudulent access or misuse of personal data, or to determine the origin of an incident, it is necessary to log certain actions carried out on IT systems. The logs then collected are also useful evidence for the demonstration of compliance under Art. 5 (2) and 24 (1) GDPR. One could also mention the security obligations under Art. 32 GDPR. The authority recommends to provide a logging system (i.e. recording system in log files) of users’ business activities (application logs), technical interventions (including by administrators), anomalies and security-related events (technical or system logs). Which also means that personal data of users / employees will be collected and stored in the logs. Another relevant view for practice concerns the retention period of logging data (including personal data). According to the CNIL, these logs should be kept for a rolling period of between six months and one year. But exceptions might apply, e.g. in the event of a legal obligation relating to this retention period or an identified need for post-incident analysis. Furthermore, a record for application logs should be created, which includes information about - the creation - consultation - sharing - modification, and - deletion of the data. This should be done by retaining the author’s identifier, the date, time and nature of the operation as well as the reference of the data concerned (to avoid duplication). Users of the systems should of course be informed about the logging process. With regard to data processors, the CNIL recommends that they are contractually obliged to implement logging in accordance with these recommendations and to notify as soon as possible of any anomaly or security incident to the controller. The guidance is available in English: https://lnkd.in/driez3YV #GDPR #dataprotection #privacy #DSGVO

60 billion ChatGPT conversations. 👆 That’s how much data a federal court ordered OpenAI to preserve in the New York Times copyright lawsuit. These are conversations users believed were private or temporary. It’s a reminder for anyone leading AI at scale. Your retention policies and governance are more than just legal fine print...they become real, public, and operational in moments like this. Here’s what this case makes clear: >> 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐩𝐫𝐨𝐦𝐢𝐬𝐞𝐬 𝐡𝐚𝐯𝐞 𝐞𝐝𝐠𝐞𝐬. Even if you frame data as “temporary,” clauses like “retained to comply with legal obligations” can turn into long-term storage overnight. >> 𝐃𝐚𝐭𝐚 𝐚𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭𝐮𝐫𝐞 𝐦𝐚𝐭𝐭𝐞𝐫𝐬. OpenAI argued that only 0.010% of logs were relevant, but because the data wasn’t tagged or segmented by sensitivity or purpose, the court required everything to be preserved. >> 𝐆𝐨𝐯𝐞𝐫𝐧𝐚𝐧𝐜𝐞 𝐠𝐚𝐩𝐬 𝐬𝐮𝐫𝐟𝐚𝐜𝐞 𝐟𝐚𝐬𝐭. “AI privilege,” as floated by Sam Altman, didn’t hold water. Courts treat AI data like any other data. So, if a subpoena landed tomorrow, could you really find and isolate sensitive AI data in minutes? Could you confidently defend why you keep, or delete the data you do? And could you separate what’s truly relevant from all the noise? This isn't just about copyright...it's what happens when AI, privacy, and the law collide. A key takeaway: segment your data thoughtfully, check your vendor agreements carefully, and ensure your AI governance actually works in practice.