Data Protection Lifecycle Under the DPDP Act

Because personal data does not remain still, it travels through stages.

Understanding the lifecycle of data helps readers understand when and how protection applies.

🔄 Stages of the Data Lifecycle

1. Collection

Data is collected from:

• Websites

• Applications

• Forms

• Transactions

Collection must be lawful and typically consent-based.

2. Processing

Processing includes:

• Recording

• Storing

• Organising

• Using

• Sharing

• Altering

• Deleting

Under the Act, almost any operation on digital data qualifies as processing.

3. Storage

Data must be stored securely with:

• Technical safeguards

• Access controls

• Protection against unauthorised access

4. Transfer

Data may be:

• Shared with processors

• Transferred cross-border (subject to restrictions)

5. Retention

Data must not be stored indefinitely.

It should be retained only:

• For the purpose it was collected

• Or as required by law

6. Deletion / Erasure

Once the purpose is fulfilled:

• Data should be erased

• Unless legally required to be retained

This supports the principle of data minimisation.

Why Lifecycle Understanding Is Important

Because compliance applies at every stage.

Security is not a one-time action, it is continuous.

Conclusion

The Data Lifecycle demonstrates that protection under the DPDP Act is not limited to storage alone.

It applies from:👉 Collection to 👉 Deletion