January 1, 2025
Blog
What happens when one Indian law forces you to retain data while another legally demands its deletion? In 2026, this is no longer a theoretical conflict—it’s a real compliance trap created by the overlap between CERT-In directives and the Digital Personal Data Protection Act (DPDPA). While CERT-In mandates long-term log and data retention for cybersecurity and forensic purposes, the DPDPA prioritizes individual rights like consent withdrawal and the right to erasure. This collision exposes a critical gap between security obligations and privacy compliance. In this blog, we unpack how these laws intersect, where conflicts arise across sectors like BFSI, and how organizations can legally balance retention, deletion, and user trust.
What happens when CERT-In legally forces you to keep data that the DPDPA legally forces you to delete? For many Indian organizations in 2026, this is not just a theoretical question; it is a high-stakes compliance trap. While your CERT-In framework is built around thorough log retention and incident response, the DPDPA demands a privacy-first approach that prioritizes the individual’s right to be forgotten. This creates a massive gap between protecting your systems and protecting your users, leading to several friction points and implementation hurdles that can catch even the most secure firms off guard.
In today’s regulatory landscape, having a secure perimeter is no longer a substitute for a valid consent trail. The transition from a technical mandate to a rights-based framework means that your existing Security Operations Center (SOC) and ICT protocols must now account for Data Principal rights, such as consent withdrawal and the right to erasure. Because CERT-In prioritizes data preservation for forensic evidence while the DPDPA mandates data deletion to ensure privacy, organizations are hitting a compliance wall where their reasonable security safeguards are technically sound but legally contradictory.
What is the Resolution when Laws Collide?
When these two laws clash, the legal answer lies in Section 12 of the DPDPA. The Act specifically allows you to refuse an erasure request if retaining the data is necessary for compliance with any law for the time being in force. Since CERT-In directives (under the IT Act) are mandatory laws, your 180-day log retention or 5-year KYC mandates legally override a user’s request to delete.
However, you cannot simply keep using that data for business. To remain compliant, you must move into a Restricted Processing mode:
You must logically delete the user from your active databases and marketing funnels.
The data must be moved to an encrypted cold archive, held solely for CERT-In forensic audits.
You are legally required to inform the user why their data is being retained despite their request, citing the specific CERT-In mandate.
While the conflict between CERT-In and DPDPA is a horizontal challenge, its impact is far from uniform across the Indian industrial landscape. In 2026, the specific compliance friction an organization feels is largely determined by its sectoral regulator and the nature of the data it handles. For some, the primary hurdle is reconciling long-term forensic retention with the right to erasure; for others, it is the technical difficulty of maintaining real-time security monitoring without violating strict prohibitions on behavioral tracking. These issues are especially acute in sectors where sensitive personal data is the lifeblood of the business and regulatory oversight is already intensive.
To illustrate how these contradictions play out in practice, consider the following sectors where the exposure is highest:
The BFSI Sector (Banking, Financial Services, and Insurance)
In the BFSI sector, the clash between CERT-In and the DPDPA is not just a legal debate; it is an operational nightmare. Banks are caught between the duty to never forget (for national security) and the duty to forget immediately (for user privacy).
Here is a detailed breakdown of how this problem plays out:
The Conflict: KYC Data vs. The Right to Erasure
The Scenario: A customer closes their digital wallet or bank account and sends a formal request under the DPDPA to have all their personal data deleted.
The CERT-In/PMLA Requirements: Under the Prevention of Money Laundering Act (PMLA) and CERT-In directives, financial institutions must retain Know Your Customer (KYC) documents and transaction logs for at least five to ten years. This is to ensure that if a financial crime is discovered years later, a forensic trail (forensic evidence) exists for investigators.
The DPDPA Requirements: The Right to Erasure mandates that once the purpose (the banking relationship) ends, the Data Fiduciary must delete the data.
The Issue: If the bank deletes the data, they face jail time for violating anti-money laundering laws. If they keep it in their active CRM, they face a ₹250 Crore penalty under DPDPA for over-retention.
The Solution: Banks must move this data into a Legal Hold archive. The data is removed from the eyes of bank employees and marketing bots but stays on the server in an encrypted, read-only format solely for government audits.
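The restricted-processing steps listed earlier (logical deletion from active stores, an encrypted cold archive, and a notice to the user citing the mandate) and the Legal Hold archive described for banks are the same mechanism. The following is an added example, not code from this post or from ARC, showing how an erasure-request handler can apply that flow: each record category carries a retention obligation, records still under an obligation are sealed into a read-only archive reachable only through an audit path, everything else is erased, and the user receives the Section 12 explanation. The category names, the sample records and the stdlib-only sealing routine are constructed for illustration (a production archive would use an AEAD such as AES-GCM with a KMS-held key); the 180-day and five-year periods are the figures the post cites.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Retention obligations that override an erasure request (DPDPA Section 12).
# Periods are the figures cited in the post; category names are constructed.
RETENTION_RULES: dict[str, tuple[str, timedelta]] = {
    "access_logs": ("CERT-In directive: 180-day log retention", timedelta(days=180)),
    "kyc": ("PMLA / CERT-In: 5-year KYC retention", timedelta(days=5 * 365)),
}
DEMO_DATE = date(2026, 1, 15)  # constructed "today" for the demo


@dataclass
class Record:
    category: str
    collected_on: date
    payload: dict


@dataclass
class Outcome:
    deleted: list[str]        # categories erased outright
    retained: dict[str, str]  # category -> legal basis cited to the user


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Illustrative encrypt-then-MAC with stdlib only (constructed for this example)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, sealed: dict) -> bytes:
    nonce, ct = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(sealed["tag"])):
        raise ValueError("archive record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class DataStore:
    """Active stores (CRM, marketing) plus a read-only encrypted legal-hold archive."""

    def __init__(self, archive_key: bytes) -> None:
        self.active: dict[str, list[Record]] = {}
        self.archive: dict[str, list[dict]] = {}
        self._key = archive_key

    def handle_erasure(self, user_id: str, today: date) -> Outcome:
        deleted, retained = [], {}
        # Logical deletion: the user leaves every active store no matter what.
        for rec in self.active.pop(user_id, []):
            basis, period = RETENTION_RULES.get(rec.category, (None, timedelta(0)))
            if basis and today < rec.collected_on + period:
                entry = seal(self._key, json.dumps(rec.payload).encode())
                entry["category"] = rec.category
                entry["retain_until"] = (rec.collected_on + period).isoformat()
                self.archive.setdefault(user_id, []).append(entry)
                retained[rec.category] = basis
            else:
                deleted.append(rec.category)  # no live obligation: erase outright
        return Outcome(deleted, retained)

    def audit_read(self, user_id: str) -> list[dict]:
        """Only path back to retained data: for forensic audits, not business use."""
        return [json.loads(unseal(self._key, e)) for e in self.archive.get(user_id, [])]


def user_notice(outcome: Outcome) -> str:
    """Tells the Data Principal what was erased and which mandate blocks the rest."""
    lines = [f"Erased: {', '.join(outcome.deleted) or 'nothing'}."]
    for cat, basis in outcome.retained.items():
        lines.append(f"Retained ({cat}): required by {basis}; held in a restricted "
                     "archive under DPDPA Section 12 and not used for any other purpose.")
    return "\n".join(lines)


def run_demo(today: date = DEMO_DATE) -> tuple[DataStore, Outcome]:
    """Constructed sample: one closed account with three record categories."""
    store = DataStore(archive_key=os.urandom(32))
    store.active["u-42"] = [
        Record("marketing_prefs", today - timedelta(days=30), {"newsletter": True}),
        Record("access_logs", today - timedelta(days=200), {"ip": "203.0.113.9"}),
        Record("kyc", today - timedelta(days=365), {"id_doc": "CONSTRUCTED-ID-1"}),
    ]
    return store, store.handle_erasure("u-42", today)


if __name__ == "__main__":
    _, result = run_demo()
    print(user_notice(result))
```

Note the asymmetry the post describes: the access logs are older than 180 days, so the CERT-In obligation has lapsed and they are erased alongside the marketing preferences, while the one-year-old KYC record stays under its five-year hold. The archive stores a `retain_until` date so that a later sweep can finish the deletion once the obligation expires, and the integrity tag means a tampered archive entry fails loudly at audit time rather than yielding silently altered evidence.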
ARC: Achieve 100% DPDPA Compliance
Navigating the collision between CERT-In’s security logs and the DPDPA’s privacy rights doesn’t have to be a manual nightmare. ARC is an end-to-end, customizable compliance platform designed to manage the entire data lifecycle in a single system. Whether you are facing a 6-hour reporting deadline or a complex Right to Erasure request, ARC automates the friction away.
Why Enterprises Choose ARC:
Deep Data Discovery: Automatically locate and classify sensitive personal data across your entire infrastructure so nothing stays hidden.
Smart Lifecycle Governance: Seamlessly balances Data Retention (for CERT-In) with DSAR Automation and the Right to Erasure (for DPDPA).
Automated Consent & Cookies: Manage granular user permissions and Cookie Consent with a system that updates your ROPA (Record of Processing Activities) in real-time.
Third-Party Risk Management: Audit your vendors and data processors instantly to ensure your compliance chain never breaks.

Book your Personalised Demo Today
Conclusion
By 2026, the overlap between CERT-In rules and the DPDPA changed compliance from a simple checklist into a careful balancing act. Indian organizations now have to manage real-world conflicts, such as reporting incidents within 6 hours while still completing a 72-hour impact analysis, or retaining data for regulatory needs while respecting the right to be forgotten. This tension has become the new normal for compliance teams in India.
The key takeaway is clear: Technical security is no longer a substitute for data privacy. While your CERT-In framework protects your infrastructure from external threats, your DPDPA framework protects your relationship with the individual. A single breach can cause two investigations and heavy fines, which is why security and privacy cannot be handled separately.
Moving Forward: The Resilience Mindset
To succeed under both CERT-In and DPDPA, businesses must move away from reacting to rules and start building privacy into their systems from the beginning. This means not only protecting systems from cyber threats, but also respecting user data at every stage of its lifecycle. Security and privacy teams need to work together with a single strategy, supported by privacy-aware technology that can correctly identify, protect, retain, or delete data based on legal requirements. Clear and honest communication with users should be seen as a way to build trust, not as a compliance burden. In the end, the goal is not just to avoid penalties of up to ₹250 crore, but to create a digital environment where security obligations and individual rights coexist, helping organizations stay compliant, trusted, and ready for the future of India’s digital economy.
Contact Us
Learn DPDPA: https://dpdpaedu.org
Book ARC Demo: https://arc.securze.com
DPDPA Consultation and Implementation: https://securze.com
Email: info@securze.com
Mobile: +91-8451073938
