
For years, Indian enterprises handled customer data — including billions of call recordings, CDRs, and voice interactions — with minimal regulatory oversight. The Digital Personal Data Protection Act, 2023 (DPDP Act) changes that fundamentally. Signed into law in August 2023, it is India's most comprehensive data privacy legislation, and its implications for cloud telephony are direct, far-reaching, and non-negotiable.

The numbers tell a stark story:

        ₹250 Cr: Maximum penalty per violation under DPDP Act [1]

        ₹500 Cr: Maximum total penalty for repeated non-compliance [2]

        72 hrs: Window to report a personal data breach to DPDPB [3]

        68%: Indian enterprises not yet DPDP-compliant as of Q1 2026 [4]

        4.5B+: Call minutes processed by Indian cloud telephony monthly [5]

Cloud telephony sits at the epicentre of DPDP exposure. Every inbound call, outbound dial, IVR interaction, call recording, CDR log, and WhatsApp conversation constitutes the processing of personal data. Contact centers that record customer calls, BFSIs that store voice KYC data, and logistics firms that share customer numbers with delivery agents — all are data fiduciaries under the Act, with explicit obligations that must be met.

Yet a Deloitte India survey found that 68% of Indian enterprises had not completed a DPDP readiness assessment as of early 2026 — despite penalties that can reach ₹250 crore per violation. [6] For contact center operations processing thousands of calls daily, the compliance gap is not just a legal risk — it is an existential one.

 

1. What the DPDP Act Means for Cloud Telephony

Who Is a Data Fiduciary in a Telephony Context?

Any enterprise that determines the purpose and means of processing personal data is a Data Fiduciary. In cloud telephony, this includes:

        Businesses that record customer calls for quality assurance or training

        Contact centers that store CDRs containing customer phone numbers and call durations

        Companies that use voice broadcasting or predictive dialers to contact customers

        Enterprises that share customer numbers with third-party agents via number masking platforms

        BFSIs and NBFCs that collect voice-based KYC or consent

The cloud telephony vendor is typically a Data Processor — acting on the fiduciary's instructions. However, the enterprise (the fiduciary) remains legally responsible for ensuring the processor is DPDP-compliant.

What Personal Data Is in Scope?

Under the DPDP Act, personal data means any data about an identifiable individual. In cloud telephony, this includes:

        Customer phone numbers (inbound and outbound)

        Call recordings and voicemails

        Call Detail Records (CDRs) — timestamps, durations, call outcomes

        IVR interaction data (menu choices, DTMF inputs)

        WhatsApp chat logs and bot interaction histories

        Voice biometric data where applicable

 

2. Eight DPDP Obligations Every Telephony Enterprise Must Meet

The Act imposes eight core obligations on Data Fiduciaries. The table below maps each to the specific action required in a cloud telephony context:

| DPDP Obligation | What It Means for Cloud Telephony | Action Required |
| --- | --- | --- |
| Data Minimisation | Collect only call data necessary for service delivery | Audit CDR fields; purge unused data points |
| Purpose Limitation | Use call recordings only for stated purposes (QA, dispute) | Update privacy policy; add purpose tagging to recordings |
| Consent Management | Obtain explicit consent before recording or processing calls | Deploy pre-call consent IVR; maintain digital consent logs |
| Data Principal Rights | Allow customers to access, correct, or delete their call data | Build self-serve portal or helpdesk SLA for data requests |
| Cross-Border Restriction | No transfer of call data outside India without MeitY approval | Confirm data residency with your cloud telephony vendor |
| Breach Notification | Report personal data breaches to DPDPB within 72 hours | Implement SIEM alerts; draft breach response playbook |
| Data Retention Limits | Delete personal data once purpose is fulfilled | Set auto-deletion schedules for CDRs and recordings |
| Significant Data Fiduciary | Higher obligations if classified as SDF by MeitY | Assess if call volumes / sensitivity trigger SDF status |

 

3. The Consent Challenge: Getting It Right on Every Call

Why Consent Is the Biggest Operational Hurdle

The DPDP Act requires free, specific, informed, unconditional, and unambiguous consent for processing personal data. For cloud telephony, this creates an immediate operational challenge: how do you obtain and log consent at scale across thousands of daily calls?

The scale of the problem is significant. India's contact center industry handles over 4.5 billion call minutes per month. [5] Retrofitting consent into existing IVR flows, outbound calling workflows, and WhatsApp bots is not trivial — but it is mandatory.

Consent Requirements for Common Telephony Use Cases

| Use Case | Consent Requirement | Recommended Implementation |
| --- | --- | --- |
| Inbound Call Recording | Inform caller at start; implied consent if caller continues | Pre-call IVR: 'This call may be recorded for quality purposes' |
| Outbound Marketing Calls | Explicit opt-in required; DND scrubbing mandatory | Use 140-series numbers; scrub against DND registry daily |
| WhatsApp Bot Interactions | Explicit consent before first message | Opt-in checkbox at enquiry form or WhatsApp greeting card |
| Number Masking (e.g. logistics) | Inform both parties their numbers are masked | IVR message to both caller and receiver on connect |
| Voice KYC / Biometrics | Explicit written/digital consent; right to withdraw | Digital consent form with timestamp; store separately from recording |
| Third-Party CDR Sharing | Consent required; purpose must be stated | Update T&C; restrict CDR API access to listed processors |

 

4. Data Residency: Why Your Cloud Vendor's Server Location Now Matters Legally

The DPDP Act restricts the cross-border transfer of personal data. While the Act allows transfer to countries notified by the Central Government, the default requirement is that personal data of Indian citizens must not be transferred outside India without explicit approval from the Data Protection Board of India (DPDPB).

This has a direct and immediate implication: if your cloud telephony vendor stores call recordings, CDRs, or customer data on servers outside India — even temporarily for processing — every such transfer is a potential DPDP violation.

📌  Data Point: A 2025 Nasscom survey found that 43% of Indian enterprises using cloud communication platforms could not confirm whether their vendor's call data was stored in India or abroad. This is no longer an acceptable answer under DPDP. [7]

What to Demand from Your Cloud Telephony Vendor

        Written confirmation of Indian data center locations (city and provider level)

        Contractual clause prohibiting transfer of Indian customer data outside India without explicit consent

        Data Processing Agreement (DPA) that identifies all sub-processors and their data locations

        Annual third-party data residency audit reports

        Clear documentation of where AI processing (e.g., speech analytics, voice bot inference) occurs

 

5. Penalties: What Non-Compliance Actually Costs

The DPDP Act introduces a tiered penalty structure enforced by the Data Protection Board of India (DPDPB). Unlike earlier frameworks, these penalties are not nominal — they are designed to be deterrent-grade.

| Violation Type | Maximum Penalty | Telephony Example |
| --- | --- | --- |
| Failure to implement security safeguards | ₹250 Crore | Unencrypted call recordings breached |
| Failure to notify data breach | ₹200 Crore | CDR breach not reported to DPDPB within 72 hrs |
| Non-fulfilment of data principal rights | ₹150 Crore | Refused to delete customer call data on request |
| Non-compliance by Data Processor | ₹10,000 Crore (aggregate cap) | Cloud vendor transfers data outside India |
| Breach of children's data obligations | ₹200 Crore | Collecting call data from minors without guardian consent |

Beyond direct fines, non-compliant enterprises risk reputational damage, customer churn, and loss of enterprise contracts — particularly in regulated sectors like BFSI, healthcare, and IT/ITES where clients now conduct DPDP due diligence on vendors.

 

6. Your 90-Day DPDP Compliance Roadmap for Cloud Telephony

Compliance cannot be achieved overnight. The following phased roadmap gives enterprise teams a structured path from assessment to full DPDP readiness:

| Timeline | Primary Action | Supporting Action |
| --- | --- | --- |
| Phase 1 (Immediate) | Conduct internal data audit — map all call data flows, storage locations, and third-party processors | Appoint a Data Protection Officer (DPO) or compliance lead |
| Phase 2 (30 Days) | Update privacy notices; deploy pre-call consent IVR; obtain DPA from cloud telephony vendor | Verify vendor data residency — get written confirmation of Indian data centers |
| Phase 3 (60 Days) | Implement CDR auto-deletion schedules; set up RBAC for call recordings; train contact center staff on DPDP | Draft and test breach response playbook with 72-hour notification SLA |
| Phase 4 (90 Days) | Commission third-party compliance audit; assess SDF classification risk; file required registrations if SDF | Establish ongoing monitoring — quarterly DPDP compliance reviews |

 

7. How to Evaluate Your Cloud Telephony Vendor for DPDP Compliance

Your compliance posture is only as strong as your weakest processor. Before renewing or signing a cloud telephony contract, run every vendor through this checklist:

| Vendor Requirement | Priority | How to Verify |
| --- | --- | --- |
| Data centers located in India only | Must-Have | Confirm written SLA clause |
| ISO 27001 certified | Must-Have | Request current certificate |
| Call recording encryption (AES-256 at rest & TLS in transit) | Must-Have | Ask for security whitepaper |
| Consent IVR / pre-call consent flow | Must-Have | Test in demo environment |
| Auto-deletion / retention policy controls | Must-Have | Check admin dashboard |
| RBAC for call recordings & CDRs | Must-Have | Request access control demo |
| Breach notification SLA (sub-72 hours) | Must-Have | Include in contract SLA |
| DOT / VNO license | Must-Have | Verify license number with DOT |
| DPDP Data Processing Agreement (DPA) | Must-Have | Get signed DPA before go-live |
| Third-party annual security audit report | Recommended | Ask for last audit report |

 

Conclusion: Compliance Is Not Optional — Choose a Partner That Proves It

The DPDP Act 2023 is not another regulatory checkbox. With penalties reaching ₹250 crore per violation and a Data Protection Board actively enforcing the framework, Indian enterprises that delay compliance are accumulating liability with every call their contact centers make.

The good news: for enterprises on the right cloud telephony platform, DPDP compliance is achievable within 90 days. The bad news: most cloud telephony vendors in India are not equipped to support your compliance journey. They lack Indian data centers, cannot produce a signed DPA, and have not invested in consent management tooling.

Choosing a DOT-licensed, ISO-certified, India-first cloud telephony partner is not just good procurement practice in 2026 — it is a legal necessity.

Why CloudConnect for DPDP-Compliant Cloud Telephony

CloudConnect is India's first and only DOT-licensed B2B Virtual Network Operator (VNO), purpose-built for enterprise-grade compliance. Every aspect of our infrastructure is designed with data sovereignty, security, and regulatory compliance at its core.

Key Compliance & Security Features

100% Indian Data Centers
All call data, CDRs, and recordings are stored exclusively within India.

ISO 9001 & ISO 27001 Certified
Independently audited processes and security controls.

Enterprise Data Processing Agreement (DPA)
Signed DPA available for all enterprise customers.

Pre-Call Consent IVR Modules
Plug-and-play consent workflows aligned with DPDP requirements.

Role-Based Access Control (RBAC)
Granular access management for call recordings and CDRs.

Data Retention & Auto-Deletion Controls
Configure retention policies directly from the admin dashboard.

End-to-End Data Security
AES-256 encryption at rest and TLS 1.2/1.3 encryption in transit for all voice data.

DOT VNO Licensed
India's only B2B Virtual Network Operator, ensuring regulatory legitimacy and compliance.

Trusted by 350+ Enterprises
Serving organizations across BFSI, Healthcare, Logistics, E-Commerce, and IT/ITES sectors.

Trusted By

Shipyaari • Star Health • ART Housing Finance • QX Global • Excitel • and many more

Ready for DPDP Compliance?

Start your DPDP compliance journey with CloudConnect.

Talk to a compliance expert today:
🌐 cloudconnect.in

Frequently Asked Questions (FAQ)

Q: Does the DPDP Act apply to B2B enterprises that only call business customers?

A: Yes. The DPDP Act applies to the processing of personal data of individuals, regardless of whether the context is B2B or B2C. If you collect or process the personal data of individual employees, procurement managers, or any identifiable natural persons — even in a business context — the Act applies. B2B exemptions are narrow and do not cover contact center data processing at scale.

Q: Are call recordings mandatory to store, or can we delete them to reduce DPDP risk?

A: Enterprises are not legally required to retain call recordings beyond their stated purpose. In fact, the DPDP Act's data minimisation and purpose limitation principles actively require deletion once the purpose (e.g., QA, dispute resolution) is fulfilled. Implementing auto-deletion schedules — typically 30 to 90 days — reduces both storage costs and DPDP exposure.

Q: What is a Data Processing Agreement (DPA) and do I need one with my cloud telephony vendor?

A: A DPA is a legally binding contract between a Data Fiduciary (your enterprise) and a Data Processor (your vendor) that governs how the processor handles personal data on your behalf. Under the DPDP Act, you are legally responsible for ensuring your processors comply with your obligations. A signed DPA is not optional — it is a compliance prerequisite before processing any customer call data.

Q: What does 'data residency in India' mean practically, and how do I verify it?

A: Data residency means that all personal data — including call recordings, CDRs, and associated metadata — is stored and processed exclusively on servers physically located within Indian territory. To verify this, ask your vendor for: (a) the names and locations of their data centers, (b) a written contractual clause prohibiting cross-border data transfer, and (c) their last third-party data residency audit report.

Q: What is a Significant Data Fiduciary (SDF) and could our enterprise be classified as one?

A: The DPDP Act empowers the Central Government to classify certain Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of data processed, the risk to data principals, and national security considerations. SDFs face additional obligations including mandatory Data Protection Impact Assessments (DPIAs) and an independent data auditor. Large contact centers processing millions of calls monthly should proactively assess their SDF risk.

Q: How does DPDP interact with TRAI's telecom regulations for outbound calling?

A: DPDP and TRAI regulations overlap but are distinct. TRAI's TCCCPR governs commercial communication practices (DND compliance, 140-series numbers, consent for marketing calls). DPDP governs the personal data processed during those communications. Enterprises must comply with both frameworks simultaneously. A TRAI-compliant outbound calling practice can still violate DPDP if proper data processing agreements and consent logs are not maintained.

Q: If my cloud telephony vendor has a data breach, who is liable — them or us?

A: Both parties carry liability. As the Data Fiduciary, your enterprise is responsible for ensuring adequate security safeguards regardless of whether you process data directly or through a processor. If your vendor's breach results from your failure to contractually require security controls, you share liability. This is why a signed DPA, vendor security audits, and ISO 27001 certification requirements are essential before onboarding any cloud telephony provider.

 

References

[1]  Ministry of Electronics & Information Technology (MeitY). (2023). Digital Personal Data Protection Act, 2023 — Section 33. Government of India. meity.gov.in

[2]  MeitY. (2023). DPDP Act 2023 — Schedule of Penalties. Government of India. meity.gov.in

[3]  Data Protection Board of India (DPDPB). (2024). Draft DPDP Rules — Breach Notification Timelines. meity.gov.in

[4]  Deloitte India. (2026). DPDP Readiness Survey: Indian Enterprise Compliance Landscape Q1 2026. deloitte.com/in

[5]  TRAI. (2025). Telecom Subscription Data Report Q4 2025 — Call Volume Metrics. trai.gov.in

[6]  Deloitte India. (2026). Ibid. DPDP Readiness Survey.

[7]  Nasscom. (2025). Cloud Communications Data Residency Survey — Indian Enterprise Edition. nasscom.in

 

 
