

Last updated: April 2026
DPDP Act compliance for contact centers means meeting India's data protection requirements for call recording consent, PII handling, data retention, and agent-collected personal data across every customer interaction. The Digital Personal Data Protection Act, 2023 imposes penalties up to ₹250 crore (~$30 million) for violations — and a BPO handling 150,000 calls per month cannot prove compliance by reviewing a 2-5% sample.
If your QA program still relies on manual sampling, you have a structural compliance gap. The DPDP Act expects organizations to demonstrate compliance across all calls, not just the ones someone listened to.
TL;DR
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy legislation. Passed by Parliament in August 2023, it establishes a legal framework for processing digital personal data with individual consent and sets out the rights of data principals (individuals whose data is being processed) and the obligations of data fiduciaries (organizations processing that data).
The Act applies to any organization that processes the personal data of individuals located in India, regardless of where the organization itself is based. For BPOs, this means both domestic operations and offshore centers handling Indian customer data fall within scope.
Key concepts contact centers must understand:
The DPDP Act joins a global landscape of data protection laws. Here is how it compares to two other major frameworks:
| Aspect | DPDP Act (India) | GDPR (EU) | HIPAA (US Healthcare) |
|---|---|---|---|
| Scope | Indian personal data | EU resident data | Protected health info |
| Consent | Free, specific, informed | Explicit for sensitive data | Written authorization |
| Right to erasure | Yes | Yes | Limited |
| Penalties | Up to ₹250 crore (~$30M) | Up to 4% global turnover | Up to $2M per category |
| Data retention | Purpose-limited | No longer than necessary | 6 years minimum |
| Breach notification | To Data Protection Board | 72 hours to authority | 60 days |
Every call generates personal data: voice recordings, transcripts, customer identification details, payment information, and service history. The DPDP Act imposes specific requirements on how this data is handled at each stage.
Call recording is foundational to QA, training, and compliance monitoring in contact centers. Under the DPDP Act, recording a customer's voice constitutes processing personal data, which requires valid consent.
What this means in practice:
Agents routinely collect personal data during calls: names, addresses, Aadhaar numbers, bank account details, health information. Under the DPDP Act, every piece of personal data collected must be:
The DPDP Act requires organizations to delete personal data once the purpose for which it was collected has been fulfilled, unless retention is required by another law. For contact centers, this creates a direct tension with common practices.
Many BPOs retain call recordings indefinitely, treating them as a growing training and quality library. Under the DPDP Act, indefinite retention without a clear, ongoing purpose is not compliant.
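As an added example (not from the original page or from Gistly), the purpose-limited retention rule above, with the "unless retention is required by another law" exception and a data principal's erasure request, can be encoded as a deletion schedule that emits a timestamped audit log per recording. The purposes, retention periods and the "rbi_financial" hold are constructed placeholders, not values the Act prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purpose-limited retention periods in days (constructed policy values, not DPDP-prescribed)
RETENTION_DAYS = {"qa_review": 90, "dispute_handling": 365, "training": 30}
# Statutory holds that override purpose-based deletion (hypothetical durations)
LEGAL_HOLD_DAYS = {"rbi_financial": 5 * 365}

@dataclass
class Recording:
    call_id: str
    recorded_on: date
    purpose: str
    legal_hold: Optional[str] = None   # e.g. "rbi_financial" when another law requires retention
    erasure_requested: bool = False    # data principal exercised the right to erasure

def retention_deadline(rec: Recording) -> date:
    """Date after which the recording must be deleted: purpose period, extended by any legal hold."""
    days = RETENTION_DAYS[rec.purpose]
    if rec.legal_hold:
        days = max(days, LEGAL_HOLD_DAYS[rec.legal_hold])
    return rec.recorded_on + timedelta(days=days)

def decide(rec: Recording, today: date) -> Tuple[str, str]:
    """Return (action, reason). Erasure requests are honoured unless a legal hold applies."""
    if rec.erasure_requested and not rec.legal_hold:
        return "delete", "data principal erasure request"
    if rec.erasure_requested and rec.legal_hold:
        return "retain", f"erasure blocked by legal hold {rec.legal_hold}"
    deadline = retention_deadline(rec)
    if today > deadline:
        return "delete", f"purpose '{rec.purpose}' retention expired on {deadline}"
    return "retain", f"within retention until {deadline}"

def run_schedule(recs: List[Recording], today: date) -> List[Dict[str, str]]:
    """Apply the schedule and return the audit log: one timestamped entry per recording."""
    return [{"date": today.isoformat(), "call_id": r.call_id, "action": a, "reason": why}
            for r in recs for a, why in [decide(r, today)]]

# Constructed sample inventory of call recordings
SAMPLE = [
    Recording("C1", date(2025, 11, 1), "qa_review"),
    Recording("C2", date(2025, 1, 1), "dispute_handling", legal_hold="rbi_financial"),
    Recording("C3", date(2026, 3, 1), "training", erasure_requested=True),
    Recording("C4", date(2026, 3, 20), "qa_review"),
]

if __name__ == "__main__":
    for entry in run_schedule(SAMPLE, date(2026, 4, 1)):
        print(entry)
```

The log entries are the evidence a Data Protection Board inquiry would ask for: which recording was deleted, when, and under which rule.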
What operations leaders need to do:
The DPDP Act allows cross-border data transfers except to countries specifically restricted by the central government. The restricted list has not been finalized as of early 2026, but operations leaders should prepare by mapping data flows across borders, including DPDP compliance clauses in client contracts, and monitoring the government's restricted country notifications.
The DPDP Act prescribes specific penalty ranges based on the nature of the violation. For BPO operations leaders, understanding which daily operational failures carry the highest financial exposure is critical for prioritizing compliance investments.
| Violation Category | Penalty (Up To) | Contact Center Example | Risk Level |
|---|---|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore (~$30M) | Unencrypted call recordings stored on shared drives accessible to unauthorized staff | Critical |
| Failure to notify Data Protection Board of breach | ₹200 crore (~$24M) | Agent accidentally emails call transcript containing Aadhaar numbers to wrong recipient; BPO does not report to DPB | Critical |
| Non-compliance with Significant Data Fiduciary obligations | ₹150 crore (~$18M) | Large BPO (classified as SDF) fails to appoint Data Protection Officer or conduct periodic audits | High |
| Processing personal data without valid consent | ₹50 crore (~$6M) | Recording calls without DPDP-compliant consent disclosure; using QA recordings for sales training without separate consent | High |
| Failure to fulfill Data Principal rights | ₹50 crore (~$6M) | Customer requests deletion of all recordings; BPO cannot locate or delete them across fragmented storage | Medium |
| Non-compliance with provisions related to children's data | ₹200 crore (~$24M) | EdTech BPO processing calls involving student data (minors) without verifiable parental consent | High (EdTech/Healthcare) |
| Breach of voluntary undertaking | As specified | BPO commits to remediation plan after DPB inquiry but fails to implement within agreed timeline | Variable |
Key nuance: Penalties are cumulative, not capped per incident. A single data breach that involves both inadequate security safeguards and failure to notify could attract penalties under both categories. For a mid-market BPO with annual revenue of ₹50-200 crore, even a ₹50 crore penalty would be existential.
Use this framework to score your contact center's DPDP readiness. Rate each area from 0 (not started) to 3 (fully compliant with documentation). A score below 15 indicates significant compliance gaps requiring immediate attention.
| Compliance Area | 0 - Not Started | 1 - Aware | 2 - In Progress | 3 - Compliant |
|---|---|---|---|---|
| Consent management | Generic recording notice only | Aware of DPDP requirements | Updated IVR scripts drafted | Purpose-specific consent live with audit trail |
| Data flow mapping | No documentation | Know where data enters | Partial flow documented | Full map: entry, processing, storage, deletion, cross-border |
| Retention schedules | Indefinite retention | Aware of need | Periods defined per purpose | Automated deletion in place with logs |
| Security safeguards | Basic access controls only | Encryption planned | Encryption at rest deployed | Full encryption, RBAC, MFA, audit logs |
| Data Principal rights | No process for requests | Aware of obligations | Process defined on paper | Operational: locate, access, correct, delete within SLA |
| QA coverage | Manual 2-5% sampling | Evaluating AI QA tools | Pilot running | 100% call auditing with compliance checks |
| Agent training | No DPDP-specific training | Planned | Initial training delivered | Ongoing, scenario-based, with completion tracking |
| Breach response | No documented plan | Generic incident plan | DPDP-specific plan drafted | Tested plan with DPB notification workflow |
| Cross-border compliance | No awareness | Know data crosses borders | Client contracts under review | DPDP clauses in all contracts, restricted country monitoring active |
| DPO appointment | Not considered | Evaluating if SDF classification applies | DPO candidate identified | DPO appointed, registered with DPB |
Scoring guide:
The DPDP Act was passed in August 2023, but full enforcement depends on the rules being notified by the central government. As of March 2026, here is the current status and what BPOs should anticipate.
| Milestone | Status (Mar 2026) | What It Means for BPOs |
|---|---|---|
| Act passed by Parliament | Complete (Aug 2023) | Legal framework established. Organizations should begin compliance preparation. |
| Draft rules published | Complete (Jan 2025) | Detailed rules covering consent managers, DPO obligations, and breach notification timelines available for review. |
| Public consultation on rules | Complete (2025) | Industry feedback incorporated. Final rules expected with minor adjustments from draft. |
| Final rules notified | Expected H1 2026 | Once notified, compliance becomes legally enforceable. BPOs should have all systems in place before this date. |
| Data Protection Board operational | Expected 2026 | The DPB will begin accepting complaints and conducting inquiries. Enforcement actions become possible. |
| Consent Manager framework live | Expected post-rules | Registered consent managers will offer standardized consent collection. BPOs may need to integrate with these platforms. |
| Significant Data Fiduciary classification | Expected post-rules | The government will notify criteria for SDF classification. Large BPOs should assume they will qualify and prepare accordingly. |
| Cross-border restricted country list | Not yet notified | Until notified, transfers are permitted to all countries. Monitor government gazette for updates. |
The bottom line for BPOs: Do not wait for final rule notification to begin compliance work. Organizations that treat DPDP preparation as a project that starts "when the rules are final" will find themselves scrambling to implement consent management, retention schedules, security upgrades, and DPO appointments under regulatory pressure. The organizations preparing now will have a 6-12 month head start.
Consider a mid-market BPO with 300 agents handling 500 calls per day each. That is 150,000 conversations per month generating personal data that falls under the DPDP Act.
Traditional QA programs review 2-5% of calls. That means 95-98% of conversations where agents might be skipping consent scripts, collecting data without proper disclosure, or mishandling PII are never reviewed.
You cannot prove DPDP compliance on calls you did not review.
This is not a theoretical risk. When a data principal files a complaint with the Data Protection Board of India, the organization must demonstrate compliance. "We reviewed a sample and the sample was fine" is not a defensible position when the complaint relates to one of the 95% of calls nobody listened to.
The compliance gap creates three specific risks:
You cannot manually review 150,000 calls per month, but the DPDP Act expects you to demonstrate compliance across all of them. This is where AI-powered conversation intelligence platforms change the equation.
The most direct solution to the compliance gap is eliminating it. Platforms like Gistly audit 100% of calls automatically, scanning every conversation for compliance markers: consent disclosures delivered, PII handling procedures followed, mandatory scripts completed, and prohibited statements avoided.
When a regulator or client asks "how do you ensure DPDP compliance on every call?", you have a concrete answer backed by data, not a sample-based estimate.
AI-powered QA platforms can be configured with custom compliance rules that reflect DPDP requirements:
This turns DPDP compliance from a periodic audit exercise into continuous, real-time oversight.
Indian contact centers operate in a linguistically complex environment. Agents frequently switch between English, Hindi, Tamil, Telugu, Kannada, and other languages within a single call. DPDP compliance monitoring must work across all these languages to be meaningful.
Gistly supports 10+ languages, including Indic language code-switching, which means compliance monitoring does not break down when an agent delivers the consent script in English but handles the rest of the call in Hindi or Tamil. This is a critical capability for Indian BPOs where monolingual solutions leave significant blind spots. For more on how multilingual QA works, see our guide to Hinglish call auditing.
The DPDP Act requires organizations to demonstrate compliance, not just practice it. AI platforms generate timestamped audit trails showing when compliance was monitored, which calls were flagged, and what remediation was taken. This documentation is precisely what you need when responding to a Data Protection Board inquiry or satisfying a client's compliance audit.
Use this checklist to assess your current compliance posture and identify gaps.
Compliance is not a one-time project. The organizations that handle DPDP well embed data protection into their operational DNA rather than treating it as a legal checkbox.
Train continuously, not annually. Use real call examples (anonymized) from your QA data to reinforce DPDP requirements in weekly team huddles. When agents hear actual flagged calls where consent was missed, the lesson sticks far longer than an annual training slide deck.
Measure compliance like you measure CSAT. Track consent delivery rates, PII handling accuracy, and data request response times as operational KPIs, not just legal metrics.
Close the loop between monitoring and training. Flagging a compliance violation is only useful if it triggers a coaching conversation. The best operations connect their QA platform to their training workflow so that identified gaps feed directly into targeted coaching.
Start by mapping your data flows to understand where personal data enters and is stored. Update IVR scripts to meet DPDP informed consent requirements. Implement retention schedules with automated deletion for recordings past their retention period. Use AI-powered call auditing to monitor 100% of calls for consent language and data handling compliance rather than relying on manual sampling.
Yes. The DPDP Act applies to any processing of personal data of individuals located in India, regardless of where the data fiduciary or processor is based. If your BPO handles calls from Indian customers on behalf of a foreign client, the Act applies to that processing.
Yes. Recording a customer's voice constitutes processing personal data, which requires informed consent under the DPDP Act. The consent disclosure must specify the purpose of recording. A generic "this call may be recorded" message may not meet the Act's requirement for specific, informed consent.
The Act requires deletion of personal data once the purpose for which it was collected has been fulfilled. There is no fixed retention period prescribed. You must define retention periods based on the purpose of recording, any other applicable laws that require retention (such as SEBI or RBI regulations for financial services), and your contractual obligations with clients.
Penalties range from ₹50 crore (~$6M) for consent violations and failure to fulfill data principal rights, up to ₹250 crore (~$30M) for failure to implement reasonable security safeguards. Penalties for children's data violations and breach notification failures can reach ₹200 crore (~$24M). Penalties are cumulative: a single incident can attract fines under multiple categories simultaneously.
Organizations classified as "Significant Data Fiduciaries" are required to appoint a Data Protection Officer based in India. The criteria include the volume and sensitivity of personal data processed. Large BPOs handling high volumes of personal data across multiple clients should prepare for this requirement.
They are separate legal frameworks with overlapping but distinct requirements. GDPR compliance provides a strong foundation, but the DPDP Act has India-specific requirements around consent mechanisms, the Data Protection Board's adjudication process, and cross-border transfer restrictions that require separate attention.
The Act was passed in August 2023 and draft rules were published in January 2025. Final rules are expected in H1 2026. Once rules are notified, the Data Protection Board will become operational and enforcement actions will begin. BPOs should not wait for final notification; compliance preparation should be underway now. Organizations that wait will face compressed timelines and regulatory pressure.
Ready to close your DPDP compliance gap?
Gistly gives your operation 100% call coverage with built-in compliance monitoring, multilingual support for Indian languages, and audit-ready documentation. See how it works for regulated contact centers.