If you're running outbound calls in India in 2026, the Digital Personal Data Protection Act 2023 already applies to you — even if the enforcement notifications are still rolling out. Here's the actual operator-level checklist we run for every Cualify pilot, written in plain English instead of clauses.
1. Establish your role
Under DPDP, you are the Data Fiduciary for every contact you call. Cualify (or any voice-AI vendor) is your Data Processor — we act on your instruction, we don't decide what to do with the data. This matters because the legal liability for unlawful calling sits with you, not the platform. The flip side: as long as your platform contract is solid, you're not liable for vendor breaches alone.
Action: appoint a Data Protection Officer in writing. For an SMB this is usually the CEO or COO — formality matters, the title doesn't.
2. Get consent before you dial
Every dial needs a lawful basis. For B2B work-email contacts, that's typically legitimate interest under §7(d). For B2C / consumer calling, you need affirmative consent — the form fill, the opt-in checkbox, the WhatsApp-bot agreement.
- Capture the consent timestamp + the language the consent was given in.
- Store the consent statement verbatim — not paraphrased — alongside the contact record.
- Re-confirm consent at the start of every call. We play a 5-second AI disclosure clip in the customer's language; that's both a TRAI requirement and a DPDP belt-and-braces.
3. Mind the calling window
TRAI's 09:00–21:00 IST window is the floor; DPDP doesn't override it. Your calling stack should reject any dispatch outside the window, not just warn — it's the kind of audit-trail compliance that closes a complaint in five seconds.
4. Run the NCPR scrub every time
The National Customer Preference Register is updated daily. Scrubbing once at list upload isn't enough — by the time your campaign dispatches a week later, dozens of numbers may have opted out. Scrub at dispatch, every time.
5. Set retention windows you can actually defend
DPDP doesn't prescribe a number; it asks you to retain data only as long as 'necessary for the purpose'. We default to 90 days for recordings, configurable up to 365. After the window, recordings are auto-purged and the transcript is redacted. The shorter your retention, the easier your DPDP audit.
6. Wire the rights workflow before the first request
Within 30 days of a Data Principal request — access, correction, erasure, consent withdrawal — you have to deliver. The way to handle this is not a special-case workflow when the request lands. Build the in-app DSR inbox now, write the SOP now, run a tabletop drill now. Two paragraphs of policy and zero tooling is a fail mode.
7. Notify breaches in 72 hours
If a sub-processor leaks recordings, you have 72 hours to notify the Data Protection Board of India and your affected customers. Cualify commits to notifying you within the same 72-hour window so your clock starts on time.
What this looks like in practice
On the Cualify side, every campaign goes through a pre-flight gate that checks: DLT template ID attached (yours, registered under your entity), calling window valid, NCPR scrub recent, AI disclosure clip ready in the call language, retention policy attached, consent text on file. The gate refuses to dispatch if any of those fails. We're bring-your-own-carrier — Cualify connects to your existing telephony provider (Exotel / Plivo / Twilio), uses the DLT templates you've already filed, and adds the AI orchestration + audit trail on top. You stay the Principal Entity; we give you the receipts.
If you're running calls today without these guardrails, the cost of retrofitting is much higher than building it in. Email [email protected] if you want to walk through your specific stack.
Read more