India’s telecom industry is undergoing a significant transformation, driven by the Telecommunications Act, 2023 and the rapid expansion of services into digital platforms and AI technologies. With these advancements, the need to protect consumer data and uphold security and governance standards has become more critical than ever. This need was also highlighted in Nivedita Sharma v. Bharti Hexacom Ltd, where telecom operators were found to be sharing consumer data with third parties without consent. The judgment reinforced the urgent need for telecom companies to prioritize data security and protection. Since then, the government has released multiple regulations mandating that telecom companies abide by stricter security standards.
This blog aims to highlight the key obligations of telecom companies with regard to data security, data privacy, data governance, and AI.
Overview of the Regulatory Framework
The Telecom Act, 2023 modernizes the framework set by the Indian Telegraph Act, 1885, and the Indian Wireless Telegraphy Act, 1933. It introduces stricter data security obligations and applies to telecom entities, which include providers of telecommunication services (TSPs), network operators, radio equipment owners, and access providers. The sector is regulated by the Telecom Regulatory Authority of India (TRAI), which was created under the TRAI Act.
Additionally, the Digital Personal Data Protection Act, 2023 (DPDPA), is a comprehensive data privacy law enacted to regulate the processing of digital personal data in India. It aims to grant individuals control over their personal data and balance the needs of businesses with the privacy rights of individuals. The DPDPA applies to the telecom sector and mandates lawful data processing, enforces strict data security safeguards to prevent breaches, and grants individuals the right to access, correct, or delete their personal data.
A. Security Measures
Maintaining and upgrading security systems requires continuous investment in technology and expertise. However, it is crucial for telecom entities to avoid data breaches, comply with regulatory obligations, and maintain consumer trust in an increasingly data-driven environment. As per the Telecommunications (Telecom Cyber Security) Rules, 2024, telecom entities are obligated to take appropriate measures with regard to cyber security. They must:
- adopt a telecom cyber security policy covering risk management, testing, rapid response, and forensic analysis;
- inform the government upon adoption of this policy and submit regular reports on security measures;
- identify and mitigate security risks;
- conduct periodic security audits and share reports with the government;
- report security incidents and take corrective actions; and
- establish Security Operations Centres (SOCs) to monitor and log security incidents.
In addition, the DPDPA Rules mandate security mechanisms that minimize the risk of data breaches and build trust with consumers by safeguarding their personal data. These include:
- encrypting, obfuscating, masking, or using virtual tokens to secure personal data;
- controlling access to computer systems used by the telecom entities;
- keeping logs, monitoring access, and reviewing activity to detect, investigate, and prevent unauthorized access;
- retaining logs and personal data for at least one year to support breach detection and response;
- maintaining data backups to ensure continued processing if data is lost or compromised; and
- including security safeguard requirements in contracts.
Moreover, as per the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), TSPs must leverage Distributed Ledger Technology (DLT) for verification and smart contracts to regulate communication flow. DLT ensures transparency and prevents unauthorized messages, while smart contracts automate compliance, enforcing customer preferences and reducing telecom fraud. Embedding such security within the system enhances consumer protection and streamlines compliance.
Securiti’s Data Security Posture Management empowers organizations to mitigate data breach risks, safeguard data sharing, and enhance compliance while minimizing the cost and complexity of implementing data controls.
B. Data Classification and Integrity
To comply with the DPDPA, telecom entities must know how to classify the types of data they process and retain. This enhances compliance by distinguishing between different data types and applying appropriate safeguards, not only reducing regulatory risk but also ensuring data reliability.
Furthermore, it is important to ensure data accuracy and completeness, while verifying the integrity of personal data before using it to make decisions. Telecom entities should create frameworks that:
- have procedures to validate data upon entry, especially for high-risk operations like customer onboarding;
- set up a structured process for data principals to request data corrections or updates; and
- use automated tools to track data accuracy and flag inconsistencies in real time.
Securiti Sensitive Data Intelligence™ (SDI) goes beyond basic data discovery to help organizations accurately classify data and get rich data context, including security and privacy metadata.
C. Incident Response and Breach Notifications
The DPDPA defines a “personal data breach” as any unauthorized access, use, disclosure, or loss of personal data that compromises confidentiality, integrity, or availability. In the event of a breach, the Data Protection Board of India must be notified within 72 hours. Each affected individual must also be notified.
Furthermore, under the Telecom Cyber Security Rules, if a security incident occurs, telecom entities must:
- report security incidents to the government within six hours of awareness, providing details of the affected system; and
- submit additional information within 24 hours, including the number of affected consumers, duration, geographical impact, extent of disruption, remedial measures, and any other relevant details.
This strict timeline ensures swift containment and mitigation, reducing potential harm and reinforcing sector-wide cybersecurity resilience. Additionally, the government may disclose incidents, mandate security audits, and issue directives with set timelines.
Securiti’s Breach Management solution automates breach notifications and compliance actions, providing incident response workflows that help organizations respond to privacy incidents promptly and effectively.
D. Data Retention & Deletion Requirements
According to the DPDPA, personal data must be erased either when consent is withdrawn or as soon as it can reasonably be concluded that the specified purpose is no longer being served. This ensures data minimization and compliance with applicable data protection laws.
In addition, as per the TCCCPR, TSPs must keep a tamper-proof, secure system to store complaints and reports for at least 3 years, ensuring accountability in commercial communications. This system should:
- store details of all complaints and spam reports;
- include sender’s and recipient’s phone numbers, message details, and complaint status; and
- allow secure data sharing with authorized entities.
Thus, these retention requirements balance regulatory compliance, operational needs, and consumer rights, preventing unnecessary data accumulation while maintaining necessary records for audits and dispute resolution.
Securiti’s Sensitive Data Intelligence module uses AI to identify and remove unnecessary data, reducing storage costs and ensuring compliance with retention policies. It enables organizations to leverage granular insights and discover the security posture of data assets across on-premise, IaaS, SaaS, and data clouds.
E. Compliance Officer Requirements
Ensuring regulatory compliance and consumer protection requires dedicated oversight roles for data protection and cybersecurity. To that end, under the DPDPA, telecom entities are required to appoint a Grievance Officer to receive complaints regarding personal data processing and address them in a timely and effective manner. Moreover, the DPDPA also mandates that telecom entities designated as Significant Data Fiduciaries (SDFs) must appoint a Data Protection Officer (DPO) to oversee data protection activities, including internal audits and impact assessments, and to act as the main contact between the organization, data protection authorities, and data principals. SDFs are designated based on factors such as the volume and sensitivity of data processed, risks to the rights of data principals, and effects on national sovereignty and integrity. DPOs should:
- represent the organization as per the DPDPA;
- be based in India;
- be responsible to the Board of Directors (BOD) of the organization; and
- be the point of contact for the grievance redressal mechanism under the provisions of the DPDPA.
Beyond data protection, the Telecom Cyber Security Rules require every telecom entity to appoint a Chief Telecommunication Security Officer (CTSO). The CTSO must be an Indian citizen and resident, reporting to the BOD or governing body, and is responsible for coordinating with the government on implementing security rules, ensuring compliance, and reporting security incidents. By mandating such roles, telecom regulations aim to enhance data security, ensure compliance, and protect consumer rights, fostering a secure and accountable telecom ecosystem.
Securiti’s Data Mapping module can equip Data Protection Officers with tools to uphold stringent data security and governance protocols to catalog and map all data processing activities.
F. Vendors and Third Parties
To ensure compliance with the DPDPA, telecom entities should structure vendor contracts to include:
- data security protocols (including encryption, data residency, vulnerability assessments, penetration testing and real-time monitoring);
- comprehensive termination clauses for seamless data retrieval and deletion support;
- vendor security assessments and liability for breaches;
- periodic testing of business continuity and contingency plans;
- data localization requirements for payment and regulatory data; and
- detailed audit trails of vendor interactions to monitor compliance.
By taking such measures, telecom entities can mitigate third-party risks, enhance regulatory adherence, and maintain the confidentiality and integrity of telecom services and consumer data. However, there must be a balance, as extensive scrutiny will increase operational complexity. This may potentially slow down business processes and strain relationships with vendors, while also diverting resources from core activities.
Securiti’s Vendor Risk Management solution automates vendor risk assessments, enabling organizations to assess third-party privacy risks, track subcontractor engagements, and provide automated alerts, supplier assessments, and security audits for ongoing third-party risk monitoring.
A. Privacy Principles
As per the DPDPA, telecom entities need to adhere to privacy principles whereby they must:
- define the purpose of using personal data, with restrictions on usage and disclosure;
- ensure accuracy before sharing data with other entities; and
- maintain personal data per regulations, including retention period, deletion procedures, and record maintenance.
Securiti’s Data Privacy solution automates compliance with evolving global privacy regulations and principles.
B. Consent
As per the DPDPA, informed consent is a fundamental requirement for the collection and processing of personal data in the telecom sector. Telecom entities may appoint a Consent Manager to manage consent processes and should:
- collect consent at or before the time of requesting data;
- ensure consent is given explicitly and freely, in a manner that is specific, informed, unconditional, unambiguous, and clearly indicated through affirmative action; and
- collect and use personal data only when it is essential for the specific purpose.
Moreover, the Telecom Act requires prior consent before sending "specified messages" (which include promotional or advertising content). To manage consent preferences, the TCCCPR requires TSPs to have a Customer Preference Registration Facility (CPRF) available 24/7 to register, modify, or revoke preferences regarding communication categories, modes, and time slots.
In addition, access providers (entities that provide consumer access to telecom services, such as internet service providers and mobile network operators) must implement subscriber preferences within 24 hours. Customers should be informed about these procedures, and no commercial communication can be sent without recorded consent or preference compliance. There should also be a digital consent acquisition system to record consent for receiving commercial communications and unsolicited messages.
While there is a possibility of consumers becoming overwhelmed with consent requests, ensuring explicit and informed consent remains a critical aspect of data protection in the telecom sector. That is why having easy and accessible mechanisms for consent management is essential.
Securiti’s Consent Module automates consent tracking and management, simplifying the management of first-party and third-party consent and enabling organizations to obtain, record, track, and manage individuals' explicit consent.
C. Privacy Policy
Having a comprehensive and up-to-date privacy policy not only ensures regulatory compliance but also builds consumer trust, demonstrating commitment to safeguarding personal data. As per the DPDPA, any request for consent must be preceded or accompanied by a notice that should:
- use simple language to make the notice understandable (either in English or any of the 22 languages specified in the Indian Constitution);
- clearly outline the purposes for which data is being processed;
- clearly indicate the types of data being collected and specify the duration for which the data will be retained; and
- include comprehensive information about consumer rights concerning their personal data, grievance mechanisms, and how to report any misuse of their data.
It is also important to note that, as per the Telecom Consumers Complaint Redressal Regulations, 2012 (TCCRR), TSPs must publish a Citizen’s Charter detailing services, consumer rights, quality parameters, and complaint resolution mechanisms. It must be updated annually, made available in multiple languages and locations, and provided to consumers at the time of service subscription.
Securiti’s Privacy Policy and Notice Management enables organizations to rapidly build and deploy privacy notices, automate updates, and easily manage hundreds of privacy and cookie policies and notices via a unified privacy dashboard.
D. Data Principal Rights
Telecom entities must ensure that the following rights are available to consumers as per the DPDPA:
- right to access their personal data;
- right to have their personal data corrected, completed, or updated;
- right to have their personal data erased;
- right to nominate another person to exercise their data privacy rights; and
- right to have an available means of grievance redressal.
While ensuring these rights are provided to consumers, telecom entities must manage operational challenges, such as handling large volumes of requests within prescribed timeframes. Failure to do so may lead to delays, non-compliance, or consumer dissatisfaction.
Securiti’s Data Subject Rights Management solution automates handling requests like access, deletion, and correction. It streamlines request tracking, identity verification, and secure data transfer, ensuring timely compliance and reducing administrative workload.
E. Assessment
As per the DPDPA, only those telecom entities that the government has appointed as SDFs are required to conduct periodic Data Protection Impact Assessments (DPIA) outlining:
- data principals' rights;
- processing purposes; and
- assessment and management of risks to the rights of data principals.
Assessments are essential; however, they can be resource-intensive if not planned properly. That is why telecom entities should streamline the process, prioritize high-risk areas, and leverage automation tools to ensure efficient and comprehensive evaluations without overburdening resources.
Securiti’s Assessment solution helps organizations evaluate their internal protocols, ensuring the necessary technical and organizational measures are in place to prevent human errors.
A. Framework for Commercial Communication
As per the TCCCPR, unregistered entities are prohibited from sending unsolicited commercial communication, and TSPs must take measures to detect and block such messages. They must allow subscribers to set communication preferences and establish systems to:
- record and manage subscriber consent;
- identify senders using digital signatures;
- detect and act against unsolicited commercial communication;
- deploy honeypots (trap systems) to collect data on spam activities;
- exchange data with similar systems from other providers;
- analyze complaints and network data to detect suspicious activity; and
- ensure compliance with regulatory guidelines.
Moreover, as per the Telecom Unsolicited Commercial Communications Regulations, 2007 (TUCCR), TSPs must establish a mechanism to register numbers on the National Do Not Call Register, maintain a Private Do Not Call List, offer free registration to new subscribers, verify requests within 10 days, and update the National Register. All information disclosed and entered in the Do Not Call lists must remain confidential. By implementing these measures, telecom companies can effectively reduce spam and protect consumers from unsolicited communications.
B. Grievance Resolution Framework
The Telecom Act mandates an online grievance redressal system and establishes an online dispute resolution (ODR) mechanism for resolving disputes between consumers and telecom providers. This is coupled with the requirement of appointing a Grievance Officer given in the DPDPA and setting up a Complaint Centre as mandated by the Telecom Consumers Complaint Redressal Regulations, 2012 (TCCRR).
Moreover, there are additional requirements related to spam messages. Under the TCCCPR, TSPs must:
- offer a 24/7 complaint service for spam messages;
- acknowledge complaints within 15 minutes with a reference number, and provide guidance if complaints are incomplete; and
- maintain daily logs, submit reports to the relevant authority, while ensuring data security.
It is essential to ensure that the framework is well-structured, efficient, and sufficiently resourced to handle grievances in a timely and effective manner. Otherwise, it can be ineffective, erode trust, and lead to further dissatisfaction and potential legal challenges.
C. Codes of Practice
As per the TCCCPR, Codes of Practice (CoP) should be implemented to ensure standardized procedures for various aspects of telecom operations. These include guidelines for entities within the telecom ecosystem on managing consumer preferences, handling complaints effectively, detecting unsolicited commercial communication, and reporting such violations. The CoP helps create a structured framework that ensures compliance with regulatory requirements while protecting consumer rights and preventing spam or fraudulent communications.
While codes of practice offer valuable guidance, they may need to be adapted to specific business contexts, which can be time-consuming and challenging. Thus, telecom entities should ensure that they are regularly reviewed and updated to reflect the latest regulatory changes and industry trends.
Securiti’s Data Governance provides a unified approach to managing data assets, ensuring compliance, security, and data quality across the organization. It automates policies, access controls, and data lifecycle management, enabling transparent, accountable, and consistent data practices aligned with regulatory standards.
India's telecom sector is witnessing increasing regulatory focus on AI. As highlighted in a report by the Data Security Council of India (DSCI), the adoption of Generative AI in cybersecurity is accelerating, with 35-40% of security providers already integrating AI-driven solutions. However, concerns around data privacy, model bias, and regulatory compliance remain key challenges, with 82% of organizations citing data privacy risks as a primary concern.
While India lacks a dedicated AI law, the government is exploring AI governance through policy initiatives such as the National Strategy on AI (NSAI) and the Responsible AI Guidelines, which emphasize accountability, transparency, and risk mitigation. Meanwhile, initiatives like INDIAai, launched by the Ministry of Electronics and Information Technology (MeitY), aim to create a structured roadmap for AI innovation. Thus, the government may introduce stricter compliance requirements, including those for telecom operators using AI in network management, fraud detection, and customer service automation.
Securiti's AI Security & Governance module protects AI systems by managing data security, privacy, and compliance, ensuring safe and ethical AI operations.
How Securiti Can Help
Securiti can help telecom providers, telemarketers, and other businesses navigate and comply with data regulations in India’s telecom sector by automating key compliance processes. Securiti’s AI-powered data governance solution enables organizations to monitor and manage consumer consent effectively, ensuring that promotional messages are sent only to those who have opted in.
Data intelligence tools can help telecom providers analyze call and SMS patterns to detect and prevent spam, while automated workflows streamline complaint handling and reporting obligations. Additionally, data privacy and data security automation solutions assist in maintaining consent, creating comprehensive records of consumer preferences, ensuring compliance with opt-out mandates and retention policies. By leveraging AI-driven compliance management, organizations can reduce regulatory risks, avoid penalties, and enhance consumer trust in their communication practices.
Request a demo to witness Securiti in action.