Sector-wise readiness
Telecom and ISPs: retention pulls both ways
A misconception I keep seeing when telecom and ISP teams read DPDP checklists: "we already retain everything the licence requires, so DPDP retention is handled."
It is the opposite problem. DPDP does not ask you to retain. It asks you to erase when the purpose ends. Your licence and lawful interception duties ask you to keep. Those two pull in opposite directions, and the reconciliation between them is exactly what an auditor will want to see on paper.
What applies from the start, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
What telecom carries because of the data it holds
- ✅ Subscriber, CDR and location security. Encrypt call records, location data and subscriber records, and tightly control access to them. This is population-scale, sensitive data, and it is a day-one duty.
- ✅ A controlled process for government information requests, including any non-disclosure direction that comes with them.
- ✅ Retention reconciliation. This is the one that trips teams up. Where you keep data past the DPDP purpose, the lawful hook is the Rule 8(3) proviso (retention where another law requires it), and you must document the basis for each retained dataset. It is not a blanket "telecom keeps everything" assumption.
What may not apply yet, and stays separate
- ❌ SDF duties: annual DPIA, independent audit, algorithmic due diligence. Population scale and sensitive location data make telecom a strong case to assess, but these attach only once the Central Government notifies you as a Significant Data Fiduciary. Scale alone does not make you one.
The better question
The better question is not "does telecom have to retain this?"
It is "for each dataset I keep, can I point to the specific law that requires it, and erase the rest?"
Law creates obligations. Scale and risk influence implementation. But the retention reconciliation is a day-one discipline. You cannot wait for a notification to start documenting why you hold what you hold.
If you work in telecom, how clean is your dataset-by-dataset retention basis? Drop it in the comments.