DPDPA-Compliant CRM for India — What You Need in 2026

India's Digital Personal Data Protection Act 2023 passed in August and covers all businesses processing personal data of Indian residents, regardless of company size. If you store a contact's name, mobile number, or email address in a CRM, DPDPA applies to your business. There is no SMB exemption.

Key principles that directly affect CRM use: (1) Lawful purpose — you must have a valid reason (consent or legitimate interest) to store a contact in your CRM. (2) Data minimisation — only collect fields you actually need for your stated purpose. (3) Purpose limitation — if a lead gave you their number for a product inquiry, you cannot use it for an unrelated marketing campaign without fresh consent. (4) Storage limitation — don't keep leads forever if they haven't engaged in years. (5) Accountability — you must be able to demonstrate compliance if audited. This is not theoretical — the Data Protection Board started accepting complaints after the Act came into force. Review your privacy policy to ensure it discloses your CRM use and data retention practices.

The practical consequence for Indian sales teams: the days of building a CRM database from scraped contacts, purchased lists, or business card dumps without consent are over. DPDPA requires documented consent at the point of data collection — and a CRM that cannot store and demonstrate that consent is a liability, not an asset.

DPDPA is not a vague aspiration — it maps specific rights and obligations to specific technical requirements. Here are the seven capabilities a DPDPA-compliant CRM must have, with the relevant DPDPA section for each:

(1) Consent logging (Section 6) — every consent must be captured, timestamped, and linked to the specific purpose. (2) Opt-out automation (Section 6(5)) — contacts must be able to withdraw consent at any time and opt-outs must be honoured immediately. (3) Data export for subject access requests (Section 11) — contacts have the right to know what data you hold about them. (4) Data erasure (Section 17) — contacts have the right to request permanent deletion of their personal data. (5) Role-based access controls (security safeguards rule) — access to personal data must be restricted to employees with a legitimate need. (6) Data retention controls (storage limitation principle) — personal data cannot be kept indefinitely without justification. (7) Audit log (accountability principle) — access, export, and modification of personal data must be logged with user and timestamp. For a full breakdown of how HelloGrowthCRM handles WhatsApp CRM compliance, see our dedicated compliance page.

In a CRM, personal data is broader than most teams expect. It includes: mobile numbers, email addresses, names, job titles, physical addresses, conversation history (WhatsApp threads, call recordings, email threads), lead scores, and behavioural data (email opens, link clicks, website visits tracked against a known contact). DPDPA applies to all of this data if it can be linked to an identifiable individual.

The practical implication: your CRM is a personal data processing system, and every action it takes on contact data — storage, analysis, export, broadcast — is governed by DPDPA. Your data processing must be covered by a proper Data Processing Agreement with HelloGrowthCRM as your Data Processor. Every WhatsApp message stored in a lead timeline is personal data. Call recordings are particularly sensitive — store only what is necessary for your business purpose, with clear retention limits. Access our full WhatsApp CRM features guide to understand how conversation data is stored and managed.

Pure company-level firmographic data — company name, registered address, GST number, company website — is generally not personal data under DPDPA and is not subject to the same consent and erasure rules. The practical challenge for most Indian CRMs: they contain a mix of both, and the personal and firmographic data is often intertwined in the same contact record.

DPDPA Section 6 defines valid consent as: freely given, specific, informed, and unambiguous. This rules out several common practices that Indian businesses have historically relied on. What does NOT count as consent: pre-ticked checkboxes on web forms, bundled consent buried in general Terms and Conditions, implied consent from a business card exchange at a trade fair, or assumed consent because someone called your business inquiry number.

What DOES count as valid consent: a clear, standalone opt-in checkbox on a web form that says exactly what the contact is consenting to (e.g., "I consent to receive product updates and marketing communications from [Company Name]"), a click-to-WhatsApp interaction where the contact initiates contact and your first message includes a clear consent confirmation, or a verbal consent that is immediately documented in the CRM record with date, source, and the specific purpose consented to. HelloGrowthCRM's consent fields let you record how and when consent was obtained for every contact — so if challenged by the Data Protection Board or by the contact themselves, you have documented evidence that meets DPDPA's standard. For further reading, see our WhatsApp compliance guide.

For most Indian SMBs, DPDPA compliance with a CRM comes down to seven practical steps: (1) Review all web forms — add WhatsApp and email marketing opt-in checkboxes that clearly state the purpose. (2) Update your privacy policy to disclose CRM use, data retention periods, and contact information for data subject requests. (3) Sign a Data Processing Agreement with HelloGrowthCRM — request via hello@hellogrowthcrm.com. (4) Configure data retention settings in HelloGrowthCRM — archive leads inactive for 2+ years. (5) Test your opt-out flow — send a test broadcast and verify the opt-out link works and correctly updates the CRM record.

(6) Identify who is your Data Protection Officer or compliance contact — even if it is the founder, have a named person responsible for DPDPA obligations. (7) Check if you need to register with the Data Protection Board as a Significant Data Fiduciary — this applies to businesses processing large volumes of sensitive personal data at scale, and specific thresholds will be defined in future rules. For most Indian SMBs and mid-market businesses, completing steps 1–6 provides a defensible compliance posture against the most likely regulatory scrutiny. For WhatsApp-specific compliance, including opt-out templates and consent message examples, see our dedicated guide.