GDPR, DLT & Messaging Compliance: What Your Business Must Know

Modern business messaging almost always involves handling personal data. This brings your organization under the scope of data protection and telecom laws.

• In the EU and UK, the key regimes are GDPR (General Data Protection Regulation), UK GDPR, and the e-privacy rules (such as PECR in the UK).
• In India, the telecom-specific DLT (Distributed Ledger Technology) rules issued by the Telecom Regulatory Authority of India (TRAI) apply.

This guide explains the essentials and provides a practical compliance checklist to help you send messages at scale—while staying within the law.

Whenever you send SMS WhatsApp messages, RCS (Rich Communication Services), or automated voice alerts to real people, you must manage compliance across four areas:

1. Lawful Basis & Channel Rules

• GDPR Requirement: You must have a lawful basis to process personal data (e.g., consent, contract, or legitimate interest).
• E-privacy / PECR (EU/UK): Defines how consent must be obtained for marketing messages.
• DLT (India): Requires strict adherence to telecom rules on consent and sender identity.
  • (Source: European Commission, ICO)

2.Identity & Template Control

• Many jurisdictions require businesses to register their sender identity.
• In some cases (e.g., India’s DLT), pre-approval of message templates is mandatory before messages are sent.
  • (Source: Telecom Regulatory Authority of India)

3.User Choice & Rights

• Customers must be able to:
  • Opt in (consent to receive messages).
  • Opt out (unsubscribe from messages).
  • Exercise data rights (access, correction, deletion, objection, etc.).
• These requests must be easy to perform and honored promptly.
  • (Source: ICO)

4. Security, Retention & Accountability

• Personal data must be protected with appropriate security controls.
• Data should only be kept for as long as necessary.
• Organizations must document processing activities and be accountable for compliance.
  • (Source: GDPR)

Messaging compliance is not only about sending messages; it requires a lawful basis, identity checks, user rights, and secure handling of personal data.

1. Controllers, Processors & Roles

• Controller: Your organization, which decides why and how customer contact details and campaigns are used.
• Processor: Your messaging vendors, who act only on your instructions.

Key Legal Requirements (GDPR):

1. You must sign a Data Processing Agreement (Article 28) with each processor.
2. You must keep a Record of Processing Activities (Article 30).

2. Lawful Bases You’ll Actually Use

Under GDPR, you must have a valid lawful basis for processing personal data when sending messages. In practice, messaging teams typically rely on three:

• Consent
  • Most common for promotional SMS/OTT channels in the EU and UK.
  • Required because channel-specific rules mandate opt-in consent for marketing.
  • (Source: ICO)
• Contract
  • Applies to service-related messages strictly necessary for fulfilling a contract
  • Examples: OTPs (one-time passwords), delivery updates, and other messages promised in your Terms & Conditions.
    (Source: European Commission)
• Legitimate Interests
  • May apply to some direct marketing contexts, but only if:
    • You conduct a documented three-part test (purpose, necessity, balance)
    • You still respect stricter channel rules.
  • Important: If a channel requires opt-in consent, consent always overrides legitimate interest.
  • (Source: European Data Protection Board, ICO)

While multiple bases exist, consent dominates marketing channels, contract supports essential service messages, and legitimate interests require careful testing and documentation.

3. Core GDPR Principles to Build into Messaging Workflows (Article 5)

Every messaging workflow must embed these data protection principles:

• Data Minimization → Store only the data required to send the message.
• Purpose Limitation → Do not reuse numbers collected for OTPs to send promotional campaigns without fresh consent.
• Accuracy → Keep phone numbers current; suppress invalid contacts, bounces, and opt-outs
• Storage Limitation → Define retention periods (e.g., keep campaign logs for a set number of months).
• Security & Accountability → Use encryption in transit, enforce access controls, and maintain audit logs.
  • (Source: GDPR, ICO)

Practical Tip: Think of these as the “golden rules” to integrate directly into your CRM and campaign tools.

4. Security Expectations (Article 32)

GDPR sets out specific security obligations for messaging data:

Measures You Should Implement

• Strong authentication for systems and users.
• Role-based access controls to limit data exposure.
• Encryption at rest and in transit.
• Centralized logging and monitoring.
• Clear incident response playbooks.

If a Breach Occurs

1. Assess whether you must notify regulators (Article 33).
2. If risk to individuals is high, notify affected users as well (Article 34).

(Source: GDPR, European Data Protection Board)

Summary: Security isn’t optional—your choices must be documented, tested, and defensible if regulators ask.

5. International Transfers

When transferring EU/UK personal data outside the European Economic Area (EEA) or the UK, you must use approved safeguards:

• Standard Contractual Clauses (SCCs) → EU-approved legal mechanism.
• IDTA (International Data Transfer Agreement) or UK Addendum → For UK-based transfers.
• Always perform a Transfer Risk Assessment to ensure protections are equivalent.

(Source: European Commission, ICO)

Example: If your messaging vendor routes SMS through a U.S. data center, you must sign SCCs and document the risk assessment.

While GDPR sets the privacy foundation, electronic marketing in the EU and UK is specifically governed by the EU e-Privacy Directive and national laws such as the UK’s PECR (Privacy and Electronic Communications Regulations).

1. General Rule: Opt-In is Mandatory

• You generally need prior opt-in consent before sending marketing messages via SMS, MMS, or OTT (e.g., WhatsApp-style apps).

Consent must be freely given, specific, informed, and unambiguous.

2. The “Soft Opt-In” Exception

• In limited cases, you may send messages without fresh opt-in if:
  • The number was collected during a prior sale.
  • The messages relate to your own similar products or services.
  • You provided an opt-out at the time of collection.
  • Every message still contains an easy opt-out option.
• Important: Always verify local implementation—rules differ across EU member states.

3.Legitimate Interests and Objections

• Even if you rely on legitimate interests, individuals have an absolute right to object.
• Once someone opts out, you must stop immediately.
  • (Source: ICO)

4. Operational Requirements

To stay compliant in day-to-day operations:

• Maintain separate consent flags per channel (SMS vs. WhatsApp vs. email).
• Capture and store evidence of consent: time stamp, source, and method.
• Include a clear opt-out instruction in every marketing message.
• Ensure opt-out requests are processed immediately.
  • (Source: ICO)

In the EU/UK, electronic marketing = consent first. Exceptions are narrow, and operational discipline in managing opt-ins/opt-outs is critical.

India regulates commercial messaging under TRAI’s TCCCPR 2018 and later amendments. The regime uses Distributed Ledger Technology (DLT) to bring transparency and prevent spam. Businesses must register on operator-led DLT platforms before sending any SMS campaigns.

1. Mandatory Registrations Before Sending

Every business must complete these registrations:

• Principal Entity (PE) Registration → Your business must register as the primary sender entity.
• Header (Sender ID) Registration → Register your chosen 11-character alphanumeric sender ID.
• Content Template Registration →
  • Promotional
  • Service (informational or transactional)
  • Transactional
  • Government
• Consent Capture and Registration →
  • Customer consent must be captured and logged.
  • Operators maintain consent registries and perform scrubbing (removing numbers without consent).

(Source: Telecom Regulatory Authority of India)

Example: If an e-commerce company in India wants to send delivery updates, it must first register as a Principal Entity, create a sender ID like SHOP123INFO, and register a service template describing the update format.

Summary: In India, compliance = register first, send later. Without DLT approvals, your SMS traffic will be blocked.

2. Template Control and CTA Whitelisting

India’s DLT framework requires all businesses to use pre-approved message templates.

• Template Approval
  • Every SMS must follow a registered template.
  • Variables (e.g., customer name, OTP code) must stay within the approved format.
• CTA (Call-to-Action) Whitelisting
  • Links, phone numbers, and app package names included in messages often need separate whitelisting.
  • This process reduces phishing and fraud risks.
  • (Source: msg91.com)

Example: If your promotional SMS includes a payment link, that specific domain must be whitelisted in advance.

Summary: Pre-approval ensures templates are consistent and CTAs are safe from misuse.

3. Time Bands and DND (Do Not Disturb)

India enforces strict rules around when and to whom messages can be sent:

• Time Restrictions
  • Promotional SMS → Allowed only between 9:00 a.m. and 9:00 p.m. IST.
  • Attempts outside this window are automatically blocked.
  • Transactional and Service Messages → Permitted 24×7, including OTPs and critical alerts.
• DND Compliance
  • Customers who register their numbers under Do Not Disturb (DND) must not receive promotional SMS.
  • Complaints are managed via:
    • The DND helpline (1909)
    • Official DND mobile apps
  • (Sources: support.telesign.com, smscountry.com, The Times of India)

Example: A retail brand cannot send “SALE ALERT” texts at 10:30 p.m. If attempted, the operator blocks it at the network level.

Summary: Respecting time bands and DND preferences is critical to avoid blocks, complaints, and penalties.

4. Stronger Enforcement (2025 Updates)

In 2025, TRAI introduced stricter amendments to the DLT framework, designed to fight spam more aggressively. Key enhancements include:

• Tougher Anti-Spam Measures → Increased monitoring of suspicious traffic.
• Higher Penalties → Heavier fines for repeated violations.
• Faster Complaint Resolution → Operators and platforms must address complaints within shorter timelines.
• Clearer Accountability → Defined responsibilities for both senders (businesses) and access providers (operators).

(Sources: Press Information Bureau, Telecom Regulatory Authority of India)

Summary: Expect tighter checks, faster penalties, and reduced tolerance for gray practices under the new 2025 rules.

Different message types have different compliance requirements. Below are the three most common categories, with rules for both EU/UK and India, plus practical best practices.

1.One-Time Passwords (OTPs) and Security Alerts

• EU/UK Legal Basis
  • Contract or Legitimate Interest (security).
  • Consent is not required for security-critical alerts.
• India (DLT Rules)
  • Use Transactional or Service templates.
  • Register header and template in advance.
  • Can be sent 24×7 without restriction.
• Best Practices
  • Apply short data retention (don’t keep OTPs longer than necessary).
  • Rate-limit message frequency to prevent abuse.
  • Protect APIs with multi-factor authentication (MFA) for API keys.

(Sources: GDPR, Telecom Regulatory Authority of India)

Summary: Security messages bypass marketing consent but must be tightly secured and short-lived.

2. Order Confirmations, Delivery Updates, Appointment Reminders

• EU/UK Legal Basis
  • Contract or Legitimate Interests, but only if strictly necessary for the promised service.
• India (DLT Rules)
  • Use Service or Transactional templates.
  • No promotional content is allowed inside service messages.
• Best Practices
  • Keep messages factual and precise.
  • Avoid cross-selling or promotional add-ons unless you have separate marketing consent.

(Sources: ICO, Telecom Regulatory Authority of India)

Summary: Service updates are permitted but must not be “disguised marketing.”

3. Promotional Campaigns and Re-Engagement

• EU/UK Rules
  • Require opt-in consent for SMS/OTT marketing.
  • Every message must include a clear opt-out option.
  • The “soft opt-in” exception may apply to existing customers if:
    • The product/service promoted is similar to the original purchase.
    • An opt-out was offered at the collection.
    • Each message includes an opt-out.
• India (DLT Rules)
  • Use Promotional templates and registered promotional headers.
  • Messages must be sent only within the daytime window (9:00 a.m. – 9:00 p.m. IST).
  • Numbers are checked against DND registries, and non-consenting users are filtered (“scrubbing”).
  • Opt-out handling must follow operator-managed flows.
• Best Practices
  • Segment marketing lists to respect consent status.
  • Monitor opt-out logs regularly.
  • Align campaigns with local rules to avoid blocking.

Summary: Marketing messages require strict consent and operational discipline—get opt-ins, honor opt-outs, and follow time/DND rules.

Strong data governance is the backbone of compliant messaging. It ensures that personal data is collected, stored, used, and transferred responsibly. Below are the four pillars every messaging team should implement.

1. Consent and Preference Records

• What to Store
  • Who gave consent (identity).
  • When consent was collected (time stamp).
  • Where it was collected (channel, platform).
  • How it was collected (checkbox, form, app prompt).
  • Keep verifiable proof of consent.
• Granularity
  • Maintain per-channel consent flags (SMS, WhatsApp, email, push).
  • Support topic-level preferences (e.g., “offers” vs. “product updates”).
• Suppression Lists
  • Sync opt-out/suppression lists across all tools to prevent accidental re-targeting. (Source: ICO)
    Example: A user opts out of SMS offers but keeps email notifications. Your system should respect this split without errors.

Summary: Detailed records + synced preferences = reduced complaint risk.

6.2 Security and Access

• Access Control
  • Restrict access to contact data and campaign logs strictly on a need-to-know basis.
• Technical Safeguards
  • Encrypt data in transit (TLS) and at rest (AES-256 or similar).
  • Rotate API keys regularly.
  • Maintain detailed access logs.
• Testing & Preparedness
  • Run incident response simulations to ensure readiness for breaches.
  • (Source: GDPR)

Summary: Limit who can see data, protect it everywhere, and test your defenses.

3. Retention and Minimization

• Retention by Purpose
  • Define retention windows clearly.
  • Example: 90–180 days for delivery logs unless a legal/regulatory requirement demands longer storage.
• Automatic Purging
  • Purge expired content and metadata systematically.
  • Use automated scripts or vendor features to avoid human error.
  • (Source: GDPR)

Analogy: Treat data like perishable goods—keep only what you need, discard the rest.

Summary: Minimize storage to minimize risk.

4. International Transfers

• When It Applies
  
  • If your tools or storage are located outside the EEA/UK, transfers are in play.
• Safeguards
  • Use Standard Contractual Clauses (SCCs) in the EU.
  • Use the International Data Transfer Agreement (IDTA) or UK Addendum for UK transfers.
  • Perform and document a Transfer Risk Assessment (TRA).
• Recordkeeping
  • Keep copies of agreements and risk assessments on file for audits.
  • (Sources: European Commission, ICO)

Cross-border data flows require legal scaffolding—always have SCCs/IDTA plus a documented risk assessment.

Designing compliant messaging isn’t just about one law—it’s about aligning your entire workflow with GDPR, e-privacy/PECR, and India’s DLT rules. Below is a six-step framework that applies across both regions.

Step 1 — Map Your Messages

• List every type of message you send.
• Note the channel (SMS, WhatsApp-style, email, voice).
• Define the purpose (marketing, service update, security).
• Identify the data fields used (phone number, name, order ID).

Example: “SMS: OTP for login → Purpose: Security → Data fields: Phone number + OTP code.”

Step 2 — Assign Lawful Basis and Channel Rule

• EU/UK
  • Choose between Consent, Contract, or Legitimate Interest.
  • If sending marketing SMS/OTT, plan for:
    • Opt-in collection.
    • Clear opt-out in every message.
• India
  • Select the correct DLT template category:
    • Promotional
    • Service
    • Transactional
    • Government

(Sources: ICO, Telecom Regulatory Authority of India)

Step 3 — Build Consent UX (Where Needed)

• Use unticked boxes (never pre-checked).
• Keep language plain and simple.
• Do not bundle consent with unrelated terms.
• Capture:
  • Time stamp
  • Source of collection
  • Proof of choice
• Offer a no-marketing alternative so declining consent does not block service.(Source: DMA)

Example: A food delivery app allows users to create an account without ticking “Receive special offers.”

Step 4 — Register What India Requires (If Messaging Indian Numbers)

On India’s DLT portal, businesses must:

1. Register as a Principal Entity (PE).
2. Register Headers (Sender IDs).
3. Register Templates (by category).
4. Register Consent records.
5. Link your telemarketer (TSP).
6. Whitelist CTAs such as URLs or app package names.
   (Sources: Telecom Regulatory Authority of India, msg91.com)

Step 5 — Add Compliance Controls to Your Send Pipeline

• Pre-Send Suppression Checks
  • DND list filtering (India).
  • Opt-out list filtering (Global).
  • Quiet hours enforcement (India promotional SMS).
• Sender and Link Controls
  • Use only approved headers.
  • Send only whitelisted URLs/CTAs in India.(Sources: smscountry.com, msg91.com)

Example: Before a campaign launches, the system checks that all recipients are non-DND and that links match the approved whitelist.

Step 6 — Document and Train

• Documentation
  • Maintain your Record of Processing Activities (RoPA).
  • Keep Data Processing Agreements (DPAs) with vendors.
  • Ensure transfer tools (SCCs, IDTA) are up to date.
• Training
  • Educate support and marketing teams on:
    • Data rights.
    • Handling opt-outs.
    • Responding to complaints.

(Source: GDPR)

Summary: A compliant flow = map messages → assign lawful basis → build consent UX → register (India) → enforce pipeline checks → document and train.

Messaging compliance failures are common—but avoidable. Below are the most frequent mistakes, why they matter, and how to prevent them.

Pitfall 1: Using OTP or Service Templates to Sneak in Promotions

• Why It’s a Problem: Mixing promotional content into service/transactional templates violates DLT rules. Operators block such traffic, and regulators may impose penalties.

How to Avoid: Keep transactional and promotional content separate. Use the correct template and header for each type.
(Source: Telecom Regulatory Authority of India)

Pitfall 2: No Proof of Consent for Marketing SMS

• Why It’s a Problem: Without a consent trail, you cannot prove compliance if challenged by regulators or customers.
• How to Avoid: Store detailed consent records: page/screen where consent was given, exact wording shown, time stamp, and user action.
  (Source: ICO)

Pitfall 3: Missing Opt-Out in Marketing Messages

• Why It’s a Problem: Opt-outs are legally required in both EU/UK (PECR/GDPR) and India. Missing them can lead to enforcement action and customer complaints.
• How to Avoid: Include a clear opt-out instruction in every promotional SMS and make it functional (e.g., “Reply STOP”).
  (Sources: ICO, Securiti)

Pitfall 4: Sending Indian Promotions Outside Allowed Time Band

• Why It’s a Problem: India enforces 9:00 a.m. – 9:00 p.m. IST limits for promotional SMS. Messages outside this window are blocked automatically.
• How to Avoid: Enforce quiet-hour controls in your send pipeline to prevent after-hours campaigns.
  (Source: smscountry.com)

Pitfall 5: Using Unregistered Headers/Templates in India

• Why It’s a Problem: Messages sent with unregistered IDs or templates are rejected by operators under DLT.
• How to Avoid: Always register headers and templates in advance before launching campaigns.
  (Source: Telecom Regulatory Authority of India)

Pitfall 6: Under-Estimating Security Requirements

• Why It’s a Problem: GDPR’s Article 32 requires “appropriate technical and organizational measures.” Poor documentation or weak controls increase breach risk and liability.
• How to Avoid: Implement and document strong security: encryption at rest/in transit, access controls, key rotation, and incident response drills.
  (Source: GDPR)

Most compliance failures come from shortcuts—skipping consent proof, reusing wrong templates, ignoring time rules, or underplaying security. By embedding safeguards into workflows, teams can prevent costly mistakes

The table below maps message categories to their lawful basis in the EU/UK, the matching DLT category in India, and key notes for compliance.

Always match the right lawful basis with the correct DLT category. Promotional traffic has the strictest conditions.

Use this checklist to self-audit your messaging setup.

Governance

• Identify controller and processor roles; sign Data Processing Agreements (Art. 28). (GDPR)
• Maintain a Record of Processing Activities (RoPA, Art. 30). (GDPR)
• Define data retention policies for contact data and logs (Art. 5). (GDPR)

Consent & Channel Rules

• Capture explicit opt-in for EU/UK marketing SMS/OTT and log proof.
• If relying on soft opt-in, confirm conditions are met; always include opt-out. (ICO)
• Provide a simple opt-out mechanism and honor objections immediately. (ICO)

India (DLT Rules)

• Register Principal Entity (PE), headers, templates, and consents.
• Whitelist CTAs/links where required. (msg91.com)
• Enforce 9 a.m.–9 p.m. IST window for promotional SMS.
• Apply DND scrubbing for registered numbers. (TRAI, smscountry.com)

Security

• Apply encryption in transit and at rest.
• Rotate API keys and enforce role-based access control (RBAC).
• Log all data access and run incident response drills.
• Document Article 32 security measures. (GDPR)

International Transfers

• Use Standard Contractual Clauses (EU) or IDTA/Addendum (UK).
• Complete and record Transfer Risk Assessments (TRA/TIA). (European Commission, ICO)

Summary: This checklist covers governance, consent, DLT compliance, security, and international transfers—ensuring your messaging is defensible across audits and regulatory reviews.