Why the DPDP Act matters for HR
India's Digital Personal Data Protection Act, 2023 (DPDP Act) is the country's first comprehensive data privacy law, and its impact on human resources operations is profound. HR departments routinely handle some of the most sensitive personal data in any organisation: Aadhaar numbers, PAN details, salary information, medical records, background verification reports, and biometric attendance logs. The Act applies to personal data held in digital form, including paper records that are later digitised, so in practice almost everything an HR function holds is "digital personal data" subject to its processing rules. The penalty schedule runs up to ₹250 crore per instance of non-compliance (the top band is for failing to maintain reasonable security safeguards), which makes this a board-level priority rather than a back-office checkbox.
The Act introduces the concept of a "Data Fiduciary", the entity that determines the purpose and means of processing personal data. For most companies, this means the employer itself is the Data Fiduciary for employee and candidate data. Vendors that process that data on the employer's instructions, such as an applicant tracking system, a payroll provider or a background-check agency, are "Data Processors", and the Act keeps the fiduciary responsible for what they do with the data. The law also establishes the "Data Principal", the individual whose data is being processed, and grants them clear rights including the right to access, correct, and erase their personal data, and to have grievances heard. HR teams must understand these roles because they translate directly into operational obligations: you need a lawful ground for every piece of data you collect, and you must honour data principal requests within the timelines set by the rules.
Consent and purpose limitation in recruitment
One of the most immediate changes HR teams will notice is around consent during recruitment. The Act's standard for consent is that it be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it must be as easy to withdraw as it was to give. Collecting a candidate's resume, running background checks, or storing interview recordings therefore needs that kind of consent, or another lawful ground. The Act does list processing "for the purposes of employment" among its "legitimate uses" that do not need consent, but whether that covers people who have only applied and are not yet employees is not settled, so consent remains the safer basis for recruitment data. Generic statements like "by applying, you agree to our terms" are unlikely to pass muster. Instead, you need to tell candidates exactly what data you are collecting, why you are collecting it, and how long you will retain it. If you plan to use AI-powered tools for resume screening or video interview analysis, this must be explicitly disclosed. Platforms like Workro are already designed with consent capture built into the application flow, making it simpler to demonstrate compliance during audits.
Purpose limitation is equally important. If a candidate applies for a software engineer role, you cannot repurpose their data for marketing campaigns or share it with unrelated group companies without obtaining fresh consent. This means HR teams need to audit their existing data flows, especially if resumes are stored in shared drives accessible across departments, or if candidate data is being used to train internal AI models. The Act requires that personal data be erased once the purpose it was collected for is no longer being served, or when consent is withdrawn, unless retention is needed to comply with another law. So rejected candidates' data cannot be retained indefinitely "just in case" a future role opens up. The Act itself fixes no number of days; a common practitioner convention is 6 to 12 months post-rejection, disclosed to the candidate at the time of collection and then applied consistently, with records under a statutory retention requirement treated as the only exception.
Employee data lifecycle management
Beyond recruitment, the DPDP Act affects the entire employee data lifecycle. From onboarding documents and payroll processing to performance reviews and exit formalities, every stage involves personal data that must be handled according to the law. HR teams should conduct a data mapping exercise, cataloguing every type of personal data collected, where it is stored, who has access, which processors receive it, and what the legal basis for processing is. This exercise often reveals surprising data sprawl: employee details in spreadsheets on personal laptops, old HRIS systems that no one has audited in years, or WhatsApp groups where sensitive documents are shared casually. The Act requires reasonable security safeguards for all personal data and notification of a personal data breach to the Data Protection Board and to the affected individuals, and the highest penalty band attaches to missing safeguards. Demonstrating that they exist requires proper documentation, which the data map provides.
Practical steps for compliance
Start with these five actions: First, name an internal owner for HR data compliance. Under the Act a Data Protection Officer is mandatory only for organisations the government notifies as Significant Data Fiduciaries, but every Data Fiduciary must publish the contact details of a person who can answer data principals' questions, so an accountable owner is needed either way. Second, update your privacy notices for both candidates and employees to meet DPDP Act requirements: they must be clear, specific, and in plain language. Third, implement consent management workflows in your recruitment and HRIS systems, including a withdrawal path that is as easy as giving consent. Fourth, establish data retention schedules with automated deletion for recruitment data, and enforce them rigorously. Fifth, train your HR team on data handling best practices; mis-sent emails and casual file sharing cause more incidents in HR than sophisticated cyberattacks. Using recruitment platforms that are built with privacy by design, such as Workro, significantly reduces the compliance burden by centralising candidate data, enforcing access controls, and maintaining audit trails automatically.
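The following is an added worked example of the fourth action above (a retention schedule with automated deletion) combined with the purpose-limitation rule from the recruitment section. It is not code from this page and not part of Workro's product. It assumes an applicant tracking system can export candidate records with the fields shown, and the dataset, the field names, the 180-day retention value and the audit-log key are all constructed, illustrative assumptions rather than anything the DPDP Act prescribes.

```python
"""Retention and purpose-limitation enforcer for recruitment data.

Added example, not code from the page or from Workro. Assumes an ATS
export shaped like SAMPLE_RECORDS (a constructed dataset). The status
names, the retention periods and the audit key are illustrative.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac

# Retention disclosed to the candidate at collection time, keyed by outcome.
# The Act fixes no number; 180 days is an assumed policy value. None means
# the purpose is still live, so no retention clock is running.
RETENTION_DAYS = {
    "rejected": 180,     # purpose fulfilled when the candidate is rejected
    "withdrawn": 0,      # consent withdrawn: erase without delay
    "hired": None,       # record moves to the employee lifecycle
    "in_process": None,  # recruitment purpose still being served
}

# Constructed key for pseudonymising ids in the audit trail. In production
# this comes from a secrets store; never hard-code it.
AUDIT_KEY = b"constructed-demo-key-rotate-me"


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    consented_purposes: frozenset   # purposes named in the consent notice
    status: str                     # rejected | withdrawn | hired | in_process
    status_date: date               # when the status was reached
    legal_hold: bool = False        # another law requires retention


def check_purpose(cand, purpose):
    """Purpose limitation: refuse any use the candidate never consented to."""
    if purpose not in cand.consented_purposes:
        raise PermissionError(
            f"{cand.candidate_id}: no consent for {purpose!r}; obtain fresh consent"
        )
    return True


def deletion_due_date(cand):
    """Date on which the disclosed retention period for this record ends, or None."""
    days = RETENTION_DAYS.get(cand.status)
    if days is None:
        return None
    return cand.status_date + timedelta(days=days)


def due_for_deletion(cands, today):
    """Records whose retention clock has run out and that carry no legal hold."""
    return [
        c for c in cands
        if (due := deletion_due_date(c)) is not None
        and due <= today and not c.legal_hold
    ]


def _pseudonym(candidate_id):
    # Keyed hash so the audit trail proves an erasure without re-identifying anyone.
    return hmac.new(AUDIT_KEY, candidate_id.encode(), hashlib.sha256).hexdigest()[:16]


def enforce_retention(cands, today):
    """Apply the schedule. Returns (records kept, audit entries for erasures)."""
    kept, audit = [], []
    due_ids = {c.candidate_id for c in due_for_deletion(cands, today)}
    for c in cands:
        if c.candidate_id in due_ids:
            audit.append({
                "subject": _pseudonym(c.candidate_id),
                "action": "erased",
                "rule": f"{c.status}:{RETENTION_DAYS[c.status]}d",
                "status_date": c.status_date.isoformat(),
                "erased_on": today.isoformat(),
            })
        else:
            kept.append(c)
    return kept, audit


# Constructed sample export; ids and dates are invented.
RECRUIT = frozenset({"recruitment"})
SAMPLE_RECORDS = [
    Candidate("c1", RECRUIT, "rejected", date(2024, 1, 10)),            # due 2024-07-08
    Candidate("c2", RECRUIT, "rejected", date(2023, 12, 1)),            # due 2024-05-29
    Candidate("c3", RECRUIT, "withdrawn", date(2024, 6, 30)),           # due immediately
    Candidate("c4", RECRUIT, "rejected", date(2023, 11, 1), True),      # legal hold
    Candidate("c5", RECRUIT, "hired", date(2024, 3, 15)),               # employee now
    Candidate("c6", RECRUIT, "in_process", date(2024, 6, 1)),           # still live
]
REPORT_DATE = date(2024, 6, 30)


def run_demo():
    """Run the schedule against the sample export on REPORT_DATE."""
    kept, audit = enforce_retention(SAMPLE_RECORDS, REPORT_DATE)
    return {"kept": [c.candidate_id for c in kept], "audit": audit}


if __name__ == "__main__":
    for entry in run_demo()["audit"]:
        print(entry)
```

Two design points matter here. The retention clock starts from the date the purpose ended (rejection or withdrawal), not from the date of collection, because the Act ties erasure to the purpose no longer being served; and the legal-hold flag is the only thing that can keep a due record, mirroring the Act's carve-out for retention required by other law. The audit entry records which rule fired and when, which is the evidence an auditor will ask for, without putting the candidate's identity back into a log that outlives the record.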