With the Digital Personal Data Protection (DPDP) Act now operational and detailed rules notified, India finally has a clear framework for how organizations must handle people’s data. Over the next 12–18 months, employers are expected to align with this new reality.
For HR teams, this is not an “IT-only” change. It directly affects how you collect, store, use and share employee and candidate information at every stage of the lifecycle.
What the DPDP Act really means for HR
In simple terms, the DPDP Act is about two things:
a) Respecting people’s privacy
b) Making organizations clearly responsible for how they use personal data
It covers any digital information that can identify a person – names, emails, phone numbers, ID proofs, bank details, HR and payroll records, performance data and more. Almost every employer in India is covered.
The law expects organizations to:
a) Collect only what they genuinely need
b) Use data only for clear, lawful purposes
c) Keep it accurate and secure
d) Delete it when it’s no longer required
e) Be transparent and responsive when people ask questions or raise complaints
Your organization becomes the “data caretaker” of this information (the Act’s term is Data Fiduciary), and employees and candidates are the people (Data Principals) whose data you hold and must protect.
Why HR sits at the center of compliance
HR deals with some of the most sensitive data in the company:
Hiring: CVs, assessments, background checks
Onboarding: ID proofs, PAN, Aadhaar, bank and family details
During employment: payroll, performance, benefits, health and disciplinary records
Exit: notice letters, exit interviews, relieving and full-and-final data
All of this – whether in HRMS, payroll tools, emails or Excel – falls under the DPDP framework.
The Act recognizes that many HR activities are part of “legitimate use”, so you don’t need consent for every normal employment task. But you still must:
Inform employees clearly
Use their data only for appropriate purposes
Put strong safeguards and access controls in place
This makes HR both a guardian of employee trust and a key partner to the privacy function.
The DPO: the privacy role HR should not ignore
The law allows the government to classify larger or higher-risk organizations as “Significant Data Fiduciaries”. These entities must appoint a Data Protection Officer (DPO) and carry out impact assessments and audits. Even if you are not formally classified yet, having a DPO-style role is rapidly becoming a mark of maturity and trust.
In simple terms, the DPO is:
The internal champion for data protection and privacy
The bridge between business teams (like HR), IT, legal and leadership
The point of contact for individuals and the regulator when it comes to data issues
This is where HR plays a critical, strategic role:
Defining the DPO role and seniority so it is not “buried” under routine operations
Designing a clear reporting line with enough independence and access to leadership
Hiring the right profile – someone who understands law, risk, technology, and people
Supporting the DPO with resources, training budgets and cross-functional access
Choosing the right DPO is not just a compliance checkbox; it is a talent decision that shapes how seriously your organization is seen to take privacy. As a firm that specialises in helping organizations identify and place DPO and privacy talent, we are already seeing HR teams move early to secure strong candidates in a market that will quickly become competitive.
What HR needs to do next
a) Create a small “Privacy Squad” around HR
Bring together a senior HR leader, your DPO or privacy lead, IT and Legal/Compliance. Agree who owns HR-related DPDP work and outline a simple 12-month roadmap for HR data.
b) Map your HR data
List your main systems (HRMS, payroll, ATS, LMS, shared drives, email) and note: what data you store, why you store it, who has access, which vendors are involved, and how long you keep it. This becomes your HR data inventory.
c) Refresh HR documents and practices
Update offer letters, handbooks, privacy/IT policies and career site forms so they explain in plain language what you collect, why, and where employees can go to access, correct or delete their data or raise concerns. At the same time, cut unnecessary data fields, restrict access on a need-to-know basis, stop casual sharing of sensitive information, and avoid “forever” retention of CVs and records without a clear reason.
d) Strengthen your HR vendor ecosystem
Identify all vendors handling HR data and ensure contracts require them to protect that data, comply with DPDP, and notify you promptly of any breach.
From compliance to trust
DPDP is not just about avoiding penalties. It is an opportunity for HR to modernise old practices, position the organization as a privacy-mature employer, and partner with a well-chosen DPO to build a culture where people know their data – and their dignity – truly matter.
