Your Employees' Data is Covered Too: What the DPDP Act Means for HR Teams
The Blind Spot
Ask most businesses what data they need to protect under the DPDP Act, 2023 and they will talk about customers. Website forms. App sign-ups. Marketing databases.
They will not mention HR.
But HR teams are sitting on some of the most sensitive personal data in the organisation — and in most cases, with the least compliance attention directed at it.
Offer letters. Salary details. Bank account numbers. Performance reviews. Medical records. Background check results. Emergency contact information. All personal data. All covered under the DPDP Act. All your legal responsibility.
The Exemption That Is Not What It Sounds Like
The Act recognises "legitimate uses" — situations where processing is permitted without explicit consent. Employment-related processing is one of them. This leads some businesses to conclude that employee data is simply exempt from the Act. It is not.
The legitimate use provision means that certain employment-related processing does not require the same explicit consent mechanism as customer-facing data collection. It does not mean that employee data is unregulated. The obligations of accuracy, security, retention limits, and breach notification still apply in full.
What HR Actually Holds
Walk through the employee data lifecycle and the volume becomes clear quickly.
At hiring: CVs, identification documents, academic certificates.
During onboarding: Aadhaar copies, PAN cards, passport details, bank account information, emergency contacts, and in many organisations, health declarations.
During employment: Performance records, salary history, attendance data, disciplinary records, training records, and any medical information related to leave or workplace accommodation.
At departure: Exit interview notes, final settlement details, reference check responses.
And then there is the data of the people who applied but were not hired. Dozens, sometimes hundreds of CVs sitting in inboxes, shared drives, and recruitment software — with no retention policy and no deletion process.
Where HR Teams Are Most Exposed
Onboarding. Most businesses collect significantly more information than they need. Date of birth, marital status, religion, and caste — frequently collected for form-filling purposes — are often not necessary for the employment relationship. The Act's data minimisation principle applies here.
Retention after departure. What happens to an employee's records five years after they leave? Ten years? Most businesses have no documented answer. The Act requires one.
Rejected candidates. A CV submitted for a role that was not offered is not a permanent addition to your talent database. If you retain it for future consideration, that retention requires a lawful basis — and the individual's knowledge.
Third-party vendors. Background verification agencies, payroll processors, group insurance providers, recruitment platforms — each of these receives employee personal data. Each requires a data processing agreement that meets DPDP standards.
Spreadsheets. Employee data living in unlocked Excel files on shared drives accessible to the entire company is both a security failure and a compliance gap.
What HR Teams Need to Do
Audit the data you collect. Go through every stage of the employment lifecycle and identify every data point collected. For each one, ask: do we need this? What is our lawful basis for holding it?
Build a retention schedule. Decide how long each category of data is kept and why. Write it down. Then build a process for actual deletion — not just a policy that no one follows.
Update vendor contracts. Any third party receiving employee data must be bound by a data processing agreement that reflects DPDP obligations. Review your contracts with your payroll provider, background verification agency, and recruitment platforms.
Lock down access. Employee data should not be accessible to everyone in the organisation. Restrict access to HR and those with a genuine need.
Create a rights response process. An employee can ask what data you hold about them, request corrections, and ask for their data to be deleted after they leave. When that request comes, you need a documented process for responding to it.
The Applicant Data Problem, Specifically
This deserves its own mention because it is almost universally overlooked.
When someone applies for a role and is not offered it, their data does not belong to your business indefinitely. If you want to retain their CV for future opportunities, you need their consent. And if they withdraw that consent — or if you never obtained it in the first place — the data should be deleted.
Most Indian businesses have never addressed this. It is a straightforward fix and a genuine area of exposure.
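The retention schedule and the applicant-consent rule described above, as an added example that is not part of the original article: a small Python checker that applies a per-category retention period and, for rejected applicants, treats missing or withdrawn consent as grounds for deletion. The retention periods, record categories and field names are assumptions for illustration; the DPDP Act does not prescribe these periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule, in days after a record's end_date.
# The Act does not fix these periods; the values are illustrative placeholders.
RETENTION_DAYS = {
    "employee_record": 365 * 7,   # assumed: seven years after departure
    "rejected_applicant": 180,    # assumed: six months, and only with consent
}

AS_OF = date(2025, 1, 1)          # constructed review date

@dataclass
class Record:
    record_id: str
    category: str
    end_date: date                    # departure date, or date the application was rejected
    consent_to_retain: bool = False   # applicant agreed to their CV being kept on file
    consent_withdrawn: bool = False

def review_record(rec: Record, today: date) -> tuple:
    """Return (action, reason) for one record: 'keep', 'delete' or 'review'."""
    if rec.category == "rejected_applicant":
        if rec.consent_withdrawn:
            return ("delete", "consent withdrawn")
        if not rec.consent_to_retain:
            return ("delete", "no consent to retain after rejection")
    limit = RETENTION_DAYS.get(rec.category)
    if limit is None:
        # A category with no written rule is itself a gap: flag it for a human.
        return ("review", "no retention rule for this category")
    if today > rec.end_date + timedelta(days=limit):
        return ("delete", "retention period expired")
    return ("keep", "within retention period")

def deletion_list(records, today: date) -> list:
    """IDs of records due for actual deletion on the given date."""
    return [r.record_id for r in records if review_record(r, today)[0] == "delete"]

# Constructed sample records; no real people.
SAMPLE = [
    Record("E-1", "employee_record", date(2016, 1, 1)),
    Record("E-2", "employee_record", date(2024, 6, 1)),
    Record("A-1", "rejected_applicant", date(2024, 12, 1)),
    Record("A-2", "rejected_applicant", date(2024, 12, 1), consent_to_retain=True),
    Record("A-3", "rejected_applicant", date(2024, 1, 1), consent_to_retain=True),
    Record("A-4", "rejected_applicant", date(2024, 12, 1), True, True),
    Record("X-1", "exit_interview", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.record_id, *review_record(r, AS_OF))
```

Running the block prints one line per record with the action and reason; the "review" outcome is the signal that a category has no documented retention rule yet.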
The Bottom Line
HR data compliance is not a separate workstream from your broader DPDP programme. It is the same law, the same obligations, the same regulator, and the same penalties.
The fixes are operational, not technical. A data audit, a retention policy, updated vendor contracts, and a rights-response process cover most of the gap. Start with the audit. The gaps will become clear quickly.