DPDP Act – Should HRs be Worried?

The Digital Personal Data Protection (DPDP) Act, 2023 (the “Act”), is India’s first comprehensive legislation dedicated to safeguarding digital personal data, regulating how entities (Data Fiduciaries) process information while granting individuals (Data Principals) control over their privacy. DPDP is India’s GDPR in some sense, though not as strong as GDPR.

It was enacted on August 11, 2023, and its operational framework kicked in only recently, when the government notified the DPDP Rules on November 13, 2025. As I write this (on January 20, 2026), organisations are in the early stages of a mandatory 18-month phased compliance window, designed to give businesses time to align their systems before the Act comes into full enforcement by ~May 2027, after which strict penalties (up to Rupees 250 crores) will apply.

For many years, most HR departments have treated employee data, including resumes and payroll information, as company assets. The Act changes that. In this article, I try to examine how the Act affects HR professionals and employers with respect to the employment particulars and data of employees.

According to the definitions in the Act, your organisation is the Data Fiduciary and the employee is the Data Principal.


What Immediately Changes for HRs?

Offer Letters No Longer Use “Blanket Consent”

A data privacy clause on an employment contract can no longer be hidden/avoided. Now, consent needs to be clear, independent, and reversible. If we are gathering health information for insurance purposes, that must have its own unambiguous “Yes.”

The Landmine of “Legacy Data”

The information we gathered before the law’s passage is covered by the Act. That enormous 2021 resume database? The records of former workers? We are now required by law to send these people a new notice outlining what we have and why. We have to remove it if we don’t need it (disclaimer: this is my reading of the Act; legal experts may have another opinion).

“Legitimate Use” is Limited

The Act is not a free pass, even though it permits processing for “employment purposes” in certain circumstances without express consent. Without strictly obtained consent, we cannot use employee data for secondary purposes (such as internal analytics unrelated to their role or third-party marketing).

Vendor Risk is Our Risk

Many of us outsource payroll, background verification, and health benefits. If the payroll vendor leaks employee data, the Employer/Fiduciary is liable for the penalty, which can go up to Rupees 250 crores. The vendor contracts need an immediate audit to cover the relevant clauses.

Key Deadlines

With the rules notified in Nov 2025, we are in the transition period.

  • Immediate: Map your data. Audit it.
  • ~Nov 2026: Registration of Consent Managers begins.
  • ~May 2027: Full enforcement. By this date, every employer must have obtained fresh consent from existing employees if their previous consents didn’t meet the new, higher standards.

Yes, We Need to Act!

Data privacy is now a core competency for HR. We are the custodians of the most sensitive personal data in our organisations. It’s time to audit our folders, update our handbooks, issue privacy notices to our employees/ex-employees, and train our teams. The core idea is to collect only the necessary data from our employees (and not those “just in case” data) and let the employees know the privacy clauses.

Disclaimer: I am not formally educated in law, nor do I have the lawyer-like wisdom to interpret laws of the land. The above is a reading/comprehension of the Act and hence may not be treated as professional advice, and is not comprehensive. Please consult your legal advisor before taking action for changes under the Act. Opinions are personal and may not necessarily reflect the views of my employer(s).


Also published on LinkedIn.
