Digital Personal Data Protection Act 2023
A practical guide for Indian businesses to understand and comply with the Digital Personal Data Protection Act, 2023. From key principles to HR-specific action items and a free penalty estimator.
Penalty Estimator
Estimate your penalty exposure under the DPDP Act based on your current compliance posture and candidate data volume.
Key Principles
The six foundational principles of the DPDP Act that every data fiduciary must follow.
HR Compliance Checklist
Actionable steps for HR teams to align recruitment and employee data processes with the DPDP Act.
Key Principles of the DPDP Act
The DPDP Act, 2023 is built on six foundational principles that govern how organisations collect, process, and store personal data of Indian citizens.
Purpose Limitation
Personal data must only be collected for a specific, clear, and lawful purpose. HR teams cannot repurpose candidate data collected for one job opening to market unrelated services or share it beyond the stated hiring process.
Data Minimisation
Only collect the minimum personal data necessary for the stated purpose. Recruitment forms should not ask for Aadhaar numbers, religion, caste, or family details unless legally required for the specific role.
Storage Limitation
Personal data must not be retained beyond the period necessary to fulfil its purpose. Candidate resumes and interview recordings should be deleted or anonymised once the hiring decision is made and any statutory retention period expires.
Accuracy
Data fiduciaries must ensure personal data is accurate and up-to-date. HR teams should provide candidates a way to review and correct their information during the hiring process.
Security Safeguards
Reasonable security measures must protect personal data from breaches, unauthorised access, and accidental loss. This includes encryption, access controls, and secure storage for recruitment databases.
Accountability
The data fiduciary (your organisation) is responsible for demonstrating compliance. This means maintaining records of consent, data processing activities, and breach response protocols.
What HR Teams Need to Do
Recruitment involves processing large volumes of personal data — resumes, identity documents, interview recordings, and background checks. Here are five priority actions for HR teams preparing for DPDP compliance.
Audit data collection practices
Map every touchpoint where you collect candidate personal data — application forms, resume uploads, interview recordings, background checks, and third-party recruiter handoffs. Identify what data you collect, why, and where it is stored.
Update privacy notices
Draft clear, accessible privacy notices in English and relevant regional languages. Each notice must specify the purpose of data collection, retention period, candidate rights, and how to file a grievance. Display these before any data is collected.
Implement consent management
Build explicit, informed consent flows into your ATS and career pages. Consent must be freely given, specific to each purpose, and easily withdrawable. Pre-ticked checkboxes do not constitute valid consent under the DPDP Act.
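The consent model described here (recorded per purpose, opt-in only with no pre-ticked default, withdrawable, and logged so the fiduciary can demonstrate compliance) together with the retention check under Storage Limitation, as an added Python example. This is illustration code written for this guide, not Workro's product code or any official DPDP tooling; the purpose names, the notice_version field, the consent_<purpose> form-field convention, the candidate ids and the 180-day retention period are assumptions chosen for the example.

```python
"""Per-purpose consent ledger and retention check (added illustration, not Workro's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. notice_version is an assumed field that records
    which privacy notice the candidate saw, tying the consent to its notice."""
    candidate_id: str
    purpose: str
    granted: bool
    at: datetime
    notice_version: str


class ConsentLedger:
    """Append-only record of consent decisions; nothing is ever overwritten."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, candidate_id: str, purpose: str, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(candidate_id, purpose, granted,
                             at or datetime.now(timezone.utc), notice_version)
        self._events.append(event)
        return event

    def withdraw(self, candidate_id: str, purpose: str, notice_version: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is a new event, so the earlier grant stays in the record.
        return self.record(candidate_id, purpose, False, notice_version, at)

    def has_consent(self, candidate_id: str, purpose: str) -> bool:
        """The latest event for this (candidate, purpose) decides. No event at
        all means no consent: there is no implied or pre-ticked default."""
        latest: Optional[ConsentEvent] = None
        for event in self._events:
            if event.candidate_id == candidate_id and event.purpose == purpose:
                if latest is None or event.at >= latest.at:
                    latest = event
        return latest is not None and latest.granted

    def history(self, candidate_id: str) -> list[ConsentEvent]:
        """Everything recorded for one candidate, for audits and grievances."""
        return [e for e in self._events if e.candidate_id == candidate_id]


# Assumed purposes; each must appear in the privacy notice shown to the candidate.
ALLOWED_PURPOSES = {"hiring_process", "talent_pool_retention", "background_check"}


def consents_from_form(fields: dict[str, str]) -> dict[str, bool]:
    """Parse submitted checkbox fields named consent_<purpose> (assumed convention).
    Only an explicit 'on' counts as consent; an absent field is not consent, and a
    purpose that was never stated in the notice is rejected, not silently stored."""
    result: dict[str, bool] = {}
    for key, value in fields.items():
        if not key.startswith("consent_"):
            continue
        purpose = key[len("consent_"):]
        if purpose not in ALLOWED_PURPOSES:
            raise ValueError(f"purpose not covered by the privacy notice: {purpose}")
        result[purpose] = value == "on"
    return result


def overdue_for_deletion(decided_at: dict[str, datetime], retention: timedelta,
                         now: datetime) -> list[str]:
    """Candidate ids whose hiring decision plus the retention period has passed;
    their records are due for deletion or anonymisation."""
    return sorted(cid for cid, when in decided_at.items() if when + retention <= now)


def demo() -> dict:
    """Run the flow on constructed data and return the checks a reviewer would make."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Constructed form submission: the candidate ticked only the hiring purpose.
    form = {"name": "A. Candidate", "consent_hiring_process": "on"}
    for purpose, granted in consents_from_form(form).items():
        ledger.record("cand-001", purpose, granted, "notice-v2", t0)
    ledger.withdraw("cand-001", "hiring_process", "notice-v2", t0 + timedelta(days=10))
    # Constructed decision dates for the retention check (180 days assumed).
    decided = {"cand-001": datetime(2024, 5, 1, tzinfo=timezone.utc),
               "cand-002": datetime(2024, 11, 20, tzinfo=timezone.utc)}
    now = datetime(2024, 12, 1, tzinfo=timezone.utc)
    return {
        "hiring_after_withdrawal": ledger.has_consent("cand-001", "hiring_process"),
        "talent_pool_never_ticked": ledger.has_consent("cand-001", "talent_pool_retention"),
        "events_recorded": len(ledger.history("cand-001")),
        "overdue": overdue_for_deletion(decided, timedelta(days=180), now),
    }


if __name__ == "__main__":
    print(demo())
```

The two design choices that matter here are that has_consent treats a missing record as "no", which is what rules out pre-ticked or implied consent, and that withdrawal appends rather than deletes, so the ledger can later show both that consent was given and when it was withdrawn.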
Establish data breach protocols
Create an incident response plan that can notify the Data Protection Board of India within 72 hours of a breach. Document escalation procedures, assign a breach response team, and conduct regular drills.
Train your team
Ensure every member of the HR and recruitment team understands their DPDP obligations. Cover consent requirements, data handling procedures, breach reporting, and candidate rights in regular training sessions.
Built for DPDP compliance from day one
Workro handles candidate consent collection, data retention policies, and secure processing out of the box. Every resume, interview recording, and candidate record is managed with DPDP-ready workflows so your HR team can focus on hiring, not compliance paperwork.
Get started free