Data Privacy in HR: Navigating India's Digital Personal Data Protection Act

Humanetics Team, 1 January 2026

India's Digital Personal Data Protection Act, 2023 (DPDP Act), passed by Parliament in August 2023, establishes a comprehensive legal framework governing the processing of digital personal data. For HR professionals, this legislation has far-reaching implications. HR departments are among the largest collectors of personal data within any organisation — from recruitment through payroll, performance management, and separation. The Act introduces penalties of up to Rs 250 crore for certain violations.

Key Terminology

The Act applies to digital personal data processed within India, and to processing outside India if it relates to offering goods or services to individuals in India. It establishes the Data Protection Board of India as the adjudicating body. Key roles include:

  • Data Principal: The individual whose data is processed — the employee, applicant, or contractor.
  • Data Fiduciary: The entity determining the purpose and means of processing — the employer.
  • Data Processor: Any entity processing data on behalf of the Fiduciary — payroll vendors, background verification agencies, and HRMS providers.

Personal Data in the HR Context

Personal data encompasses any data about an identifiable individual. In HR operations, this includes name and contact details, Aadhaar and PAN numbers, salary and bank account information, performance appraisal records, health and medical records, biometric attendance data, CCTV footage, and monitored digital communications.

Consent Requirements

The Act requires consent that is free, specific, informed, unconditional, and unambiguous. However, a critical exemption exists under Section 7 — personal data may be processed without consent when necessary for employment purposes, including onboarding, payroll, statutory compliance, and benefits. This exemption covers only processing reasonably expected in the employment context. Processing for purposes beyond the employment relationship — marketing, selling data, or unrelated profiling — still requires explicit consent.

Rights of the Data Principal

The Act grants employees rights that HR teams must honour:

  1. Right to information: Employees may know what data is collected, its purpose, and which third parties receive it.
  2. Right to correction and erasure: Employees can request correction of inaccurate data and erasure of data no longer needed.
  3. Right to grievance redressal: Organisations must establish a mechanism for data processing concerns.
  4. Right to nominate: In the event of death or incapacity, a nominee may exercise the Data Principal's rights.

Cross-Border Data Transfer

The Act permits transfer of personal data outside India to any country not specifically restricted by the Central Government. This departs from earlier drafts that proposed mandatory data localisation. Organisations using global HRMS platforms or cloud-based payroll must monitor government notifications for future restrictions.

Practical Compliance Steps for HR Teams

  1. Data inventory: Map all personal data collected by the HR function, its purpose, and the legal basis for processing.
  2. Privacy notices: Draft clear notices for employees and applicants explaining what data is collected, why, and how long it is retained.
  3. Consent mechanisms: Where processing relies on consent rather than the employment exemption, implement systems to obtain and manage consent.
  4. Vendor assessment: Review contracts with third-party processors for data protection obligations and breach notification requirements.
  5. Data retention policy: Establish retention periods and erase data once its purpose has been fulfilled.
  6. Breach response plan: The Act requires notification to both the Data Protection Board and affected Data Principals.

Data privacy is not merely a compliance exercise — it is a matter of employee trust. Organisations that handle personal data with transparency strengthen the employment relationship. Those that treat it carelessly risk legal penalties and an erosion of workforce confidence.
