For years, HR teams have followed an unspoken rule:
Collect more data, just in case.
The intent was good – smoother onboarding, fewer follow-ups, faster payroll.
But under the DPDP Act, 2023, this habit is no longer safe.
Today, HR teams must be able to justify every data field they collect.
If you can’t clearly explain why a piece of data is needed, you probably shouldn’t be collecting it at all.
That’s what data minimisation is really about.
What Data Minimisation Means Under DPDP
Data minimisation means:
✔ collect only what is necessary
✔ collect it only when it is required
✔ keep it only for as long as the purpose exists
Under DPDP:
- “Nice to have” data ❌
- “We might need it later” ❌
- “This is how we’ve always done it” ❌
If the purpose is unclear, the collection itself becomes non-compliant.
Why HR Forms Are the Highest-Risk Area
Most DPDP violations in HR don’t come from intent – they come from legacy forms.
Typical reasons:
- forms were designed years ago
- fields were added and never questioned
- vendors reused generic templates
- no periodic form audit happened
High-risk areas include:
- application forms
- onboarding forms
- background verification (BGV) checklists
- internal HR trackers
👉 Redesigning forms is the fastest way to reduce DPDP risk.
What Data Minimisation Actually Looks Like (Before vs After)
Before: Over-Collecting Application Form
- Full residential address
- Date of birth
- Aadhaar number
- Marital status
- Emergency contact
- Bank account details
Problem: None of this is required to evaluate a candidate.
After: DPDP-Minimised Application Form
- Full name
- Email address
- Phone number
- Resume upload
Everything else is deferred to later stages with a clear purpose.
Impact:
- lower compliance risk
- smaller breach surface
- better candidate trust
The 3-Question Field Test
Before keeping any field in an HR form, ask:
✔ Does this field support a real decision at this stage?
✔ Can the same outcome be achieved with less personal data?
✔ Can we clearly defend this field to an auditor or employee?
If the answer to any one is “no” → remove the field or move it to a later stage.
This test alone eliminates most over-collection.
How HR Should Redesign Forms & Workflows (DPDP-Ready)
Redesigning for DPDP does not mean rebuilding everything from scratch.
It means cleaning, splitting and sequencing what already exists.
Use this simple 4-step approach:
1️⃣ Audit every field and document collected
Review all application forms, onboarding forms and BGV checklists using the 3-question field test, and ask of each field:
- Why is this data needed?
- At which stage is it truly required?
- When does its purpose end?
Any field without a clear answer must be removed or deferred.
2️⃣ Split single large forms into stage-based forms
Instead of one long form, redesign into:
- Application form (evaluation-only data)
- Offer / pre-onboarding form (role-specific proofs)
- BGV consent + document form (verification-only data)
- Onboarding form (payroll, compliance, benefits)
This prevents premature and unnecessary data collection.
3️⃣ Defer high-risk data to purpose-specific steps
High-risk data like Aadhaar, address proof or ID documents should:
- never appear in early-stage forms
- be collected only when the exact purpose arises
- be tied to fresh, explicit consent
Deferral is a core DPDP-safe design principle.
4️⃣ Attach retention and deletion triggers to each workflow
Every redesigned form or workflow must clearly define:
- how long the data will be retained
- what event ends the purpose
- when deletion must be triggered
No retention rule = incomplete workflow.
Redesigning forms and workflows this way ensures HR collects less data, later and for shorter durations – exactly what DPDP expects.
Data Minimisation by HR Stage
Application / Shortlisting Stage
✔ Resume
✔ Contact details
✔ Role-relevant portfolio
❌ ID proofs
❌ Address documents
❌ Certificates
Reason: Evaluation ≠ identity verification.
Offer / Pre-Onboarding Stage
✔ Role-relevant certificates
✔ Experience letters (if required)
❌ Aadhaar unless legally mandated
Reason: Verification should follow intent, not precede it.
Background Verification (BGV) Stage
✔ Documents mapped to specific checks
✔ One ID per verification purpose
❌ Blanket vendor checklists
❌ Multiple IDs “just in case”
📌 BGV is where data minimisation fails most often.
A Real Situation HR Teams Don’t Expect
During a DPDP readiness review, HR was asked:
“Why do you collect Aadhaar at the application stage?”
Answer:
“This has always been our form.”
There was:
- no documented purpose
- no legal requirement
- no stage-based justification
Outcome:
- field flagged as non-compliant
- immediate redesign required
- legal and IT escalation triggered
The fix took one week – but only after the risk surfaced.
Data Minimisation Must Extend to Retention & Deletion
Collection is only step one.
Every data point must also have:
✔ a retention period
✔ a deletion trigger
| Scenario | Deletion Trigger |
| --- | --- |
| Candidate rejected | After defined retention window |
| Offer declined | Immediately |
| BGV completed | Post-verification |
| Employment ends | As per statutory retention |
No purpose → no retention → no storage.
Practices That Feel Normal but Violate DPDP
❌ “We might need it later”
❌ “Vendor requires it”
❌ “Company policy says so”
❌ “Everyone collects this”
DPDP recognises only:
✔ legal necessity
✔ clearly defined purpose
Habit is not compliance.
Why Data Minimisation Helps HR
Done right, data minimisation:
- reduces legal exposure
- simplifies audits
- limits breach impact
- builds candidate trust
- cleans up HR systems
Less data = less risk.
Quick Data Minimisation Checklist for HR
✔ Every field has a purpose
✔ Fields are stage-appropriate
✔ High-risk IDs are deferred
✔ Vendor requests are reviewed
✔ Retention & deletion defined
✔ Forms audited annually
Final Takeaway
Data minimisation is not about slowing hiring.
It’s about:
- collecting less
- collecting later
- deleting faster
Under DPDP, less data is safer data.
HR teams that redesign forms and workflows now will avoid panic, penalties and rushed clean-ups later.





