The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a major shift in how organisations handle personal data in India. But rather than clarity, it has created one thing across industries: confusion.
From HR teams to BGV agencies, from startups to enterprises – many are asking:
- “What does this really mean for us?”
- “What should we fix right now?”
- “When does it apply – fully, or only partially for now?”
This piece is a simple, straightforward breakdown of why DPDP feels confusing, what it actually requires and what employers should do first.
1. What the DPDP Act Actually Is – in Simple Words
At its core, the DPDP Act is about respecting people’s data. It does three main things:
- Empowers individuals: Employees, candidates and data-subjects get more control over their personal data – who has it, why it’s collected, how it’s used and how long it’s kept.
- Holds companies accountable: Organisations must justify why they collect data, ensure secure handling and abide by clear consent and purpose-limitation norms.
- Imposes strict compliance rules: Consent, data minimisation, secure storage, breach reporting and time-bound deletion now become formal obligations.
In short: any organisation that collects or processes personal data digitally must run operations in a transparent, accountable and privacy-aware manner.
With the Digital Personal Data Protection Rules, 2025 officially notified on 14 November 2025, the Act now has practical, enforceable detail.
2. Why Even “Informed” Teams Are Still Confused
The DPDP framework sounds straightforward – but puts many common practices under question. Here’s why confusion persists:
✔ The Rules are out – but compliance rolls out in phases
Because obligations are phased in over time, organisations are often unsure what must be implemented now and what can wait. Consent mechanisms, retention policies and breach-reporting workflows do not all take effect on the same date, so “are we compliant?” has no single answer yet.
✔ Everyday words have legal weight now
Terms like “consent” and “purpose limitation” – everyday words for most HR or operations teams – now carry strict legal definitions, and the Act introduces formal roles: the “data fiduciary” (the organisation that decides why and how personal data is processed) and the “data processor” (a vendor that processes it on the fiduciary’s behalf). Practices like “blanket consent,” “store everything just in case,” or “keep everything forever” no longer pass muster.
✔ Old HR / BGV / hiring habits no longer fit
Common workflows – collecting multiple proofs, storing documents indefinitely, generic consent forms, broad background-check data retention – all must be re-evaluated. What used to be “just standard procedure” now may be non-compliant.
✔ Many compare DPDP to foreign laws (like GDPR) – often inaccurately
That leads to overdoing (or underdoing) compliance. DPDP is India-specific. While some principles overlap, several features differ – and assuming equivalence causes mistakes.
✔ Data scope misunderstandings confuse teams
Not all data is personal data as defined under DPDP. Aggregated analytics, anonymised or non-personal data and many internal business documents do not fall under the law. Applying DPDP rules everywhere leads to wasted effort and panic.
3. What DPDP Does Not Cover – Many Get This Wrong
DPDP’s scope is narrower than many realise. It does not apply to:
- Non-personal data (e.g. aggregated statistics, business-level metrics)
- Anonymised data and aggregated analytics that can no longer be linked to an individual
- Personal data held only in non-digital form (the Act applies once such records are digitised)
- Internal company documents that have no personal identifiers
- Generic business or operational data not tied to individuals
Recognising this helps companies focus efforts where they’re needed – rather than applying compliance everywhere unnecessarily.
4. Common Myths And Why They’re Wrong
Here are some of the biggest misunderstandings floating around – and the real picture as per DPDP:
| Myth | Reality under DPDP |
|---|---|
| DPDP is already fully enforceable | The Rules have been notified, but obligations are phased in over time |
| Employee/candidate data doesn’t need explicit consent | Consent is the default basis. The Act’s “legitimate use” exception for employment is narrow, so most candidate and background-check processing still needs clear, purpose-specific consent |
| Once documents are collected, you can store forever | No – data may only be kept as long as the purpose requires and must then be deleted |
| Only background-verification vendors are accountable | The employer, as data fiduciary, remains accountable for compliance even when a vendor (data processor) handles the data; vendor contracts must pass those obligations down |
| One-time generic consent covers all future uses | Not sufficient – consent must specify the purpose and be as easy to withdraw as it was to give |
5. DPDP vs GDPR – Why They’re Not the Same
It’s common to draw parallels with international data-privacy laws, but important differences remain.
| Feature | DPDP | GDPR (for comparison) |
|---|---|---|
| Data Scope | Digital personal data only (including offline records once digitised) | Personal data processed by automated means or held in a structured filing system |
| Consent Basis | Primarily consent-driven, plus a short closed list of “legitimate uses” | Consent, contract, legitimate interest and other lawful bases |
| Approach | Principle-based, simpler framework | Detailed, prescriptive rules |
| Enforcement Risk | Penalties of up to ₹250 crore per instance for failing to maintain reasonable security safeguards | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Applicability | Processing of digital personal data within India, plus processing outside India connected with offering goods or services to individuals in India | Organisations established in the EU/EEA, plus those offering goods or services to, or monitoring, individuals in the EU |
In short: DPDP is India’s own, focused framework – not a carbon copy of GDPR. Treating it like GDPR leads to unnecessary complexity or compliance gaps.
6. Why HR, Recruiting & BGV Teams Are Most Affected
These are the teams that collect and handle most sensitive data:
- IDs and proofs (Aadhaar, PAN, address, bank details)
- Candidate histories & resumes
- Background check documents (police verification, references, past employment)
- Third-party vendor data transfers
- Long-term storage of resumes, KYC files, BGV reports
Under DPDP, they will need to:
- Collect only what’s essential (data minimisation)
- Use purpose-specific consent flows, not generic forms
- Maintain retention + deletion policies
- Ensure secure storage and controlled access
- Put vendor agreements in place with compliance clauses
- Enable consent withdrawal and data erasure
- Build breach response & reporting systems
In short: many of the existing HR & BGV workflows will need significant redesign.
Real-World Examples: What DPDP Means for HR / BGV in Practice
📄 Example 1: Resume Database Clean-up
Before DPDP (common practice): Many companies kept every CV ever submitted, indefinitely.
With DPDP: They must now ask – “Do we need to keep this resume at all?” If there is no ongoing recruitment process or legal reason to retain it, the data should be deleted after a defined, reasonable retention period.
This protects candidate privacy and reduces liability.
🔍 Example 2: Vendor-Based Background Verification
Before DPDP: Employers shared candidate documents (IDs, address proofs, past employment data) with a BGV vendor via a broad “one-time consent” form.
With DPDP: Consent must be specific and purpose-linked (e.g. “For background verification only”), vendor contracts must include DPDP compliance clauses and deletion/retention timelines must be clearly defined and respected.
These are small processes today – but every such touchpoint becomes a compliance mandate under DPDP.
7. How the Market Is Reacting Right Now – The Early Signals
Even before full enforcement, the shift is visible:
- Startups are rethinking data collection – cutting down on excessive documentation
- Large enterprises are mapping data flows end-to-end (who collects, who stores, who accesses)
- BGV firms are reworking consent and storage practices
- HR-tech platforms are building privacy dashboards and consent logs
- Candidates and employees are asking tougher questions: “Why do you need this data?” / “How long will you keep it?”
The privacy-first mindset is gaining ground – but compliance work is just beginning.
8. What Companies Should Do Right Now – A Practical, Actionable Checklist
Here’s a simple “start-now” checklist for any company preparing for DPDP compliance:
- Map all data you collect – what information, who collects it, where it’s stored, who can access it and why you collect it.
- Stop collecting unnecessary data – If it’s not essential, don’t collect it.
- Rewrite consent forms – Use clear, purpose-specific language; avoid blanket forms.
- Define a retention & deletion policy – Decide how long to keep data and when to delete.
- Update vendor / BGV contracts – Add DPDP compliance clauses; define responsibilities & audit rights.
- Train HR / BGV / Recruitment teams – On consent, minimisation, purpose limitation, secure handling.
- Plan for breach response & reporting – Create SOPs, logging and notification mechanisms.
Starting these steps now will prepare companies well – and avoid last-minute pressure later.
9. What’s Coming Next – What Companies Should Expect & Plan For
With DPDP now real, companies should gear up for:
- A likely shift in candidate expectations: more questions, requests to delete data, consent withdrawal
- Internal audits of data flows, vendor compliance, storage practices
- Regular reviews of data-collection templates, consent forms, data-storage and deletion logs
- Ongoing training for HR, compliance, BGV and vendor management teams
- A mindset shift – seeing data privacy not just as compliance, but as trust and risk management
10. Why This Shift Matters – Even Beyond Compliance
Adopting DPDP-compliant data practices isn’t just about avoiding penalties. It’s about building trust.
For employees and job‑seekers, knowing their data is handled responsibly builds goodwill.
For companies – especially HR, talent acquisition, BGV-heavy firms – it strengthens employer branding, reduces legal risk and creates operational discipline.
In many ways, DPDP compliance is also good risk management + good reputation management.
Conclusion
The DPDP Act signals a transformative change in how data is handled in India – especially personal, sensitive, candidate and employee data. For many organisations, it means rethinking basic HR, hiring and BGV workflows.
Yes – confusion is natural. But with a clear, practical approach (map data, minimise collection, get proper consent, plan retention & deletion, update vendor contracts), companies can turn DPDP from a compliance burden into a trust-building exercise.
It’s time to treat data as a responsibility – not just paperwork.