
DPDP Confusion Hotspots (2025): The 7 Areas Where Employers Get Stuck

The Digital Personal Data Protection (DPDP) Act, 2023 has now been operationalised, with rules notified in November 2025, marking a critical shift in how personal data must be handled in India.

While the intent of the law is clear, its practical interpretation remains challenging for many organisations. This confusion is most visible in HR, hiring and background verification (BGV) workflows, where large volumes of sensitive personal data are routinely collected, shared and stored.

According to a PwC survey, only 16% of consumers in India are aware of the DPDP Act and just 40% of organisations say they understand it. This gap between regulatory intent and operational understanding has created inconsistent practices across companies.

Below are the seven most common DPDP confusion hotspots that employers are struggling with today, explained through real HR and hiring scenarios, with clear takeaways for action.


1. Consent Requirements

Why this remains unclear
Many organisations still treat consent as a formality rather than a legal requirement with specific conditions. Under DPDP, consent must be clear, specific, informed and revocable, and it must be tied to a defined purpose.

Where HR teams go wrong
Statements such as “We may use your data for recruitment and other purposes” do not qualify as valid consent. The purpose must be communicated in plain language at the point of data collection.

What good practice looks like

  • Separate consent for each purpose
  • Simple language explaining how data will be used
  • A clear mechanism to withdraw consent

Simple takeaway
One purpose = one clear consent.


2. Purpose Limitation – Data Can Be Used Only for Its Stated Purpose

Why companies struggle
There is a persistent assumption that once consent is obtained, data can be reused freely.

How this shows up in hiring and BGV
This mindset often leads to “just in case” data usage, for example, reusing address proof collected for background verification later for internal analytics or workforce planning, without fresh consent.

What DPDP expects
Data must be used only for the purpose stated at the time of collection.

Simple takeaway
Collect → Use → Delete.
There is no “keep it for later.”


3. Data Minimisation – Collect Only What Is Necessary

Why it is misunderstood
Legacy HR processes encouraged collecting as much data as possible. DPDP reverses this approach.

HR example
Collecting Aadhaar, PAN, passport and multiple address proofs when a single identifier would suffice increases both compliance and breach risk.

What to remember
If a data point cannot be clearly justified for the stated purpose, it should not be collected.

Simple takeaway
Less data collected means lower regulatory exposure.


4. Document Collection in Background Verification

Why this is a major hotspot
Traditional BGV workflows were designed for operational convenience, not data minimisation or purpose limitation.

Practical impact

If PAN is sufficient for a specific verification check, collecting additional identity documents adds unnecessary risk.

Common mistake
Storing multiple document copies indefinitely, even after verification is complete.

Simple takeaway
Verification does not require document hoarding.


5. Data Retention & Deletion – Keep Data Only While It Serves a Purpose

Why HR teams struggle

  • Lack of documented retention policies
  • Absence of automated deletion processes
  • Fear of future audits or disputes, leading to indefinite storage

As a result, resumes, BGV reports and employee documents are often retained long after their purpose has ended.

DPDP expectation
Organisations must define clear retention timelines and delete personal data once the purpose is fulfilled.

Simple takeaway
No purpose = no storage.
Automation significantly reduces risk.
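The three rules in sections 1, 2 and 5 (one consent per purpose, use only for the stated purpose, delete when the purpose ends) can be enforced in a single purpose-bound register rather than left to policy documents. The Python sketch below is an added example, not code from the original article or from any product it mentions; the record layout, the purpose names, the candidate id and the 90-day and 365-day retention values are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ConsentMissing(Exception):
    """No active consent for this exact purpose."""


class PurposeMismatch(Exception):
    """Requested purpose differs from the one stated at collection."""


@dataclass
class Consent:
    purpose: str                        # one consent record covers exactly one purpose
    granted_at: datetime
    withdrawn_at: datetime | None = None


@dataclass
class PersonalDataRecord:
    subject_id: str
    field_name: str                     # e.g. "address_proof" (hypothetical field name)
    purpose: str                        # purpose stated at the point of collection
    collected_at: datetime
    retention: timedelta                # how long the stated purpose justifies keeping it


class ConsentRegister:
    """Purpose-bound store: each record is tied to one consent and one retention period."""

    def __init__(self) -> None:
        self._consents: dict[tuple[str, str], Consent] = {}
        self._records: list[PersonalDataRecord] = []

    def grant(self, subject_id: str, purpose: str, now: datetime) -> None:
        self._consents[(subject_id, purpose)] = Consent(purpose, now)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> None:
        consent = self._consents.get((subject_id, purpose))
        if consent is not None and consent.withdrawn_at is None:
            consent.withdrawn_at = now

    def has_active_consent(self, subject_id: str, purpose: str) -> bool:
        consent = self._consents.get((subject_id, purpose))
        return consent is not None and consent.withdrawn_at is None

    def collect(self, subject_id: str, field_name: str, purpose: str,
                retention: timedelta, now: datetime) -> PersonalDataRecord:
        # Collection is refused unless consent exists for this specific purpose.
        if not self.has_active_consent(subject_id, purpose):
            raise ConsentMissing(f"{subject_id}: no active consent for {purpose!r}")
        record = PersonalDataRecord(subject_id, field_name, purpose, now, retention)
        self._records.append(record)
        return record

    def access(self, subject_id: str, field_name: str, purpose: str) -> PersonalDataRecord:
        # Purpose limitation: a record is readable only for the purpose it was collected for.
        for record in self._records:
            if record.subject_id == subject_id and record.field_name == field_name:
                if record.purpose != purpose:
                    raise PurposeMismatch(f"{field_name} was collected for {record.purpose!r}")
                if not self.has_active_consent(subject_id, purpose):
                    raise ConsentMissing(f"{subject_id}: consent for {purpose!r} withdrawn")
                return record
        raise KeyError(f"no {field_name!r} stored for {subject_id}")

    def retention_sweep(self, now: datetime) -> list[tuple[str, str]]:
        # Automated deletion: remove records past retention or whose consent was withdrawn.
        deleted, kept = [], []
        for record in self._records:
            expired = now >= record.collected_at + record.retention
            if expired or not self.has_active_consent(record.subject_id, record.purpose):
                deleted.append((record.subject_id, record.field_name))
            else:
                kept.append(record)
        self._records = kept
        return deleted


def run_bgv_scenario() -> dict:
    """Constructed walk-through: an address proof collected for background verification only."""
    now = datetime(2025, 12, 1, tzinfo=timezone.utc)
    reg = ConsentRegister()
    reg.grant("cand-42", "background_verification", now)
    reg.collect("cand-42", "address_proof", "background_verification", timedelta(days=90), now)
    result = {"bgv_read": reg.access("cand-42", "address_proof", "background_verification").purpose}
    try:                                # "just in case" reuse for analytics is refused
        reg.access("cand-42", "address_proof", "workforce_analytics")
        result["analytics_blocked"] = False
    except PurposeMismatch:
        result["analytics_blocked"] = True
    result["deleted_day_30"] = reg.retention_sweep(now + timedelta(days=30))
    result["deleted_day_90"] = reg.retention_sweep(now + timedelta(days=90))
    # Withdrawal: the record goes at the next sweep regardless of the retention clock.
    reg.grant("cand-42", "payroll", now)
    reg.collect("cand-42", "pan", "payroll", timedelta(days=365), now)
    reg.withdraw("cand-42", "payroll", now + timedelta(days=1))
    result["deleted_after_withdrawal"] = reg.retention_sweep(now + timedelta(days=2))
    return result
```

The design point is that the retention clock and the consent state live on the record itself, so a scheduled call to `retention_sweep` is the deletion process; nothing has to remember to clean up, and a withdrawn consent takes effect at the next sweep without anyone reopening the case.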


6. Vendor and Third-Party Responsibility

Why this causes confusion
Many organisations assume compliance responsibility shifts entirely to vendors.

DPDP reality
The organisation remains the Data Fiduciary and is accountable for how vendors handle personal data.

What this means for HR

  • ATS, BGV partners and payroll providers must be DPDP-vetted
  • Contracts should include DPDP clauses and audit rights
  • Breach accountability must be clearly defined

Simple takeaway
Vendor compliance is still your compliance.


7. Data Breach Reporting (The 72-Hour Rule)

What qualifies as a breach
Any unauthorised access, disclosure or loss of control over personal data, whether accidental or intentional.

Common HR scenarios

  • Candidate spreadsheets shared with the wrong recipient
  • Resume databases exposed via unsecured links
  • Emails containing visible personal information

DPDP expectation
Organisations must be prepared to notify the authorities and, where required, the affected individuals within the prescribed timelines.

Simple takeaway
If personal data escapes your control, it is a breach.
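Two of the scenarios listed above, a candidate list with visible identifiers and a message going to the wrong recipient, can be caught before the message leaves the organisation. The Python check below is an added example, not code from the original article or from any product it mentions; it assumes a pre-send hook in an HR mail or file-sharing workflow, the identifier patterns are simplified format checks with no checksum validation, and the allowed domain, the recipients and the sample message (including the identifier values) are constructed for illustration.

```python
from __future__ import annotations

import re

# Simplified patterns for two common Indian identifiers (assumption: format only, no checksum).
IDENTIFIER_PATTERNS = {
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),                          # 5 letters, 4 digits, 1 letter
    "AADHAAR": re.compile(r"\b[2-9][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}\b"),    # 12 digits, optional 4-4-4 grouping
}


def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (label, matched text) pairs in order of appearance."""
    hits = []
    for label, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), label, match.group()))
    return [(label, value) for _, label, value in sorted(hits)]


def redact(text: str) -> str:
    """Replace each identifier with a labelled placeholder so the message can still be sent."""
    for label, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text


def check_outbound(body: str, recipients: list[str], allowed_domains: set[str]) -> dict:
    """Pre-send guard: identifiers plus an external recipient is a block, identifiers alone a warning."""
    findings = find_identifiers(body)
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in allowed_domains]
    if findings and external:
        decision = "block"          # would be a reportable loss of control if sent
    elif findings:
        decision = "warn"           # stays internal, but carries more data than the purpose needs
    else:
        decision = "allow"
    return {"decision": decision, "findings": findings,
            "external_recipients": external, "redacted_body": redact(body)}


# Constructed sample message; the identifiers are made-up values in the right format, not real ones.
SAMPLE_BODY = (
    "Hi team, sharing the shortlist for the Bengaluru role.\n"
    "Candidate A: PAN ABCDE1234F, Aadhaar 2345 6789 0123\n"
    "Please keep this confidential."
)

if __name__ == "__main__":
    verdict = check_outbound(SAMPLE_BODY, ["hr@example.com", "recruiter@example.org"], {"example.com"})
    print(verdict["decision"], verdict["findings"], verdict["external_recipients"])
    print(verdict["redacted_body"])
```

The guard returns the redacted body alongside the verdict so the sender can resend with placeholders instead of identifiers; the "warn" outcome for internal mail is deliberate, since section 3 makes the point that circulating an identifier nobody needs is a minimisation problem even when it never leaves the organisation.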


Why These Confusion Hotspots Matter for HR & BGV Teams

DPDP is not merely a legal update. It requires a fundamental redesign of HR and hiring data practices, from collection to deletion.

Addressing these hotspots helps organisations:

  • Reduce accidental non-compliance
  • Build candidate and employee trust
  • Lower breach exposure
  • Create future-ready HR operations

What’s Coming Next

Playbook: DPDP for Beginners: A 10-Step Readiness Checklist for HR Teams
A practical, action-oriented guide to help organisations start fixing these confusion hotspots immediately.
