Step-by-step templates, do’s & don’ts to fix document collection practices fast
Most DPDP violations in HR do not happen because teams want to break the law.
They happen because document collection processes were built years ago and never questioned.
The DPDP Act forces HR and BGV teams to rethink one core habit:
✔ Collect only what you need
✔ Only for the purpose you need it for
✔ And delete it when that purpose ends
This playbook is designed to help you fix document collection fast, without legal jargon.
Includes:
• Step-by-step checklist
• Clear do’s & don’ts
• Ready-to-use templates
• HR + BGV-specific guidance
Who This Playbook Is For
✔ HR and People Ops teams
✔ Talent Acquisition leaders
✔ Background Verification teams
✔ HR compliance and operations managers
If your team handles resumes, IDs, certificates, or verification documents, this applies to you.
The One Rule That Drives This Entire Playbook
Before collecting any document, ask whether you can clearly explain:
- Why we need this document
- How long we will keep it
- What happens after that
✖ If the answer is unclear → do not collect it.
Step 1: Map Every Document You Collect Today
Map documents collected during:
• Hiring
• Onboarding
• Background verification
Most teams discover they collect far more than they actually use.
Template: Document Mapping Table
| Stage | Document Collected | Purpose | Required |
| --- | --- | --- | --- |
| Hiring | Resume | Evaluation | Yes |
| Hiring | Aadhaar | Identity | No |
| BGV | Address Proof | Verification | Yes |
Step 2: Assign One Clear Purpose to Each Document
Under DPDP, one document must map to one purpose.
✔ Clear example:
“Address proof is collected only for address verification during hiring.”
✖ Avoid vague reasons such as:
“for HR use”
If you cannot clearly state the purpose → remove the document.
Step 3: Apply the Data Minimisation Test
Choose the least intrusive document available:
✔ PAN instead of Aadhaar
✔ One address proof instead of multiple
✔ Relevant degree certificate instead of full history
If two documents achieve the same purpose → collect only one.
Step 4: DPDP Document Collection Do’s & Don’ts (Critical)
Do’s for HR & BGV Teams
✔ Collect documents only for a clearly stated purpose
✔ Prefer PAN or alternative IDs over Aadhaar
✔ Limit BGV documents to the specific verification check
✔ Define retention and deletion timelines upfront
✔ Mask sensitive information wherever possible
Don’ts for HR & BGV Teams
✖ Do not collect documents “just in case”
✖ Do not store copies indefinitely
✖ Do not reuse BGV documents for unrelated purposes
✖ Do not assume vendors handle DPDP compliance
✖ Do not collect family or medical data without legal need
Step 5: Fix Your Background Verification Requests
For every BGV document request:
- Does it match a specific verification check?
- Is this document the minimum required?
- Will copies be deleted once verification is complete?
If a document is not required for that check → do not ask for it.
Step 6: Define Clear Retention & Deletion Timelines
Examples:
✔ Rejected candidate data → delete within a defined window
✔ BGV documents → delete after verification completion
✔ Payroll records → retain only as legally required
✔ No purpose = No storage
✔ Automate deletion wherever possible
Step 7: Update Consent & Candidate Communication
When requesting documents:
• Explain why the document is required
• State how long it will be retained
• Provide a contact for data-related queries
✖ Avoid generic wording like “for HR purposes”.
Step 8: Fix Vendor & BGV Contracts
✔ Vendor compliance = your compliance
Include DPDP clauses covering:
- Purpose limitation
- Data minimisation
- Retention and deletion obligations
- Breach reporting
Step 9: Train HR & TA Teams
Teams must know:
✔ What documents they can request
✔ What to avoid
✔ How to answer DPDP-related questions
A trained recruiter becomes the first compliance shield.
Step 10: Run a Quarterly DPDP Self-Audit
Audit checklist:
✔ Documents collected
✔ Storage locations
✔ Retention timelines
✔ Vendor compliance
Small audits prevent large penalties.
Ready-to-Use Templates (Copy-Paste Friendly)
Template 1: Document Purpose & Retention Mapping
| Document | Purpose | Stage | Retention Period |
| --- | --- | --- | --- |
| PAN Card | Payroll | Onboarding | As per law |
| Address Proof | BGV | Hiring | Till verification |
| Degree Certificate | Eligibility | Hiring | Till offer |
Template 2: Consent Communication (Sample)
We are collecting your [Document Name] solely for [Purpose].
✔ Your data will be stored securely
✔ It will be deleted according to our retention policy
Use in:
• emails
• portals
• forms
Template 3: BGV Vendor DPDP Compliance Checklist
✔ Purpose limitation defined
✔ Data minimisation followed
✔ Retention timelines agreed
✔ Deletion obligations documented
✔ Breach reporting clause included
Use for vendor evaluation and onboarding.
Template 4: HR Self-Audit Snapshot
DPDP HR DOCUMENT SELF-AUDIT SNAPSHOT
Document collected: ___________________
☑ Purpose defined clearly
☑ Consent collected where required
☑ Purpose can be legally justified
☑ Retention duration defined
☑ Deletion scheduled/automated
☑ Access minimised
☑ Vendor DPDP agreement in place
Risk level:
• Low
• Medium
• High
Action to take:
Template 5: Candidate FAQ (Copy-Paste)
DPDP Privacy FAQ – Why We Ask For Your Documents
What we collect:
• Only minimum required documents
• For defined purposes
• For limited retention periods
How your data is used:
✔ Identity verification
✔ Qualification verification
✔ Payroll processing
✔ Statutory compliance
We will NOT:
✖ Collect unnecessary documents
✖ Store data indefinitely
✖ Use your data for unrelated purposes
✖ Share with unauthorized parties
Your rights:
✔ Request access
✔ Request deletion
✔ Withdraw consent
Contact: 📩 [HR contact email]
A Simple 10-Step DPDP Readiness Checklist for HR Teams
✔ Do we collect only purpose-linked documents?
✔ Are high-risk documents avoided?
✔ Is Aadhaar collection restricted?
✔ Are BGV requests minimised?
✔ Are retention timelines defined?
✔ Is deletion automated?
✔ Are vendors DPDP-compliant?
✔ Are consent notices clear?
✔ Are HR teams trained?
✔ Can we justify every document we collect?
Any “no” is a compliance gap.
Why This Playbook Matters
✔ Reduces DPDP penalty exposure
✔ Minimises breach and reputational risk
✔ Improves transparency and trust
✔ Creates future-ready HR operations
DPDP compliance does not start with technology. It starts with asking fewer questions and collecting fewer documents.





