How India’s Data Privacy Law Will Transform HR Practices
An article titled “How India’s Data Privacy Law will transform HR Practices” authored by our Partner, Akshayy S Nanda, has been published by BWPeople.
The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) marks a transformative milestone in India’s approach to data privacy and governance, bringing sweeping changes to how organisations, and HR departments in particular, handle employee information. The law was passed in August 2023 but is yet to come into force, as the rules that operationalise it are awaiting notification. It aims to give individuals greater control over their personal data in a digitalised economy.
For HR professionals, who manage some of the most sensitive and comprehensive sets of employee data, the provisions of the DPDPA require a strategic reassessment of daily processes and policies.
In practice, HR departments process a wide array of personal data, all of which is brought under the DPDPA’s regulatory umbrella. Basic identifiers such as names, addresses, contact details and identity proofs are collected throughout the employee lifecycle and form the foundation of employment records. Sensitive information such as bank account details, health and medical records and biometric data is critical for payroll management, insurance and security protocols, but demands correspondingly robust protection.
HR departments also routinely process performance appraisals, disciplinary records, background checks and other employment-related data, all of which fall within the purview of personal data.
Furthermore, as digital platforms become the backbone of organisational workflows, HR departments collect significant volumes of personal data in the form of digital footprints, including system access logs, communication records and device usage metrics, which adds to the complexity of compliance.
Each interaction point with employee data (recruitment, onboarding, payroll, benefits administration, performance evaluations, exit procedures and internal investigations) now falls under the DPDPA’s purview.
During recruitment, organisations collect and process resumes, identification proofs, assessment results and background verification outcomes. Onboarding generates a wealth of personal data, while payroll and benefits administration demands the ongoing processing of financial and family details. Performance management involves periodic reviews, feedback collection and documentation of achievements and areas for improvement, while exit formalities trigger requirements to securely transfer, delete or anonymise ex-employee data in accordance with both statutory and business needs.
Under the DPDPA, consent is generally required before processing an individual’s personal data. However, the legislation carves out specific exceptions termed “legitimate uses” where data may be processed without the explicit consent of the individuals.
Processing for employment purposes is one such legitimate use. In many ordinary HR contexts, employers can therefore process employees’ data without first obtaining their consent, provided the processing is strictly for the purposes of employment, for safeguarding the employer from loss or liability (for example, maintaining confidentiality or preventing corporate espionage), or for providing benefits and services sought by employees.
Employers must ensure, however, that this non-consent-based processing is necessary and proportionate for the stated employment purpose, and they should not use employee data for unrelated activities (such as third-party marketing) without consent. Notably, where processing goes beyond the defined “purposes of employment”, such as optional wellness programmes, social activities or other uses unrelated to core HR functions, explicit employee consent remains mandatory.
The DPDPA does not define “purposes of employment” in express terms.
As such, it is debatable whether this phrase extends to all stages necessary for making an employment offer, particularly since background checks are a standard, bona fide employment practice that is crucial for workplace integrity and compliance. It can accordingly be argued that processing personal data for background verification after a candidate has applied or been shortlisted is an activity closely tied to fulfilling the organisation’s human resources function.
In practice, this would mean that employers may not need to request additional, explicit consent to perform candidate background checks where the data principal (the applicant) voluntarily submitted their resume and information for hiring consideration. Voluntary submission of personal data through an application or resume can be read as carrying implied permission for the organisation to process that data for activities directly related to pursuing employment, including employment screening and reference checks, a reading consistent with the Act’s separate treatment of data that an individual voluntarily provides for a specified purpose as a legitimate use.
Nevertheless, several important caveats apply. Organisations should not interpret the employment exemption so broadly as to subsume all pre-employment and recruitment data processing, particularly where personal data is collected from third-party sources or where the checks are not reasonably necessary for the role in question. Employers are advised to develop internal compliance standards and clearly communicate to candidates (via privacy notices or at the application stage) the processing activities undertaken, including what background information may be sought and retained.
Even though employee consent may not be required for processing personal data for employment purposes, employers must still meet several obligations in respect of employees’ personal data. These include ensuring that all processing by third-party data processors is governed by valid contracts, maintaining the accuracy and completeness of data used for employee-related decisions or disclosures, using personal data only for employment purposes, collecting only the personal data that is necessary, and implementing robust technical and organisational safeguards to prevent personal data breaches.
Employers must also promptly notify the Data Protection Board of India and affected employees in the event of a personal data breach, erase employees’ personal data within a reasonable period after the employment comes to an end unless retention is required by law, and ensure that their third-party data processors carry out the same erasure. Employers are further obliged to maintain an effective grievance redressal mechanism for addressing employees’ privacy concerns.
Another critical compliance obligation that HR departments must be aware of concerns the engagement of third-party data processors for essential HR functions such as payroll, background checks and recruitment. HR departments must carry out rigorous due diligence before onboarding service providers, ensure that each processor operates under a robust data processing agreement, monitor ongoing compliance through audits, and maintain clear oversight of any sub-processors that vendors may use.
Under the DPDPA, third-party data processors have no direct statutory liability for breaches or misuse of employee data; instead, the data fiduciary (i.e., the employer) bears the full burden of compliance and penalties, even for breaches or lapses attributable to a third-party vendor. This concentrates the risk on the employer and requires heightened caution in vendor selection, contract negotiation and ongoing management.
Failure to comply with the DPDPA could have severe repercussions for employers. The penalties set out in the law are significant, rising to INR 250 crore for failing to implement reasonable security safeguards to prevent a personal data breach, alongside regulatory and reputational consequences. Beyond fines, non-compliance can erode employee trust, a less tangible but equally serious risk that can damage workplace morale, the recruitment brand and the organisation’s reputation.
To navigate these complexities, HR departments must take a proactive, systematic approach. A comprehensive data audit is essential to map all the data flows involving personal data within the organisation’s HR processes. All HR staff, from front-line recruiters to senior managers, must be trained and retrained regularly to internalize data protection principles and practices, especially given the frequent updating and use of HR databases.
Secure, access-controlled platforms must be used for storing and transferring data, with encryption, audit logs and backup protocols implemented to defend against breaches. Surveillance, data profiling or extensive monitoring should be avoided unless strictly required for legal compliance or security, and even then must be narrowly tailored, time-limited and transparent to employees.
Finally, a privacy-first culture supported by leadership and operationalised through continuous improvement will be key to building employee trust and sustaining compliance over the long term.
In conclusion, the DPDPA’s arrival places data privacy at the strategic center of HR management in India. Compliance will require more than tick-box exercises; it demands a rethinking of HR’s role as a steward of employee trust, transparency and well-being. By adopting an employee-centric approach, human resource teams can not only avoid legal and business risks but also set themselves apart as forward-thinking partners in organisational value creation.
