DPDP Act - Digital Personal Data Protection Act (India)

India's Digital Personal Data Protection Act, 2023 (DPDP Act) is the country's first dedicated data protection law governing the processing of digital personal data, establishing rights for data principals, obligations for data fiduciaries, and penalties up to Rs 250 crore for non-compliance.

What Is the DPDP Act?

Key Takeaways

  • The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first dedicated data privacy law, applicable to digital personal data processed within India and to processing outside India if it involves offering goods or services to people in India.
  • It introduces the concepts of 'Data Fiduciary' (organizations that determine the purpose and means of processing) and 'Data Principal' (the individual whose data is being processed).
  • Consent is the primary legal basis for processing personal data. It must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.
  • The Act creates a Data Protection Board of India (DPBI) to adjudicate complaints, investigate breaches, and impose penalties up to Rs 250 crore per violation.
  • HR departments are directly impacted because they process large volumes of employee personal data: Aadhaar numbers, bank details, health records, biometric data, performance reviews, and background verification reports.

India tried to pass a data protection law for five years before succeeding. The Personal Data Protection Bill, 2019 (based on the Justice B.N. Srikrishna Committee report) was withdrawn in August 2022 after extensive criticism. The DPDP Act, 2023 replaced it with a leaner, more principles-based approach.

For HR teams, this isn't an abstract regulatory exercise. Every HRIS, payroll system, applicant tracking system, and employee database processes personal data: employee Aadhaar numbers used for PF registration, bank account details for salary payments, medical records for insurance enrollment, biometric data for attendance, and background check reports. All of it falls under the DPDP Act. The Act doesn't distinguish between customer data and employee data. An employer processing employee data is a Data Fiduciary, and each employee is a Data Principal with enforceable rights. Getting this wrong can cost up to Rs 250 crore per violation.

Rs 250 Cr: Maximum penalty for a single violation under the DPDP Act (approximately $30M USD)
Aug 2023: Month the DPDP Act received Presidential assent after five years of drafts and deliberation
7 Rights: Number of rights granted to data principals (individuals) under the DPDP Act
30 Days: Maximum response time for data fiduciaries to act on a data principal's rights request

Key Definitions HR Teams Must Know

The DPDP Act uses specific terminology. Understanding these terms is the first step toward compliance.

  • Data Principal: The individual to whom the personal data relates. HR context: every employee, candidate, contractor, and former employee.
  • Data Fiduciary: The entity that determines the purpose and means of processing. HR context: your company, as the employer processing employee data.
  • Data Processor: An entity processing data on behalf of the Data Fiduciary. HR context: HRIS vendors, payroll providers, background check companies, cloud storage providers.
  • Consent Manager: A registered entity that manages consent on behalf of Data Principals. HR context: may become relevant for large employers managing consent across multiple HR systems.
  • Significant Data Fiduciary: A Data Fiduciary designated by the Central Government based on volume, sensitivity, or risk. HR context: large employers processing data of thousands of employees may be designated.
  • Personal Data: Any data about an individual who is identifiable by or in relation to such data. HR context: name, email, phone, Aadhaar, PAN, salary, health records, biometrics, performance data.
  • Personal Data Breach: Unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. HR context: data leaks from HRIS, unauthorized access to payroll files, ransomware affecting HR databases.

Employee Rights as Data Principals

Every employee has seven rights under the DPDP Act. HR teams must build processes to handle these requests within 30 days.

  • Right to access: Employees can request a summary of all personal data being processed and the processing activities. HR must be able to pull this information from HRIS, payroll, benefits, and all other HR systems.
  • Right to correction: Employees can request correction of inaccurate or incomplete personal data. This goes beyond just updating an address; it could include correcting performance review records or background check data.
  • Right to erasure: Employees can request deletion of personal data that's no longer necessary for the purpose it was collected. However, legal retention requirements (PF records, tax records) override this right.
  • Right to withdraw consent: Employees can withdraw consent at any time for processing that was based on consent. The withdrawal doesn't affect the legality of processing done before withdrawal.
  • Right to grievance redressal: Employees have the right to an accessible grievance mechanism. Every Data Fiduciary must publish the contact details of a Data Protection Officer or equivalent.
  • Right to nominate: Employees can nominate another person to exercise their rights in case of death or incapacity.
  • Right to complain to the Data Protection Board: If the employer doesn't address the employee's request satisfactorily, the employee can file a complaint with the DPBI.

DPDP Act Compliance Steps for HR Departments

HR departments can't delegate data protection compliance entirely to the legal or IT team. Much of the compliance work sits squarely within HR operations.

Data mapping and inventory

Start by mapping every type of personal data HR collects, where it's stored, who has access, and how long it's retained. This includes HRIS databases, payroll systems, recruitment platforms (ATS), benefits administration, attendance and biometric systems, employee files (physical and digital), exit interview records, and background check reports. Most HR teams discover they're collecting more data than they realized, and storing it longer than necessary.

Update employment contracts and policies

Employment contracts need a clear privacy notice explaining what personal data is collected, the purpose of processing, third parties with whom data is shared (payroll vendor, insurance company, background check provider), and the employee's rights. Update the employee handbook with a data protection policy. Include the procedure for exercising data principal rights and the contact details of the person responsible for data protection in your organization.

Vendor assessment

Every HR tech vendor that processes employee data is a Data Processor under the DPDP Act. Review contracts with HRIS vendors, payroll providers, ATS platforms, background check companies, and cloud storage providers. Ensure contracts include data processing agreements that specify the purpose and scope of processing, security measures, breach notification obligations, data return or deletion upon contract termination, and restrictions on sub-processing.

Personal Data Breach Notification

The DPDP Act requires Data Fiduciaries to notify both the Data Protection Board and affected Data Principals in case of a personal data breach.

What constitutes a breach

Any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. In an HR context: an employee's salary data emailed to the wrong person, a ransomware attack on the HRIS, an unauthorized person accessing employee health records, or a laptop containing employee data being stolen. Even accidental exposure counts.

Notification process

The Data Fiduciary must notify the Data Protection Board and each affected Data Principal 'without delay.' The Act doesn't specify an exact timeframe (unlike GDPR's 72 hours), but the rules will likely prescribe one. The notification must describe the nature of the breach, the personal data affected, and the measures taken to mitigate the impact. HR teams should have a breach response plan that includes identifying the scope of the breach, containing it, assessing the impact, notifying the Board and affected employees, and documenting lessons learned.

Penalties Under the DPDP Act

The penalty amounts are significantly higher than any previous Indian data-related regulation.

Maximum penalty by violation:

  • Non-fulfillment of obligations for children's data: Rs 200 crore (~$24M)
  • Failure to take reasonable security safeguards to prevent a data breach: Rs 250 crore (~$30M)
  • Failure to notify the Board and affected individuals of a data breach: Rs 200 crore (~$24M)
  • Non-compliance with additional obligations for Significant Data Fiduciaries: Rs 150 crore (~$18M)
  • Breach of any other provision of the Act or rules: Rs 50 crore (~$6M)
  • Data Principal furnishing false information or suppressing material information: Rs 10,000

Data Protection Statistics in India [2026]

Data on India's data protection readiness and the scale of personal data processing.

Rs 250 Cr: Maximum penalty for a single violation under the DPDP Act, among the highest globally (source: DPDP Act, 2023)
800M+: Internet users in India whose digital personal data is now protected under the Act (source: TRAI, 2024)
5 Years: Duration of India's journey from the Srikrishna Committee draft to the final DPDP Act (2018-2023) (source: MeitY)
72%: Indian organizations that reported at least one data breach in the past 12 months (source: IBM Cost of Data Breach Report, India, 2024)

Frequently Asked Questions

Is the DPDP Act fully operational?

The Act received Presidential assent on August 11, 2023, but the rules haven't been fully notified yet. The Central Government is expected to bring different sections into force on different dates. The Data Protection Board has been constituted. Organizations should start compliance preparation now because the Act will apply retroactively to existing data processing activities once the relevant sections are notified.

Do I need employee consent for processing payroll data?

Not for statutory obligations. Processing employee data for PF, ESI, TDS, and other legally mandated purposes falls under the 'performance of any function under any law' exemption. You don't need separate consent for these activities. However, processing employee data for non-statutory purposes, like wellness programs, satisfaction surveys, or social media monitoring, requires explicit consent.

How does the DPDP Act compare to GDPR?

The DPDP Act is simpler and less prescriptive than GDPR. It doesn't include concepts like legitimate interest, data portability, or a formal Data Protection Impact Assessment requirement (though Significant Data Fiduciaries must conduct periodic audits). Penalties under the DPDP Act are fixed maximums, not percentage-of-revenue based like GDPR. The DPDP Act also doesn't distinguish between controllers and processors to the same degree as GDPR. Overall, GDPR compliance gives you a head start, but it's not a complete substitute for DPDP Act compliance.

Can employees request deletion of their HR records?

Yes, but with important exceptions. Employees can request erasure of data that's no longer necessary for the purpose it was collected. However, statutory retention requirements override the erasure right. PF records, tax records, ESI records, and other data that must be retained under Indian law can't be deleted on request. Once the retention period expires and there's no legal basis for keeping the data, the employer should delete it.

What should HR teams do to prepare right now?

Three priority actions: First, map all employee personal data across every HR system and identify the legal basis for each processing activity. Second, update employment contracts and the employee handbook to include DPDP Act-compliant privacy notices. Third, review contracts with all HR tech vendors to ensure they include data processing agreements covering security, breach notification, and data deletion. Don't wait for the rules, as these foundational steps take months and the compliance window after notification may be short.

Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026