HR Advisory · Compliance
The DPDP Act and Employee Data: An HR Compliance Guide
HR holds more sensitive personal data than almost any other function. The DPDP Act and its 2025 Rules change what you may collect, how long you may keep it, and what consent must look like.
Every HR function is, whether it thinks of itself this way or not, a large repository of sensitive personal data. Salaries, health declarations, performance records, background checks, candidate histories. The Digital Personal Data Protection Act, and the DPDP Rules 2025 that flesh it out, have changed what counts as personal data, what consent must look like, and how long you may hold any of it. For HR, this is not a legal-department problem to delegate. It is operational.
What changed in plain terms
The DPDP framework treats employee and candidate information as personal data that you process on a lawful basis, with obligations around consent, purpose limitation, and retention. Three shifts matter most for HR:
- Consent must be verifiable and specific. Under the DPDP Act you need verifiable digital consent for employee data — not a buried clause in a handbook nobody read.
- Collection must be purpose-limited. You collect what you need for a stated purpose, not everything you might one day find useful.
- Retention is bounded. Candidate information in particular cannot be held indefinitely. How long you keep a rejected applicant's data is now a question with a wrong answer.
The most common exposure is the resume database — thousands of candidate records, collected over years, kept forever, shared freely across the team, with no consent trail. Under DPDP, that database is a liability until you can show consent, purpose and a retention policy.
The HR data lifecycle, re-examined
Walk your own data lifecycle and ask the DPDP questions at each stage:
- Collection. At application and onboarding, are you collecting only what the stated purpose needs? Is consent captured verifiably?
- Storage. Where does the data live, who can access it, and is access scoped to need?
- Use. Is the data used only for the purposes consent was given for? This is where HR AI tools create new exposure — feeding candidate data to a third-party model is a new use that may exceed the original consent.
- Retention and deletion. Is there a defined period after which data is deleted, and does it actually get deleted?
Where HR AI and DPDP collide
The fastest-growing risk is the intersection with AI tools. A screening agent that sends candidate CVs to an external model is processing personal data in a way the candidate likely never consented to, possibly transferring it outside controlled storage, often with no audit trail. Before deploying any HR AI tool, answer: what data does it touch, where does that data go, what is the lawful basis, and can you show the trail? We cover the AI side in our piece on what actually works in HR AI.
A pragmatic starting checklist
- Map what personal data HR holds, where, and why.
- Replace blanket handbook clauses with specific, verifiable consent at collection.
- Set and enforce retention periods — especially for rejected-candidate data.
- Scope access to need; not everyone in HR needs everything.
- Vet every HR AI tool for what it does with the data before it touches real records.
- Keep an audit trail you could actually produce if asked.
The bottom line
DPDP compliance in HR is not a one-time project; it is a discipline applied to a lifecycle you already run. The functions that handle it well are not the ones with the longest policies — they are the ones who can answer, for any piece of employee data, four questions: why do we have it, on what basis, who can see it, and when does it go. If you can answer those, you are most of the way there.
Frequently asked questions
Does the DPDP Act apply to employee data?
Yes. Employee and candidate information is personal data under the DPDP Act, processed on a lawful basis with obligations around verifiable consent, purpose limitation, and retention. HR is one of the most data-intensive functions, so the impact is significant.
What consent does HR need under the DPDP Act?
The DPDP Act requires verifiable digital consent for employee data — specific and purpose-linked, not a buried clause in a handbook. Consent should be captured at the point of collection for a stated purpose.
How long can recruiters keep candidate data?
Not indefinitely. Retention must be bounded and tied to purpose. A common exposure is a resume database kept forever with no consent trail or retention policy, which becomes a liability under DPDP.
Do HR AI tools create DPDP risk?
Yes. A tool that sends candidate or employee data to an external model is processing personal data, often beyond the original consent and outside controlled storage. Vet every HR AI tool for what data it touches, where it goes, and whether you can show the trail before deploying it.
Making employee data defensible under DPDP
Palo Santo helps HR functions map their data lifecycle, fix consent and retention, and vet HR technology for DPDP exposure — turning a compliance worry into a clean, auditable system.
Explore HR technology advisory →