    DPDP Act 2023: What Every Indian HR Platform Must Do

    NeoHireX Editorial Team · April 3, 2026 · 6 min read

    India's Digital Personal Data Protection Act 2023 came into force with specific implications for every organisation that collects, stores, or processes candidate and employee data. For HR teams and hiring platforms, the obligations are precise, and the consequences of non-compliance are significant.

    This article explains what the DPDP Act requires from the perspective of a hiring operation, what your HR platform must do to be compliant, and how to assess whether your current tools meet the standard.

    What the DPDP Act covers for HR operations

    The DPDP Act governs the processing of digital personal data of Indian residents. For HR and hiring operations, this includes:

    • Candidate data collected during application and screening
    • Interview recordings and AI-generated assessments
    • Employee personal and professional records
    • Contractor and placement data

    Any organisation that collects this data, and any platform that processes it on their behalf, must comply.

    The 6 obligations that matter most for HR platforms

    Obligation 1 - Consent before processing: Consent must be obtained from the data principal (the candidate or employee) before their personal data is processed. The consent request must be clear, specific, and separate from other terms. Consent for recruitment purposes cannot be bundled with consent for marketing.

    Obligation 2 - Age verification: Processing of personal data of minors requires parental consent. HR platforms must have a mechanism to verify that candidates are adults before collecting or processing their data.

    Obligation 3 - Purpose limitation: Data collected for recruitment may only be used for recruitment. Using candidate data for other purposes (marketing, benchmarking against external datasets, product development) requires separate consent.

    Obligation 4 - Data minimisation: Only data necessary for the stated purpose should be collected. Collecting excessive candidate data, beyond what is needed to evaluate job fit, is a compliance risk.

    Obligation 5 - Data rights: Candidates have the right to access, correct, and delete their personal data. HR platforms must support these requests through a documented process. Every request must be logged and resolved within the timeframe the Act requires.

    Obligation 6 - Data localisation: Personal data of Indian residents must be stored on servers located in India or in countries approved under the Act's adequacy framework. Cloud-hosted HR platforms must confirm their data residency configuration.

    The additional requirements specific to AI-powered hiring

    When AI is involved in hiring decisions (resume screening, interview scoring, candidate ranking), additional transparency obligations apply. These are not explicitly enumerated in the DPDP Act but are implied by the consent and transparency requirements and should be treated as mandatory best practice:

    • Candidates must be informed that AI is being used to evaluate them, before the evaluation begins. This is commonly implemented as an AI disclosure banner at the start of an AI interview.
    • AI scoring systems must be explainable. A score without evidence (a number with no reference to what generated it) is legally and ethically indefensible. Every AI score should be backed by specific, retrievable evidence from the candidate's interaction.
    • Automated decisions that affect a candidate's progression, such as automatic rejection below a score threshold, should be reviewable by a human and subject to challenge by the candidate.

    What to look for in your HR platform

    When assessing whether your current hiring platform is DPDP Act 2023 compliant, ask these questions:

    • Consent: Does the platform collect and store candidate consent before processing begins? Is consent scope documented?
    • Age verification: Does the platform check and log age before collecting candidate data?
    • Data rights: Can candidates submit access, correction, and deletion requests? Are these logged and trackable?
    • AI disclosure: If AI is used in screening or interviews, does the platform show a disclosure banner and capture acknowledgment?
    • Audit log: Is every data handling action logged with timestamp and user attribution?
    • Data residency: Where is candidate data stored? Is it within India or in an approved jurisdiction?
    • Retention policy: Can the platform enforce data retention limits and automate deletion after the defined period?

    If your platform cannot confirm compliance on each of these points, the compliance gap is a legal exposure for your organisation, not just the platform vendor.

    How NeoHireX addresses DPDP Act 2023

    NeoHireX was built for DPDP Act 2023 compliance from the ground up, not retrofitted:

    • Consent is collected and logged before any candidate data processing begins
    • Age verification is built into the candidate intake flow
    • AI disclosure banners appear at the start of every AI interview, with acknowledgment captured and stored
    • Candidates can exercise data rights through a structured workflow with full audit logging
    • Every AI decision is logged with the evidence that generated it, with no black-box outputs
    • Data residency is configurable for Indian organisations
    • Audit logs are tamper-evident and exportable for legal discovery
