DPDP Act 2023: The Complete Compliance Guide for Indian HR Teams
India's data protection law creates specific obligations for any platform that collects, stores, or processes candidate and employee data. This guide tells you what is required, what to check, and how to prepare.
April 2026 | Updated for DPDP Act 2023 enforcement
- 2023: Year DPDP Act passed
- 6: Core HR compliance obligations
- ₹250 Cr: Maximum penalty under the Act
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's primary legislation governing the collection, processing, and storage of digital personal data of Indian residents.
It was passed by the Indian Parliament in August 2023 and applies to any organisation, or platform operating on their behalf, that processes personal data of individuals in India.
For HR operations, the Act applies directly to:
- Candidate data collected during recruitment
- AI-generated assessments, interview recordings, and evaluation scores
- Employee and contractor personal records
- Third-party data processors (your HR platform vendor)
The Act establishes rights for data principals (candidates and employees) and obligations for data fiduciaries (your organisation) and data processors (your HR platform).
The 6 core obligations for HR operations
Consent before processing
What it requires: Explicit, specific consent must be obtained from the candidate before their personal data is processed. Consent cannot be bundled with other terms. It must be revocable.
What compliance looks like: A documented consent collection step before any application processing begins. Consent records stored with timestamp, scope, and candidate identity.
Age verification
What it requires: Processing of personal data of minors requires parental consent. Organisations must have a mechanism to verify that candidates are adults.
What compliance looks like: An age verification step built into candidate intake, with the result logged per candidate.
Purpose limitation
What it requires: Data collected for recruitment may only be used for recruitment. Using candidate data for other purposes requires separate, specific consent.
What compliance looks like: Platform-level restrictions on cross-purpose data use. No using candidate data for marketing, benchmarking, or product development without separate consent.
Data minimisation
What it requires: Only data necessary for the stated purpose should be collected.
What compliance looks like: Intake forms that capture only relevant professional data. No excessive personal data collection beyond what is needed to assess job fit.
Data rights (access, correction, deletion)
What it requires: Candidates have the right to access their data, correct inaccuracies, and request deletion. Organisations must respond within the Act's prescribed timeframe.
What compliance looks like: A structured data rights workflow in your HR platform. Every request logged with handler, action taken, and resolution date.
Data localisation
What it requires: Personal data of Indian residents must be stored in India or in adequacy-approved jurisdictions.
What compliance looks like: Confirmed data residency for your HR platform's data storage. Cloud-hosted platforms must disclose and document their data storage locations.
Additional requirements when AI is used in hiring
When AI is used to evaluate candidates (for screening, ranking, or interviewing), additional transparency requirements apply.
AI disclosure
Candidates must be informed that AI is being used to evaluate them, before evaluation begins. This is typically implemented as an AI disclosure banner at the start of an AI interview or assessment, with acknowledgment captured and stored.
Explainability
AI scoring systems should produce explainable outputs. A score without traceable evidence is legally indefensible and creates risk if challenged. Every AI evaluation score should reference the specific candidate inputs (transcript quotes, qualification checks) that generated it.
Human reviewability
Automated decisions affecting candidate progression should be reviewable by a human and subject to challenge. Fully automated rejection without any human oversight is higher-risk under the Act's transparency requirements.
A compliance checklist for your HR platform
Use this to assess whether your current hiring platform meets DPDP Act 2023 requirements.
How NeoHireX is built for DPDP Act 2023 compliance
- Consent management: Consent collected and logged before processing begins; consent withdrawal supported and logged
- Age verification: Built into candidate intake; result logged per candidate
- AI disclosure: Mandatory AI disclosure banner at start of every AI interview; acknowledgment captured and stored
- Data rights workflows: Structured access, correction, and deletion request handling with full audit log
- AI explainability: Every score backed by transcript evidence; no opaque outputs
- Data localisation: Configurable for Indian data residency requirements
- Audit logging: Full tamper-evident audit log; exportable for legal discovery
- Purpose limitation: Platform-level restrictions on cross-purpose data use
Need help with DPDP Act compliance?
Our team can walk you through how NeoHireX addresses each obligation, with a demo built around your specific hiring operation.