DPDP Employee Data Rules: What Indian Employers Must Know
Indian employers must comply with DPDP for employee data. Learn what's required, when to act, and compliance costs from Meridian Bridge Strategy.
Yes, the Digital Personal Data Protection (DPDP) Act, 2023, applies to all employee personal data collected and processed by Indian businesses. This includes everything from hiring information to payroll, performance reviews, and health records.
Employers are considered 'Data Fiduciaries' under DPDP, holding significant responsibilities for protecting their employees' personal data. Non-compliance can lead to substantial penalties, making readiness crucial.
What This Means Right Now for Employers
Although the DPDP Act has been enacted, the full enforcement framework, including specific rules and effective dates, is still being formulated by the Indian government. However, businesses should not wait for these final rules to begin preparing.
The underlying principles of data protection, consent, and accountability are clear. Proactive preparation allows employers to identify gaps, implement necessary changes, and mitigate risks before enforcement begins.
What Employers Actually Need to Do for DPDP Compliance
Compliance with DPDP for employee data is not a one-time task but an ongoing commitment. Here are the core actions employers must take:
- Inventory and Map Employee Data: Understand every piece of personal data you collect about employees, where it's stored, who has access, and how it flows within your organization and to third parties (e.g., payroll providers, HR software vendors).
- Establish Lawful Basis for Processing: For most employee data, the 'legitimate uses' clause under DPDP will be relevant, particularly for employment-related processing. However, explicit consent may be required for certain sensitive data or non-essential processing. Reviewing existing consent mechanisms is critical.
- Implement Robust Security Measures: Protect employee data from unauthorized access, accidental loss, or breaches. This includes technical safeguards (encryption, access controls) and organizational measures (training, policies).
- Define Data Retention & Deletion Policies: Establish clear policies for how long different types of employee data are kept and when they must be deleted. Data should not be retained indefinitely once its purpose has been served.
- Set Up a Grievance Redressal Mechanism: Employees have the right to request access, correction, or deletion of their data. Employers must establish a clear process for handling these requests and appoint a Grievance Officer.
What DPDP Compliance for Employee Data Costs
The cost of achieving DPDP compliance for employee data varies based on your organization's size, complexity, and current data maturity. Sushant Pasamarty, founder of Meridian Bridge Strategy, recommends a phased approach, starting with understanding your data landscape.
MBS offers structured services that directly address the requirements for employee data compliance:
| Tier | What it includes | Price range | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow: who collects it, where it goes, which vendors touch it. Essential for understanding your employee data footprint. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion). Identifies specific areas where your HR processes fall short. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. Provides actionable steps for HR and IT to become compliant. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support + DPO Training + Final Readiness Opinion. Comprehensive support, including training your HR or compliance team for ongoing DPO functions. | ₹7L – ₹12L | 3-6 months |
For organizations with significant employee data, especially those using multiple HRIS, payroll, or benefits platforms, a Full DPDP Consulting engagement often provides the most robust solution. This includes support for creating compliant HR policies and employee data processing agreements.
When to Start Your DPDP Employee Data Compliance Journey
The best time to start was yesterday. Since specific enforcement dates are pending, a proactive approach ensures your business isn't caught off guard. Starting with a Data Mapping or a full DPDP Readiness Audit allows you to understand your current state and build a robust compliance plan.
Next Step: Assess Your Readiness
Every organization's employee data landscape is unique. To get a tailored understanding of your compliance needs and associated costs, use our free calculator. It will help you determine which MBS service tier aligns with your current situation.
Frequently Asked Questions
Does DPDP apply to historical employee data?
Yes, DPDP applies to all personal employee data, regardless of when it was collected, provided it is still being processed or held by the employer. Retention must align with purpose limitation.
Do I need new consent from existing employees under DPDP?
Not necessarily for all data. DPDP introduces 'legitimate uses' which cover many employment-related processing activities. However, for sensitive data or processing beyond typical employment purposes, fresh, explicit consent may be required. A DPDP Readiness Audit helps determine this.
How does DPDP affect employee background checks?
DPDP requires a lawful basis for all data collection, including during background checks. This means clearly informing candidates what data is collected, why, and how it will be used. Data collected must be limited to what is necessary for the hiring purpose.