DPDP HR Compliance Checklist: Employee Data in India
Ensure your HR operations are DPDP compliant. Use this checklist for employee data, covering collection, processing, and retention.
DPDP HR Compliance Checklist: Employee Data
The Digital Personal Data Protection Act (DPDP) impacts how Indian businesses manage employee personal data. This checklist helps HR teams identify and address critical compliance areas, ensuring you meet legal obligations for collecting, processing, and retaining employee information.
Sushant Pasamarty, founder of Meridian Bridge Strategy (MBS), has structured this guide to be actionable. Each item includes a recommended owner, a time estimate, and potential costs if external support is required. This makes the checklist scannable and practical for immediate implementation.
Phase 1: Data Inventory & Consent Foundation
- Action: Map all personal data collected from employees.
  - Owner: HR Head, IT Security
  - Time Estimate: 1-2 weeks
  - Cost (External): ₹1.5L – ₹3L (MBS Data Mapping)
  - Details: Document every piece of personal data (e.g., name, address, PAN, Aadhaar, bank details, medical records, performance reviews) collected during recruitment, onboarding, employment, and exit. Identify where it is stored and processed, and who has access to it.
- Action: Review and update employee consent mechanisms.
  - Owner: HR Head, Legal
  - Time Estimate: 1 week
  - Cost (External): Included in MBS DPDP Readiness Audit
  - Details: Ensure consent is free, specific, informed, unambiguous, and affirmative. Update offer letters, employment contracts, and privacy notices to clearly state data processing purposes. Provide an easy withdrawal mechanism.
- Action: Establish a clear 'Notice of Purpose' for all data processing activities.
  - Owner: HR Head, Legal
  - Time Estimate: 3-5 days
  - Cost (External): Included in MBS DPDP Readiness Audit
  - Details: For each type of personal data collected, clearly articulate the specific, lawful purpose. Communicate this to employees at or before the point of collection.
- Action: Implement 'Data Minimisation' principles.
  - Owner: HR Head, Process Owners
  - Time Estimate: Ongoing review (initial 1 week)
  - Cost (External): Part of MBS DPDP Workshop recommendations
  - Details: Only collect personal data that is strictly necessary for the stated purpose. Review existing forms and processes to eliminate superfluous data collection.
Phase 2: Data Processing & Security Measures
- Action: Identify and vet all third-party vendors processing employee data.
  - Owner: HR Head, Procurement, IT Security
  - Time Estimate: 2-3 weeks
  - Cost (External): ₹2L – ₹6L (MBS DPDP Readiness Audit for DPA review)
  - Details: This includes payroll providers, background check services, HRIS/ATS platforms, and benefits providers. Understand what data they process and where. For a deeper dive, see our DPDP Vendor Audit Checklist.
- Action: Draft or update Data Processing Agreements (DPAs) with all vendors.
  - Owner: Legal, HR Head
  - Time Estimate: 2-3 weeks
  - Cost (External): Included in MBS DPDP Readiness Audit or Full DPDP Consulting
  - Details: Ensure DPAs include DPDP-compliant clauses on data security, purpose limitation, audit rights, and breach notification.
- Action: Implement robust data security measures for employee data.
  - Owner: IT Security, HR Head
  - Time Estimate: Ongoing
  - Cost (External): Potentially part of Full DPDP Consulting (implementation support)
  - Details: This includes access controls, encryption, pseudonymisation, regular security audits, and data breach response plans.
- Action: Define data retention policies based on legal and business needs.
  - Owner: HR Head, Legal
  - Time Estimate: 1 week
  - Cost (External): Included in MBS DPDP Workshop recommendations
  - Details: Establish clear periods for how long different types of employee data will be kept, and a process for secure deletion once the purpose is served.
- Action: Design and implement an internal grievance redressal mechanism for employees.
  - Owner: HR Head, Legal
  - Time Estimate: 1-2 weeks
  - Cost (External): Included in MBS DPDP Workshop
  - Details: Appoint a Grievance Officer and publish their contact details. Ensure a clear process for employees to exercise their rights (e.g., right to access, correction, erasure).
Phase 3: Ongoing Compliance & Accountability
- Action: Conduct regular internal DPDP compliance audits for HR processes.
  - Owner: Internal Audit, HR Head
  - Time Estimate: Quarterly/Bi-annually
  - Cost (External): ₹5L – ₹10L (MBS DPDP Workshop includes audit framework)
  - Details: Periodically review compliance with consent, data minimisation, security, and retention policies.
- Action: Establish a Data Breach Notification Protocol specific to employee data.
  - Owner: IT Security, HR Head, Legal
  - Time Estimate: 1 week
  - Cost (External): Included in MBS DPDP Workshop recommendations
  - Details: Define steps for identifying, containing, and assessing a breach, and for notifying the Data Protection Board of India and affected employees.
- Action: Appoint a Data Protection Officer (DPO) or designate an equivalent.
  - Owner: Leadership Team
  - Time Estimate: 2-4 weeks (for selection/appointment)
  - Cost (External): Included in MBS Full DPDP Consulting (DPO Training)
  - Details: For Significant Data Fiduciaries, this is mandatory. For others, it is best practice to have a dedicated point person for data protection. Consider whether to hire internally or outsource this function.
- Action: Review and update employee privacy policies annually.
  - Owner: HR Head, Legal
  - Time Estimate: 2-3 days
  - Cost (External): Part of ongoing support in MBS Full DPDP Consulting
  - Details: Ensure policies reflect any changes in DPDP regulations, business operations, or data processing activities.
What This Costs: DIY vs. MBS Services
Implementing this checklist requires significant internal resources, especially legal and technical expertise. Sushant Pasamarty notes that while DIY is possible, it often consumes substantial internal time and carries higher risk if not executed perfectly.
| MBS Service Tier | What it includes (Relevant to HR Compliance) | Price Range | Duration | Benefits for HR Compliance |
|---|---|---|---|---|
| Data Mapping | Map every personal data flow: who collects it, where it goes, which vendors touch it. | ₹1.5L – ₹3L | 1-2 weeks | Establishes the foundational understanding of all employee data. |
| DPDP Readiness Audit | Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion). | ₹2L – ₹6L | 2-4 weeks | Identifies specific gaps in your HR data practices against DPDP requirements. |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. | ₹5L – ₹10L | 4-6 weeks | Provides a clear, actionable plan for HR teams to achieve DPDP compliance. |
| Full DPDP Consulting | Workshop + Implementation Support + DPO Training + Final Readiness Opinion. | ₹7L – ₹12L | 3-6 months | Comprehensive support for HR to implement recommendations, including DPO training relevant to employee data. |
For organizations with significant employee data or complex HR systems, engaging with experts like Meridian Bridge Strategy can significantly de-risk the compliance process and accelerate readiness. Use our free calculator on dpdpworkshop.com to understand which tier fits your needs.
Next Step: Assess Your Current HR Data Landscape
The first step towards compliance is understanding your current state. Use this checklist to begin an internal review. For a structured approach and expert guidance, consider how MBS can support your journey. Sushant Pasamarty and the MBS team bring a wealth of experience from identity verification and cybersecurity, which are critical for robust HR data protection.
Frequently Asked Questions
What is the biggest DPDP challenge for HR departments in India?
The biggest challenge for HR departments is accurately mapping all personal data collected from employees, ensuring valid consent for each processing purpose, and managing the lifecycle (retention and deletion) of this data in a compliant manner.
Does DPDP require specific security standards for employee data?
DPDP requires Data Fiduciaries to implement 'reasonable security safeguards' to prevent a data breach. While it doesn't specify technologies, it implies measures proportionate to the risk and volume of data, such as access controls, encryption, and regular security audits.
How does DPDP affect employee background verification processes?
DPDP mandates explicit, informed consent from the employee for background verification, clearly stating what data will be collected, why, and who it will be shared with. Data minimisation also applies, meaning only necessary information should be collected for the stated purpose. Data Processing Agreements with verification vendors are crucial.