DPDP Workshop for HR: Mastering Employee Data Compliance

HR leaders in India: Understand the DPDP Act's impact on employee data. Learn about key compliance gaps, costs, and how MBS helps HR teams.

Sushant Pasumarty

What Does HR Need to Know About the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) directly impacts how Indian businesses manage employee data. HR teams are responsible for collecting, storing, processing, and sharing vast amounts of personal data belonging to current, past, and prospective employees. Non-compliance can lead to significant penalties, impacting both the organization and its reputation.

Understanding the DPDP Act isn't just a legal matter; it's an operational necessity for HR. This page outlines key aspects for HR professionals, offering practical insights and solutions from Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS).

What Role Does HR Own in DPDP Compliance?

HR teams are at the forefront of DPDP compliance due to their direct interaction with employee personal data. This data includes everything from recruitment applications and salary details to performance reviews and health records. Your responsibilities extend across the entire employee lifecycle.

  • Data Fiduciary: As the entity determining the purpose and means of processing personal data, your organization is a 'Data Fiduciary.' HR acts as a critical department in fulfilling these obligations for employee data.
  • Consent Management: Obtaining valid, specific, informed, and unambiguous consent from employees for various data processing activities is paramount. This includes processing for payroll, benefits, background checks, and even internal communications.
  • Data Protection Principles: Ensuring data minimisation, purpose limitation, storage limitation, and accuracy across all employee data records.
  • Data Principal Rights: Facilitating employees' rights to access, correction, erasure, and grievance redressal regarding their personal data.
  • Data Breach Management: Implementing protocols for identifying, reporting, and mitigating personal data breaches affecting employees.

Sushant's Tip: Many organizations overlook the granularity required for consent. A single blanket consent form for all employee data processing is unlikely to be compliant under the DPDP Act. Review each data processing activity independently.

Top 5 DPDP Gaps HR Teams Often Miss

Based on our work with numerous Indian businesses, MBS has identified common areas where HR teams often fall short in DPDP compliance:

  1. Outdated Consent Forms: Generic consent clauses that don't specify the purpose, categories of data, or duration of processing are non-compliant. Explicit consent for each data use is now required.
  2. Third-Party Vendor Management: Sharing employee data with payroll providers, background check agencies, or health insurers without robust data processing agreements (DPAs) or clear consent for third-party sharing.
  3. Lack of Data Mapping for Employee Lifecycle: Not having a clear understanding of where employee data resides, who has access, and how it flows from recruitment to offboarding.
  4. Inadequate Data Retention Policies: Retaining employee data beyond legal or business necessity, increasing the risk exposure in case of a breach or data subject request.
  5. Insufficient Training & Awareness: Employees who handle personal data daily, especially those in HR, lack specific training on DPDP principles and their responsibilities.

Cost to Fix: MBS DPDP Services for HR Teams

Meridian Bridge Strategy (MBS) offers structured DPDP services to help your HR team achieve and maintain compliance. Our productized tiers are designed to provide clear scope and predictable pricing, guided by Sushant Pasumarty.

| Tier | Includes | Price | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow relevant to HR, from recruitment to offboarding. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Detailed Gap Analysis specific to HR processes and employee data. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Audit + Tailored Recommendations for HR + 90-day roadmap for implementation. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation support for HR systems + DPO services for employee data + Readiness Opinion. | ₹7L – ₹12L | 3-6 months |

The DPDP Workshop is particularly popular with HR teams looking for actionable insights and a clear path forward. It moves beyond just identifying problems to providing a strategic plan for compliance.

Key Questions to Ask Your DPDP Vendor

Before engaging a vendor, ensure they understand the unique challenges of HR data. Ask these questions:

  • How do you specifically address employee data consent requirements under DPDP?
  • Can you provide examples of HR-specific data flow maps you've created?
  • What experience do you have in drafting or reviewing HR policies (e.g., privacy notices, data retention) for DPDP compliance?
  • How do you train HR staff on their specific obligations under the DPDP Act?
  • What support do you offer for managing data principal rights requests from employees?

Your Next Step for DPDP Compliance

Addressing DPDP compliance for employee data is a critical and urgent task for HR. Starting with a clear understanding of your current state and the specific gaps is essential. MBS, led by Sushant Pasumarty, is equipped to guide your organization through this process effectively.

We recommend starting with a Data Mapping or a DPDP Readiness Audit to gain foundational clarity on your HR data landscape. This will provide the necessary insights to plan your next steps efficiently and cost-effectively.

Explore our DPDP Readiness Audit to identify your specific HR compliance gaps and receive actionable recommendations. Your organization's employee data protection starts here.

Frequently Asked Questions

What is the biggest change for HR under the DPDP Act?

The biggest change is the requirement for explicit, specific, and informed consent for nearly every instance of processing employee personal data. Generic consent forms are no longer sufficient.

Does the DPDP Act apply to prospective employee data?

Yes, the DPDP Act applies to all personal data collected from individuals, including job applicants and candidates, even if they don't become employees. Consent and data minimization principles apply from the first interaction.

How can MBS help with DPDP compliance for HR?

MBS offers tailored services ranging from Data Mapping to Full DPDP Consulting. We help HR teams identify gaps, develop compliant policies, establish consent mechanisms, and provide training specific to employee data management, ensuring actionable strategies for compliance.

Talk to Sushant About Your DPDP Needs

Book a 30-minute call to discuss your compliance requirements and get a clear next step.