DPDP Act for HR and Employee Data India — Complete Employer Compliance Guide 2026

India’s DPDP Act 2023 applies to all digital personal data — and that includes the salary records, biometric data, health information, performance reviews, and PAN/Aadhaar numbers your organisation holds for every employee. With full enforcement due by May 13, 2027, HR and legal teams across India are now asking the same question: what, exactly, do we need to do?

This guide gives Indian employers a complete, legally verified answer. We cover when consent is required vs. when the legitimate use exemption applies, what rights employees gain as Data Principals, what your HRMS and payroll vendors need by way of contractual protection, and a six-step employer compliance action plan you can execute before the deadline.

1. Does the DPDP Act Apply to Employee Data?

Yes — unambiguously. The DPDP Act 2023 defines “personal data” as any data about an identifiable individual. Employee data fits squarely within this definition: names, PAN, Aadhaar, salary details, bank account numbers, biometrics (fingerprint, face scan), health records, performance assessments, disciplinary records, and communications.

There is no blanket exemption for employment data in the DPDP Act, and no dedicated employment condition of the kind found elsewhere (the UK's Data Protection Act 2018, for instance, carries a specific Schedule 1 condition for processing special category data for employment purposes). What the DPDP Act does provide is a legitimate use basis under Section 7 that removes the consent requirement for most routine HR processing, a distinction that many HR professionals conflate with an exemption. It is not an exemption from the Act; it is an alternative legal basis within the Act.

2. The Consent vs. Legitimate Use Framework

Understanding when you need employee consent — and when you don’t — is the central compliance question for HR teams. The DPDP Act provides two distinct legal bases that are relevant to employers:

Legitimate Use (Section 7) — No Consent Required

Section 7 of the DPDP Act permits Data Fiduciaries to process personal data for specified “legitimate uses” without requiring explicit consent. For employers, the relevant legitimate use grounds include:

  • Employment purposes (Section 7(i)): processing necessary for recruitment, evaluation, onboarding, payroll, tax compliance, performance management, disciplinary proceedings, and termination
  • Statutory compliance (Section 7(d)): filing PF, ESIC, TDS and other returns where a law obliges the employer to disclose employee personal data to the State or its instrumentalities
  • Safeguarding the employer (Section 7(i)): preventing corporate espionage, protecting trade secrets and the confidentiality of intellectual property, and investigating suspected misconduct that exposes the employer to loss or liability
  • Benefits administration (Section 7(i), "provision of any service to, or benefit sought by" an employee): managing insurance, gratuity, and other statutory or contractual benefits

For these purposes, the employer as Data Fiduciary does not need to obtain consent before processing. Be precise, though, about what the Act says on notice: the Section 5 notice is required whenever consent is requested, so any HR processing that falls back on consent must carry one. Section 7 processing carries no statutory notice duty, but the employer must still publish the contact details of its DPO or other responsible person (Section 8(9)) and operate a grievance redressal mechanism (Section 8(10)), and employees' grievance rights apply regardless of the legal basis. In practice a single HR privacy notice is how employers discharge all of this, which is why section 3 treats one as essential even where consent is never sought.

Consent Required — Processing Outside the Employment Relationship

Explicit, purpose-specific consent is required for any HR data processing that falls outside the legitimate use grounds. Common situations where employers get this wrong:

| Processing activity | Legal basis | Consent required? |
|---|---|---|
| Payroll processing and TDS filing | Legitimate use (statutory compliance) | No |
| Background verification pre-joining | Legitimate use (employment purpose) | No |
| PF and ESIC filings | Legitimate use (statutory compliance) | No |
| Performance management and appraisals | Legitimate use (employment purpose) | No |
| CCTV surveillance in workplace | Legitimate use (safeguarding employer) | No (with notice) |
| Sharing employee data with group companies for unrelated marketing | Outside employment relationship | Yes |
| Using employee biometrics for external AI model training | Outside employment relationship | Yes |
| Sharing employee health data with insurer beyond statutory obligation | Outside employment relationship | Yes |
| Employee directory shared with third-party brokers | Outside employment relationship | Yes |
⚠️ Proportionality Check: Legitimate use is not a licence to collect anything HR-adjacent. Section 7(i) covers processing "for the purposes of employment", so data that the employment purpose does not actually require falls outside the basis and would need consent. The Act has no free-standing data-minimisation clause of the GDPR kind, but the effect is similar: collecting an employee's entire medical history when only a fitness-for-work certificate is relevant to the job cannot be justified under Section 7(i), and without consent it breaches the Act.

3. The HR Privacy Notice Obligation

Whether processing rests on consent or on legitimate use, employers should give employees one clear HR privacy notice. Where consent is the basis, the notice is mandatory and must accompany or precede the consent request (Section 5(1) of the Act and Rule 3 of the DPDP Rules 2025). For processing that rests purely on Section 7, the Act prescribes no notice, but Section 8(9) still requires you to publish the contact details of your DPO or other responsible person, employees' grievance rights apply regardless, and almost every HR function has at least some consent-based processing. A single notice is the practical way to cover all of this; a generic clause buried in the employment contract satisfies neither the Section 5 content requirements nor the plain-language standard the Act sets.

A DPDP-compliant HR Privacy Notice should include:

  1. What personal data is collected, by category (name, Aadhaar, PAN, bank details, health records, biometrics, and so on)
  2. The purpose of each processing activity, in clear and plain language
  3. The legal basis for each activity: consent or legitimate use, and which Section 7 clause where legitimate use is claimed
  4. Third parties with whom data is shared (HRMS vendor, payroll processor, background check company, statutory authorities)
  5. Retention periods: how long each category of data is retained and why
  6. Employee rights: how to access, correct or erase their data, how to withdraw consent, how to raise a grievance, and how to complain to the Data Protection Board of India
  7. Contact details of the grievance officer or DPO

Items 1, 2 and 6 are the statutory core of a Section 5 notice (the data and its purpose, how to exercise rights, how to complain to the Board); item 7 is required by Section 8(9); items 3 to 5 are not spelled out in the Act but are what makes the notice defensible when an employee or the Board asks how a given record came to be processed.

Language requirement: Section 5(3) requires the Data Fiduciary to give the Data Principal the option to access the notice in English or in any of the 22 Indian languages listed in the Eighth Schedule to the Constitution. For organisations with large workforces across multiple states, this is a material operational obligation, particularly for blue-collar and manufacturing workforces where employees may not read English.

4. Employee Rights Under the DPDP Act

Employees become “Data Principals” under the DPDP Act and acquire four enforceable rights against their employer as Data Fiduciary:

Right to Access and Summary

Under Section 11, employees can obtain a summary of the personal data being processed and of the processing activities, together with the identities of every other Data Fiduciary and Data Processor with whom the data has been shared and a description of what was shared. One scoping caveat comes from the Act's own text: Section 11 attaches to data processed on the basis of consent (including the deemed consent of Section 7(a)). For data processed purely under Section 7(i) the Act does not confer the right, though most employers will honour access requests anyway, since refusing invites a grievance and protects little.

Right to Correction and Erasure

Under Section 12, employees can request correction, completion or updating of inaccurate data and erasure of data that is no longer necessary. The same consent-based scoping applies as for access. More important for HR, Section 12(3) allows the employer to refuse erasure where retention is necessary for the specified purpose or for compliance with any law: an employer cannot erase payroll records needed for Income Tax Act compliance simply because an ex-employee requests it. The erasure right yields to legal retention requirements.

Right to Grievance Redressal

Employees can raise a grievance with the employer’s designated grievance officer. If unresolved within the prescribed period, they can escalate to the Data Protection Board of India (DPBI). This creates a direct regulatory complaint pathway from employee to regulator — making HR data compliance a governance risk, not just a legal formality.

Right of Nomination

Employees can nominate a successor to exercise their data rights in case of death or incapacity — a provision particularly relevant for organisations managing gratuity, PF, and survivor benefit data for deceased employees.

5. HRMS and Payroll Vendors as Data Processors

Every HR technology vendor that processes employee personal data on your behalf is a Data Processor under the DPDP Act, and Section 8(2) permits a Data Fiduciary to engage a processor "only under a valid contract". In practice that means a written Data Processing Agreement with each of them. Note also that Section 8(1) keeps the employer responsible for compliance in respect of any processing done on its behalf, regardless of what the contract says, so the DPA is how you control the risk, not how you transfer it.

Common HR tech vendors that require DPAs:

  • HRMS platforms (Darwinbox, Keka, GreytHR, SAP SuccessFactors, Workday) — employee records, leave management, org data
  • Payroll processors (ADP, Ramco, Sage) — salary, bank details, TDS, statutory deductions
  • Background verification companies (AuthBridge, IDfy, HireRight) — candidate identity, criminal, educational, employment history
  • Attendance and biometric systems — fingerprint data, face recognition (the Act defines no separate "sensitive data" category, but a biometric template cannot be reissued after a breach, so it warrants the strictest safeguards and the narrowest retention)
  • Learning management systems — training records, assessment scores
  • Employee engagement and survey tools — potentially sensitive sentiment and mental health-adjacent data

Each DPA must at minimum specify: the processing purpose, security safeguards required (Rule 6 of DPDP Rules 2025), immediate breach notification to the employer, restrictions on sub-processing, and data return or certified deletion at contract termination. See our Data Processing Agreement under the DPDP Act guide for the full DPA clause requirements.

6. Data Retention for HR Records

One of the most practically complex HR compliance challenges is data retention. The DPDP Act requires that personal data be erased once it is no longer necessary for the purpose collected — but multiple labour and tax laws impose minimum retention periods that override this. Employers must navigate both obligations simultaneously.

| HR data category | Applicable law | Minimum retention period |
|---|---|---|
| Payroll and salary records | Income Tax Act 1961 | 7 years from end of relevant assessment year |
| PF contribution records | Employees' Provident Funds Act 1952 | 5 years after last entry |
| ESIC records | Employees' State Insurance Act 1948 | 5 years |
| Gratuity records | Payment of Gratuity Act 1972 | Until gratuity is paid and disputes resolved |
| Employment contracts | Contract Act + limitation period | 3 years post-termination (safe: 7 years) |
| Background verification reports | No specific law (business need) | Duration of employment + 3 years |
| CCTV footage | No specific law | 30 to 90 days unless an incident occurred |
| Disciplinary records | Industrial Disputes Act | Until any dispute is time-barred (typically 3 years) |

For data beyond its statutory retention period with no further business justification, Section 8(7) requires erasure as soon as it is reasonable to assume the specified purpose is no longer being served, and requires the employer to have its Data Processors erase their copies too. "We might need it someday" is not a valid retention basis under the Act.

7. Special Considerations: Large Employers and Significant Data Fiduciaries

Organisations that process very large volumes of employee data may be designated as Significant Data Fiduciaries (SDFs) by the Central Government under Section 10 of the DPDP Act. While the formal SDF notification list has not yet been published, the Act specifies that factors including the volume and sensitivity of data processed will be considered.

SDFs face additional HR-relevant obligations:

  • Mandatory Data Protection Officer (DPO) based in India — for large employers, this means the DPO must have oversight of HR data processing, not just customer data
  • Annual Data Protection Impact Assessments (DPIAs) covering high-risk processing activities — biometric attendance systems and AI-driven performance management tools are likely candidates
  • Independent annual data audits — by a qualified independent data auditor

Even for organisations that do not qualify as SDFs, implementing DPO and DPIA practices proactively is considered best practice and demonstrates good faith in any DPBI proceeding.

8. The Employer Compliance Action Plan — Six Steps Before May 2027

  1. HR Data Inventory: Map every data flow — what employee data is collected, from which sources, for which purposes, shared with which vendors, retained for how long. This inventory is the compliance foundation.
  2. Classify by Legal Basis: For each processing activity, determine whether it falls within legitimate use (no consent needed) or requires explicit, purpose-specific consent. Document this in your Data Processing Register.
  3. HR Privacy Notice: Draft a standalone, DPDP-compliant privacy notice for employees. Deploy to all current staff. Integrate into the onboarding process. Make it available in relevant Indian languages.
  4. DPAs with All HR Vendors: Issue DPA addenda to every HRMS, payroll, background verification, and attendance vendor. Each DPA should bind the processor to the Rule 6 security safeguards, to notify the employer of any breach fast enough for the employer to meet its own clocks (CERT-In's 6-hour incident-reporting window, and the DPDP Rules' duty to intimate the Board and affected employees without delay, with the detailed report due within 72 hours), and to return or delete data on termination.
  5. Employee Rights Mechanism: Establish and publish a process for employees to exercise access, correction, and erasure rights. Designate and publish the grievance officer’s contact details.
  6. Retention and Deletion Policy: Map each HR data category to its applicable legal retention period. Implement automated deletion or anonymisation at the end of the retention period. Test and document the deletion process.
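The retention table in section 6 and step 6 above describe the logic an automated deletion job has to implement: a fixed or condition-based minimum per category, a legal-hold override, and erasure requests that yield to statutory minimums but not to vague business need. The Python below is an added example written for this guide, not code from MYITMANAGER or any HRMS vendor. The category names, helper functions, sample records and dates are constructed, and the periods are taken from the table exactly as the page states them; confirm them against the statutes before relying on the schedule.

```python
"""Retention-schedule evaluator for HR records (added example, not from the page).
Applies the per-category minimums from the retention table, a legal-hold override,
and the Section 12(3) rule that erasure requests yield to statutory retention."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    RETAIN = "retain"   # minimum still running, or legal hold
    ERASE = "erase"     # minimum elapsed and no hold: erase or anonymise now
    REVIEW = "review"   # no fixed date, or business-need retention vs an erasure request

@dataclass(frozen=True)
class Record:
    category: str
    employee_id: str
    created: date                       # date of the record itself (pay run, capture, filing)
    termination: Optional[date] = None  # last working day; None while still employed
    legal_hold: bool = False            # open dispute or litigation hold

@dataclass(frozen=True)
class Rule:
    law: str
    statutory: bool                             # True when a law fixes the minimum
    expiry: Callable[[Record], Optional[date]]  # None = condition-based, no fixed date

@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + n, day=28)

def fy_end(d: date) -> date:
    """31 March closing the Indian financial year that contains d."""
    return date(d.year if d.month <= 3 else d.year + 1, 3, 31)

def income_tax_expiry(r: Record) -> date:
    """7 years from the end of the relevant assessment year, i.e. the FY after
    the one in which the salary was paid (the table's Income Tax Act row)."""
    return add_years(add_years(fy_end(r.created), 1), 7)

def after_termination(years: int) -> Callable[[Record], Optional[date]]:
    return lambda r: add_years(r.termination, years) if r.termination else None

# Schedule keyed to the retention table above; periods as the page states them (constructed keys).
SCHEDULE: dict[str, Rule] = {
    "payroll":      Rule("Income Tax Act 1961", True, income_tax_expiry),
    "pf":           Rule("EPF Act 1952", True, lambda r: add_years(r.created, 5)),
    "esic":         Rule("ESI Act 1948", True, lambda r: add_years(r.created, 5)),
    "gratuity":     Rule("Payment of Gratuity Act 1972", True, lambda r: None),  # until paid, disputes closed
    "contract":     Rule("Contract Act / Limitation Act", True, after_termination(7)),
    "disciplinary": Rule("Industrial Disputes Act", True, lambda r: add_years(r.created, 3)),
    "bgv":          Rule("business need (no statute)", False, after_termination(3)),
    "cctv":         Rule("business need (no statute)", False, lambda r: r.created + timedelta(days=90)),
}

def decide(r: Record, today: date, erasure_requested: bool = False) -> Decision:
    rule = SCHEDULE[r.category]
    if r.legal_hold:
        return Decision(Action.RETAIN, "legal hold / open dispute")
    expiry = rule.expiry(r)
    if expiry is None:
        if r.termination is None:
            return Decision(Action.RETAIN, "employment ongoing: purpose still served")
        return Decision(Action.REVIEW, f"{rule.law}: condition-based period, needs sign-off")
    if today > expiry:
        return Decision(Action.ERASE, f"{rule.law}: minimum elapsed on {expiry}")
    if erasure_requested and not rule.statutory:
        # Section 12(3): retention defeats erasure only for the specified purpose or legal compliance
        return Decision(Action.REVIEW, f"{rule.law}: document the Section 12(3) justification or erase")
    return Decision(Action.RETAIN, f"{rule.law}: minimum runs to {expiry}")

def evaluate(category: str, created: str, today: str, termination: Optional[str] = None,
             erasure_requested: bool = False, legal_hold: bool = False) -> str:
    """ISO dates in, action name out; convenient for testing each row of the table."""
    r = Record(category, "test", date.fromisoformat(created),
               date.fromisoformat(termination) if termination else None, legal_hold)
    return decide(r, date.fromisoformat(today), erasure_requested).action.value

if __name__ == "__main__":
    left = date(2025, 1, 31)
    sample = [  # constructed records for one former employee who has asked for erasure
        Record("payroll", "E42", date(2019, 6, 15), left),
        Record("payroll", "E42", date(2017, 2, 10), left),
        Record("bgv", "E42", date(2021, 6, 1), left),
        Record("gratuity", "E42", date(2025, 2, 15), left),
        Record("cctv", "E42", date(2026, 1, 1), left, legal_hold=True),
    ]
    for r in sample:
        d = decide(r, date(2026, 5, 13), erasure_requested=True)
        print(f"{r.category:10} {r.created}  {d.action.value:7} {d.reason}")
```

Run as a script it prints one line per record for the constructed ex-employee, showing the 2019 pay record retained under the Income Tax Act while the 2017 one falls due, the background check parked for a documented Section 12(3) decision, and the gratuity file held for human sign-off. Fixed periods run from the record's own date, so old pay records of a current employee also come due; whether to treat an active employee's whole file as still in purpose is a policy choice that belongs in the written retention policy.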

Need Help Making Your HR Function DPDP-Ready?

MYITMANAGER delivers end-to-end DPDP compliance for HR teams — data inventory, privacy notice drafting, vendor DPA execution, employee rights mechanisms, and DPO support. Founder-led, CISM + CIPP/E qualified, with experience across India’s largest consumer brands.

Get a Free HR Compliance Assessment →

Frequently Asked Questions: DPDP Act and Employee Data

Does the DPDP Act apply to employee data?

Yes. There is no blanket exemption for employment data. The DPDP Act applies to all digital personal data, including salary, Aadhaar, PAN, biometrics, health records, and performance data held by employers.

Do Indian employers need employee consent for HR processing?

Not for most routine HR processing. Section 7’s legitimate use basis covers recruitment, payroll, statutory compliance, and performance management without requiring consent. Consent is required for processing outside the employment relationship — sharing data with unrelated third parties, using data for commercial purposes, or processing sensitive data beyond what the employment contract justifies.

Must employers issue a privacy notice to employees even under legitimate use?

The Act's Section 5 notice is tied to consent requests, so there is no statutory duty to serve a notice for processing that rests purely on Section 7 legitimate use. Employers should issue one anyway: most HR functions mix legitimate-use and consent-based processing, Section 8(9) requires published contact details for the DPO or responsible person, and employees' grievance rights apply whatever the legal basis. One HR privacy notice explaining what data is processed, for what purposes, on which basis, with which third parties, for how long, and how to exercise rights discharges all of these at once.

Can employees demand their data be deleted after leaving the company?

The erasure right under the DPDP Act yields to statutory retention obligations. Payroll records must be retained for 7 years (Income Tax Act), PF records for 5 years, and employment contracts for at least 3 years. Data beyond statutory retention periods with no further business justification should be deleted — but legal minimums take precedence over erasure requests.

Do we need DPAs with our HRMS vendor?

Yes. Every vendor that processes employee personal data on your behalf — HRMS, payroll, background verification, biometric attendance — is a Data Processor under Section 8(2) of the DPDP Act, and a written Data Processing Agreement is mandatory. A vendor’s own privacy policy or ISO 27001 certificate does not substitute for a DPA.

