Article 2

DPDP Compliance Checklist for HRMS (India)

A practical article for understanding privacy-first controls in HR systems without slowing operations.

Tags: Data Protection · HR Security · Legal Compliance

DPDP Article Highlights

The main compliance areas covered in this article.

Consent

Collect only when lawful, record consent context, allow withdrawal.

Access

Role-based access, MFA, session rules, and account lockouts.

Data controls

Encrypt sensitive data and keep complete audit logs.

Retention

Apply legal and business retention rules, not indefinite storage.

Core DPDP Points Covered in This Article

Employee Consent

  • Obtain clear consent before collection
  • Capture consent purpose and date
  • Allow withdrawal under policy

Data Collection

  • Collect only required HR fields
  • Exclude unnecessary personal data
  • Review field list every quarter

Purpose Limitation

  • Use data only for HR and payroll purposes
  • Block cross-functional misuse
  • Log purpose mismatch for exceptions
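The consent and purpose-limitation bullets above, as an added example that is not part of the original article: a small consent ledger that records purpose and date, honours withdrawal, and writes purpose-mismatch exceptions to an audit log. The purpose labels, the `ConsentStore` API and date-based validity are assumptions made for illustration, not any particular HRMS product's design.

```python
# Added example: consent ledger with purpose limitation (assumed design, not from the article).
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumption: the only permitted purposes are HR administration and payroll.
ALLOWED_PURPOSES = {"hr_admin", "payroll"}


@dataclass
class ConsentRecord:
    employee_id: str
    purpose: str                      # why the data was collected
    given_on: date                    # consent context: when it was recorded
    withdrawn_on: Optional[date] = None  # set when the employee withdraws


@dataclass
class ConsentStore:
    records: List[ConsentRecord] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)  # purpose-mismatch exceptions

    def record_consent(self, employee_id: str, purpose: str, on: date) -> ConsentRecord:
        # Collect only for a lawful, pre-declared purpose.
        if purpose not in ALLOWED_PURPOSES:
            raise ValueError(f"purpose {purpose!r} is not an HR/payroll purpose")
        rec = ConsentRecord(employee_id, purpose, on)
        self.records.append(rec)
        return rec

    def withdraw(self, employee_id: str, purpose: str, on: date) -> bool:
        # Withdrawal closes the active record but keeps it for audit.
        for rec in self.records:
            if rec.employee_id == employee_id and rec.purpose == purpose and rec.withdrawn_on is None:
                rec.withdrawn_on = on
                return True
        return False

    def check_access(self, employee_id: str, purpose: str, on: date) -> Tuple[bool, str]:
        """Allow a use only if an active consent covers this purpose; log every mismatch."""
        if purpose not in ALLOWED_PURPOSES:
            self.audit_log.append(f"{on} DENY {employee_id}: purpose {purpose!r} outside HR/payroll")
            return False, "purpose not permitted"
        for rec in self.records:
            if rec.employee_id == employee_id and rec.purpose == purpose:
                # Active on the day asked about: given on or before, not yet withdrawn.
                if rec.given_on <= on and (rec.withdrawn_on is None or on < rec.withdrawn_on):
                    return True, "consent active"
        self.audit_log.append(f"{on} DENY {employee_id}: no active consent for {purpose!r}")
        return False, "no active consent"
```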

Secure Authentication

  • Strong password policy
  • Multi-factor authentication
  • Role-bound views and manager visibility

Encryption & Logs

  • Protect data in transit with HTTPS/TLS
  • Secure password storage
  • Audit logins and salary updates

Backup & Recovery

  • Scheduled backups
  • Documented recovery flow
  • Controlled restore process

Implementation Notes

Use these notes to understand which HRMS controls should be reviewed before going live.

Third-Party Integrations

Recheck access controls and data scope before enabling biometric, payment, SMS, email, and cloud services.

Employee Rights

Enable view, correction, and deactivation-request workflows with internal policy guardrails.

Conclusion

DPDP compliance is not a one-time checklist. Build review cycles for consent, access, integration security, and data retention every month.
