
DPDP 2023 Compliance for Recruiters: A Practical Guide

India's Digital Personal Data Protection Act 2023 changes how recruiters handle candidate data. A clear, actionable compliance guide for hiring teams.

Nischith Kashyap, April 12, 2026, 9 min read

If you run a recruiting team in India in 2026, the Digital Personal Data Protection Act, 2023 (DPDP) is no longer optional reading. It is the law that decides whether your candidate sourcing, your interview recording, and your shortlist sharing are legal or actionable. This guide is the version we wish existed when our own team set up Neuradesk Hire.

What DPDP actually requires from recruiters

DPDP treats every candidate's resume, profile, screening note, scorecard, and interview recording as personal data. Under the Act, you, as the recruiter or as the org running recruiters, are a data fiduciary. The candidate is a data principal. That gives the candidate seven concrete rights and you ten concrete obligations. Most teams know this in the abstract. Few have wired it into their actual hiring workflow.

The seven rights candidates can exercise:

  1. The right to access all personal data you hold about them.
  2. The right to correction of inaccurate data.
  3. The right to erasure when the purpose is fulfilled (e.g., role closed).
  4. The right to withdraw consent at any time.
  5. The right to grievance redressal through your DPO.
  6. The right to nominate another person to act on their behalf.
  7. The right to be informed of any breach that involves their data.

The Act levies penalties up to ₹250 crore per breach for failure to maintain reasonable security safeguards. The Data Protection Board of India started accepting complaints in 2025. Several mid-sized startups have already been served notices. This is no longer hypothetical.

The five workflow changes recruiters must make

Most recruiting tooling was built before DPDP. ATS platforms imported from US contexts assume CCPA or GDPR. Naukri RMS, Greenhouse, Lever, and Workday all need workflow patches to be DPDP-compliant in India. Here is the practical playbook.

1. Capture explicit, versioned consent before processing

Every candidate must explicitly agree to your processing purpose before you store their data. Implicit consent (uploading a resume to a public job board) does not qualify under DPDP. The consent must be:

  • Specific: tied to one purpose (this role, this company)
  • Free: no coercion, no unrelated bundling
  • Informed: candidate sees what data, what purpose, what retention
  • Versioned: when your privacy policy changes, you must re-collect consent

Operationally this means: a checkbox at apply time is the floor. The ceiling is a versioned consent record stored in your audit log, with the policy text the candidate saw at consent time. Neuradesk Hire stores dpdpConsentVersion on every visibility change and re-prompts when the policy version increments.

2. Record interviews only with prior, informed consent

DPDP §6 requires that recording cannot be a pre-condition of the interview. The candidate must be told before the call starts that recording is happening, what it will be used for, and how long it will be retained. They must be free to decline without penalty.

The recording-consent dialog is not a corporate formality. If a court or the Data Protection Board ever asks for proof of consent, you need a timestamped record showing the candidate clicked "I consent" or "I decline" before the recording started. Storing the recording without that record is the violation.

3. Implement a real retention policy

DPDP §8(7) requires you to delete personal data when the purpose is fulfilled. The default for hiring is:

  • Active candidates: keep until role closes
  • Rejected candidates: 90 days unless explicit consent for talent pool
  • Hired candidates: data moves to HRIS under different lawful basis
  • Interview recordings: 30 days unless candidate consents to longer

The 30-day default for recordings is what most Indian privacy lawyers we have spoken with recommend as the safe baseline. Going longer is fine if you get explicit consent. Going indefinite without consent is the kind of pattern that gets a notice from the Board.

4. Maintain a tamper-evident audit trail

§8(8) requires reasonable security safeguards. In practice this means that when something goes wrong, you must be able to reconstruct what happened, when, and by whom. A plain Postgres audit table is not enough on its own: anyone with write access to it can edit or delete those rows after the fact, and nothing about the table reveals that this happened.

The current best practice is an HMAC-signed event chain: each audit entry is authenticated with an HMAC computed over its own content together with the previous entry's tag. Altering any historical entry changes its tag, which no longer matches what the following entry committed to, so the tampering is detectable from that point forward. Neuradesk Hire ships this as default. If you are using another ATS, ask the vendor explicitly: "is your audit log tamper-evident?" If they cannot answer in technical terms, assume no.
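As an added illustration (not Neuradesk Hire's implementation), here is a minimal HMAC-SHA256 event chain in Python with the verifier that locates the first tampered record; the key value, event field names and sample events are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                    # anchor tag for the first entry of an empty log
DEMO_KEY = b"constructed-demo-key"    # in production the key lives in a KMS, never in the DB

def _canonical(event: dict) -> bytes:
    # Stable serialisation so an identical event always produces the same tag.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def chain_tag(key: bytes, prev_tag: str, event: dict) -> str:
    # tag_n = HMAC-SHA256(key, tag_{n-1} || canonical(event_n))
    mac = hmac.new(key, prev_tag.encode(), hashlib.sha256)
    mac.update(_canonical(event))
    return mac.hexdigest()

def append_event(key: bytes, log: list, event: dict) -> dict:
    prev_tag = log[-1]["tag"] if log else GENESIS
    record = {"event": event, "prev": prev_tag, "tag": chain_tag(key, prev_tag, event)}
    log.append(record)
    return record

def verify_chain(key: bytes, log: list):
    # Returns (ok, index of first bad record). An edited, reordered or deleted
    # entry fails every check from that point on; silently dropping the newest
    # entries does not, which is why the head tag also needs an external anchor.
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        expected = chain_tag(key, prev_tag, rec["event"])
        if rec["prev"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev_tag = rec["tag"]
    return True, None

def verify_head(log: list, anchored_tag: str) -> bool:
    # Compare the current head tag with one exported earlier to write-once storage.
    return bool(log) and hmac.compare_digest(log[-1]["tag"], anchored_tag)

def sample_log(key: bytes = DEMO_KEY) -> list:
    # Constructed events mirroring the article's consent, recording and retention steps.
    log = []
    append_event(key, log, {"ts": "2026-03-01T09:00:00Z", "actor": "cand-42",
                            "action": "consent.captured", "dpdpConsentVersion": 3})
    append_event(key, log, {"ts": "2026-03-03T10:30:00Z", "actor": "cand-42",
                            "action": "recording.consent", "decision": "decline"})
    append_event(key, log, {"ts": "2026-04-02T00:00:00Z", "actor": "retention-job",
                            "action": "recording.deleted", "age_days": 30})
    return log
```

A chain on its own cannot detect removal of the newest entries, so export the head tag periodically to storage the database writer cannot touch and check it with `verify_head`.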

5. Designate and publish a Data Protection Officer

§10 requires every "Significant Data Fiduciary" (and most hiring teams qualify by data volume) to appoint a DPO whose contact information is publicly accessible. This is not a CEO-as-DPO situation. The DPO must be reasonably independent and reachable by candidates exercising their rights. Most Indian startups we have seen meet this requirement with a designated person in legal or operations, with a published email like dpo@yourcompany.com that goes to a real human.

What Neuradesk Hire ships out of the box

Because we built Neuradesk Hire in India after DPDP came into force, the compliance plumbing is not bolted on. It is the foundation:

  • Consent capture versioned at every visibility change
  • Interview recording consent dialog before any room provisioning
  • 30-day default retention on recordings, candidate-revocable any time
  • Tamper-evident HMAC audit chain for every action
  • CSV export of any candidate's full data within minutes of a §11 access request
  • Multi-tenant Postgres RLS ensuring no cross-org data leaks at the database layer

All of these ship in the Free tier so smaller teams are not gated out of being compliant.

What this costs to do well

Most ATS vendors will tell you their compliance is "industry-standard." That phrase usually means GDPR-ish, retrofitted for Indian customers. Real DPDP compliance is:

  • Engineering investment: 4-6 weeks for the audit chain alone, longer if multi-tenancy was retrofitted onto your data model.
  • Legal investment: ₹3-5L for an India-specific DPDP review of your privacy policy, retention schedule, and consent flows.
  • Operational investment: ongoing — DPO time, breach response drills, candidate-rights ticket queue.

The alternative — getting served a notice — is more expensive than all of the above combined.

Our take on what hiring teams should do this quarter

If you do nothing else this quarter, prioritize these three audits:

  1. Consent log audit: pull every candidate consent record from the last 12 months. Confirm each has a versioned policy reference and a timestamp. If your ATS cannot produce this, that is a problem.
  2. Retention audit: list every interview recording older than 90 days. Either delete them or document the explicit consent that justifies retention.
  3. Audit log audit: ask your ATS vendor to demonstrate their audit log is tamper-evident. If they cannot, plan a migration path.

DPDP is not going away. The teams that get compliant in 2026 will hire faster, sign deals faster, and pass enterprise vendor reviews faster. The teams that don't will spend 2027 in remediation.

Neuradesk Hire was built to be the easy answer to all three audits. Start hiring free and see your audit log on day one.

Tags: DPDP 2023, compliance, recruiter data handling, India hiring law, candidate consent
