DPDP Act 2023 & BGV: What HR Teams Must Know

Most HR teams in India have spent the last year hearing about the DPDP Act in one of two ways: as a compliance item sitting somewhere on the legal team’s to-do list, or as a vague threat involving large penalties. Neither framing is particularly useful when you’re the one actually running background checks on candidates every week.

So here’s the more practical version — what the DPDP Act 2023 actually changes for background verification, what it means for your day-to-day hiring process, and where most HR teams are quietly getting it wrong right now.

First, the Context

The Digital Personal Data Protection Act, 2023, was passed in August 2023. Its operational framework — the DPDP Rules, 2025 — was notified in November 2025 and is being rolled out in a phased manner through 2026. For HR functions specifically, full enforcement is no longer something to prepare for — it’s already underway.

Before the DPDP Act, background verification existed in a regulatory grey zone. India had the IT Act, 2000 and the SPDI Rules, 2011, which required consent before collecting sensitive personal data — but enforcement was patchy, and most employers treated BGV as an administrative formality rather than a data processing activity with legal obligations attached to it.

That framing no longer holds. Under the DPDP Act, background verification is unambiguously a personal data processing activity, and every check your team initiates — identity, employment history, education, criminal records, address — falls squarely within its scope.

What the DPDP Act & BGV Intersection Actually Looks Like

Let’s break this down by what the law actually requires, not in legalese, but in terms of what changes in your hiring workflow.

1. You Are Now a Data Fiduciary — Whether You Like It or Not

Under the DPDP Act, any organisation that determines the purpose and means of processing personal data is a “Data Fiduciary.” In a BGV context, that’s your company — not your BGV vendor.

This is the part that catches most HR teams off guard. The assumption that outsourcing verification to a third-party provider transfers legal responsibility is wrong. Outsourcing the check does not outsource the liability. If your BGV vendor mishandles a candidate’s data — shares it without authorisation, retains it longer than permitted, or doesn’t have adequate security protocols — you, as the Data Fiduciary, remain accountable to the Data Protection Board of India.

This means the choice of BGV partner is no longer just a commercial decision. It is a compliance decision with direct legal implications.

2. Consent Must Be Explicit, Specific, and Standalone

Under the DPDP Act, the basis for running background checks on a candidate is their explicit, informed, and purpose-specific consent. This is where most existing BGV processes — even those that technically obtained “consent” — fall short.

Here’s what doesn’t count as valid consent anymore:

A clause buried inside the offer letter asking the candidate to agree to “verification and related processes”

A broad “I agree to terms” checkbox on your careers portal

The assumption that submitting a job application implies permission to verify credentials with third parties, former employers, and government databases

What does count: a standalone consent document, separate from the offer letter, written in plain language, that specifies exactly which checks will be conducted, which agencies will be involved, how long the data will be retained, and what rights the candidate has. The DPDP Rules 2025 additionally require that this be available in regional languages for organisations operating pan-India.

If your current consent form was drafted before November 2025, there is a high chance it does not meet the updated standard. This isn’t a minor procedural gap — it’s the legal foundation of your entire BGV process.

3. Purpose Limitation and Data Minimisation Are Now Enforceable

One of the more consequential requirements of the DPDP Act for BGV is the principle of purpose limitation — data collected for background verification can only be used for that purpose. It cannot be repurposed for anything else.

The complementary principle is data minimisation — you can only collect what is genuinely necessary for the specific role being filled. Running a full-suite criminal check on every hire, regardless of role, without documented justification is now considered overcollection under the Rules.

In practice, this means HR teams need a role-risk matrix: a documented mapping of job categories to the checks those roles actually justify. A delivery executive, a software engineer, and a Chief Financial Officer don’t need the same set of checks, and running identical suites across all of them creates a compliance risk. That matrix needs to be available for regulatory review if required.

4. Data Retention Has a Hard Limit

Here is a practice that is almost universal in HR — and almost universally non-compliant: storing rejected candidates’ BGV reports indefinitely, “just in case.”

Under the DPDP Rules 2025, data on candidates who are not hired must be deleted within 180 days. There is no ambiguity here, and no “business need” exception that allows you to hold onto it longer without specific legal grounds. Background verification reports are personal data. Keeping them on a shared drive or in your HRMS because they might be useful someday is a data retention violation.

For hired candidates, retention periods must be defined, documented, and honoured. When an employee exits, their BGV records don’t automatically become yours to keep forever — they remain personal data subject to the Act.

5. The 24-Hour Breach Notification Requirement

If candidate or employee data processed during BGV is compromised — whether through a vendor breach, an internal systems failure, or unauthorised access — the DPDP Act requires breach notification to the Data Protection Board of India within 24 hours.

This is not a comfortable timeline. It means HR teams need clear internal protocols for identifying, escalating, and reporting data incidents, along with airtight Data Processing Agreements with BGV vendors that require them to notify you immediately upon discovering a breach on their end.

Where HR Teams Are Getting It Wrong Right Now

Having worked with thousands of organisations across industries in India, we see a few failure patterns that show up repeatedly in how companies are managing the DPDP Act & BGV intersection:

The consent form hasn’t been updated. A form written in 2022 or 2023 was not written against the DPDP Rules 2025. Most pre-Rules consent forms don’t specify retention timelines, don’t clearly enumerate which third parties will receive candidate data, and don’t disclose candidate rights adequately.

There’s no signed Data Processing Agreement with the BGV vendor. This is mandatory under the DPDP Act, not optional. If you’re running checks through a provider and haven’t formalised this agreement, the liability gap is real.

Checks are being run uniformly regardless of role. Without a documented role-risk matrix, the data minimisation principle is being violated by default.

BGV records of rejected candidates are sitting in systems with no deletion workflow. The 180-day limit requires an active process to delete this data — it doesn’t happen on its own.

What a DPDP-Compliant BGV Process Looks Like

Getting this right doesn’t require rebuilding your hiring process from scratch. It requires updating four things:

Consent infrastructure — A standalone, purpose-specific, plain-language consent form, digitally executed and timestamped, with a full audit trail.

Vendor agreements — A signed Data Processing Agreement with your BGV provider that includes DPDP-compliant data handling, deletion timelines, breach notification obligations, and audit rights.

Role-risk documentation — A written matrix mapping roles to the checks they justify, maintained by HR or compliance and available for regulatory review.

Retention and deletion workflows — Active processes for deleting rejected candidate data within 180 days, and defined retention periods for employee BGV records tied to their employment lifecycle.

Platforms built for the current regulatory environment — like OnGrid — handle the consent collection, audit trails, and data processing architecture in ways that are already calibrated to DPDP requirements. That’s not a small thing when the Data Protection Board of India is now an active enforcement body with penalties reaching up to ₹250 crore for serious violations.

The Bottom Line for HR Teams

The DPDP Act 2023 didn’t change whether background verification is legal in India — it absolutely still is, and it’s more necessary than ever given how widespread resume fraud remains. What it changed is the conditions under which verification can legally take place.

Consent that was good enough in 2023 may not be good enough in 2026. A vendor relationship that felt secure two years ago may now be a liability gap without a Data Processing Agreement. A BGV process that ran smoothly without incident is not the same as a process that is legally defensible under the framework now in force.

The question for every HR team is not whether to comply, but how quickly you can close the gaps between your current process and what the law now requires. The organisations that treat this as a compliance upgrade — rather than a threat — will find that it also makes their hiring process more transparent, candidate-friendly, and trustworthy.

That’s not a bad outcome for anyone.
