India's Digital Personal Data Protection Act 2023 (DPDPA) is the country's first comprehensive personal data protection law. For HR leaders, its implications are immediate and practical: the personal data your HR systems process — employee names, performance ratings, review transcripts, OKR records, bias-signal reports from AI-assisted tools — falls squarely within the Act's definition of personal data and will be regulated under it as its provisions are brought into force.
This is not a legal briefing. This is a plain-language operational guide for HR teams who need to understand what DPDPA means for their performance management processes and what they need to do before enforcement timelines are set.
What DPDPA Classifies as Personal Data in HR
- Employee identity data: Name, employee ID, work email, job title, department.
- Performance data: OKR scores, review ratings, competency assessments, feedback text, performance improvement plan records.
- AI-generated data: TARA session transcripts, bias-signal flags, sentiment analysis outputs. These are personal data because they relate to an identifiable individual; only genuinely aggregated outputs that cannot be traced back to a person fall outside the definition, and a transcript or per-employee flag never does.
- Consent records: When, how, and to what scope an employee provided consent for data processing.
The Consent Requirement Is Non-Negotiable
Under DPDPA §6, consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the stated purpose. It must also be as easy to withdraw as it was to give (§6(4)), and processing must stop within a reasonable time once it is withdrawn. This has direct implications for AI-assisted HR tools. If you use an AI system that records or analyses employee conversations — even for bias detection — you must obtain explicit consent from each employee before the session begins. Pre-ticking a box in the employment contract does not satisfy DPDPA's consent standard. The Act does allow some employment-related processing without consent (§7(i)), but whether AI recording and analysis of conversations falls within that narrow carve-out is untested, so the safe course is explicit, purpose-specific consent.
TalentSpotify's TARA agent handles this by presenting a plain-language consent screen at the start of every session, in the employee's preferred language. The consent is timestamped, stored, and linked to the session record. This is what DPDPA-compliant AI-assisted HR looks like in practice.
The HR Compliance Checklist
1. Audit your data inventory: List every category of personal data your HR systems collect and process, and the purpose each is collected for. Include your HRIS, performance management tool, payroll system, and any AI tools.
2. Identify your role: For employee data, you are the Data Fiduciary (the GDPR "controller"). Your HR software vendor is the Data Processor. The Act requires a valid contract before a processor is engaged (§8(2)), so your vendor agreement must include a Data Processing Agreement (DPA); note that you remain responsible for compliance regardless of what the processor does or what the contract says (§8(1)).
3. Implement granular consent: Ensure consent for AI-assisted tools is obtained separately from general employment consent, in plain language, scoped to named purposes, with a withdrawal mechanism that is as easy to use as the consent screen itself.
4. Set up grievance redressal: DPDPA §13 gives every employee the right to grievance redressal and requires you to respond within the period prescribed under the Act's rules. Designate a grievance officer and publish the contact details of a person who can answer employees' questions about their data (§8(9)).
5. Review your retention policy: DPDPA §8(7) requires personal data to be erased when the employee withdraws consent or when it is reasonable to assume the purpose for which it was collected is no longer being served, whichever comes first, unless another law requires you to keep it. Review how long you retain performance records, identify any statutory retention obligations, and establish deletion workflows.
6. Train your HR team: Every HR team member who processes employee personal data needs to understand their obligations under DPDPA.
DPDPA compliance is not a one-time project. It is an ongoing operational commitment. The organisations that treat it as infrastructure — built into their HR processes and vendor agreements from the start — will be far better positioned than those who retrofit compliance after enforcement begins.