- DPDP Act 2023 received presidential assent in August 2023; operational rules are being notified in phases
- Penalties can reach ₹250 crore for significant data fiduciary breaches
- Eight specific changes Indian HR and IT teams need to make — most have a 6-12 month implementation runway
- Granular per-purpose consent and a designated Data Protection Officer (DPO) are the two biggest operational shifts
The Digital Personal Data Protection Act 2023 is India's first comprehensive personal-data-protection law. It received presidential assent on 11 August 2023. Operational rules and the staged enforcement timeline are being notified by the central government in phases.
As of May 2026, most operational rules are still pending. Once fully in force, the headline penalties — up to ₹250 crore for significant data fiduciary breaches — apply directly to Indian employers handling employee personal data.
This post explains eight specific changes Indian HR and IT teams should start making now, in priority order. Most have a 6-12 month implementation runway; doing them in advance is significantly cheaper than scrambling at notification.
Who the DPDP Act applies to
The DPDP Act covers any "Data Fiduciary" that processes "Personal Data" of "Data Principals." In employer-employee terms:
- Data Fiduciary: your company (the entity deciding how and why employee data is processed)
- Personal Data: any information that identifies an employee — name, email, phone, address, PAN, Aadhaar, monitoring activity logs, screenshots, biometric attendance, anything else that ties to a person
- Data Principal: your employees, contractors, and consultants whose data you handle
The Act applies whether the data is processed inside India or outside — meaning Indian companies using offshore SaaS tools (Hubstaff, ActivTrak, US-hosted HRMS) are still bound by it.
The 8 changes Indian HR and IT teams need to make
1. Move from blanket consent to granular per-purpose consent
Most employment contracts today have a single "we may monitor IT resources" clause. Under the DPDP Act, that bundled consent will not be enough. Each distinct purpose needs its own consent.
Old (bundled): "Employee consents to monitoring of IT resources for business purposes."
New (granular): separate consent flags for productivity measurement, DLP, security investigation, performance management, regulatory compliance. The employee can accept some and decline others.
Most monitoring platforms (including Headx) already support per-capability consent flags — turn them on now rather than retrofit later.
2. Publish a clear, plain-English privacy notice
The DPDP Act requires you to publish a notice before collecting personal data, written in clear and plain language, in English or in any of the 22 scheduled Indian languages, at the data principal's choice.
Minimum content of the notice:
- What data is being collected (specifically, not vaguely)
- The purpose of processing each category
- How the data principal can exercise their rights
- How to contact the Grievance Officer and the Data Protection Board
Practical implementation: publish a "Privacy Notice — Employees" page on your intranet, refresh annually, and link it from every onboarding pack.
3. Appoint a Data Protection Officer (DPO) if you are a Significant Data Fiduciary
"Significant Data Fiduciary" (SDF) is a designation the central government will issue based on volume and sensitivity of personal data, risk to data principals, potential impact on sovereignty and integrity of India, and other factors.
If your company is designated an SDF (large BPOs, banks, fintechs, healthcare aggregators are likely candidates), you must:
- Appoint a Data Protection Officer based in India who reports to the board
- Conduct periodic data protection impact assessments (DPIAs)
- Conduct periodic data audits by independent auditors
- Carry out other measures as may be prescribed
Even if you are not yet designated an SDF, appointing a DPO now is good practice. The role takes about 12 months to establish credibility internally.
4. Implement data-principal rights workflows
Employees (Data Principals) get four rights under the DPDP Act:
- Right to information about processing
- Right to correction and erasure of personal data
- Right to grievance redressal via the Grievance Officer
- Right to nominate someone to exercise rights in the event of death or incapacity
Operational implication: build a request workflow that can fulfil any of these within 30 days. For monitoring data specifically, this means an employee can ask for a copy of all screenshots, keystroke summaries, and activity logs about them. Be ready to deliver.
5. Implement consent withdrawal and erasure
The DPDP Act gives data principals the right to withdraw consent. Once withdrawn, the data fiduciary must stop processing and erase the data unless retention is required by another law (e.g., RBI, IRDAI, SEBI cyber-security frameworks).
Practical implementation:
- Build an "erase my data" workflow that triggers within 7 days
- Document any data you cannot erase (and the statute that requires retention)
- Ensure your monitoring software supports per-employee data deletion (most do; verify yours)
6. Tighten retention policies
The DPDP Act says personal data must not be retained longer than necessary for the purpose. Indefinite retention is no longer defensible.
Recommended retention defaults for monitoring data:
| Data type | Recommended retention | Why this period |
|---|---|---|
| Screenshots, activity logs | 30-90 days | Operational need (productivity reporting cycle) |
| DLP alerts and investigation evidence | 3 years | Audit and investigation windows |
| Security incident records | 3-7 years | Regulatory cyber-incident reporting requirements |
| Aggregate productivity metrics | Indefinite if anonymised | No personal identifier means no DPDP applicability |
| Employment record data | 3 years post-separation | Common labour-law evidence window |
Configure retention in your monitoring tool and document the choice. Auditors will ask.
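The per-purpose consent rule in item 1, the withdrawal and legal-retention exception in item 5, and the retention defaults in the table above can be encoded as a single policy check. The following Python is an added example, not Headx code and not a procedure the Act itself prescribes; the record fields, purpose names, the ISO-date convention and the choice of the upper end of each retention range are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Tuple

# Retention defaults taken from the table above (upper end of each range), in days.
RETENTION_DAYS = {
    "screenshot": 90,              # screenshots, activity logs: 30-90 days
    "activity_log": 90,
    "dlp_alert": 3 * 365,          # DLP alerts and investigation evidence: 3 years
    "security_incident": 7 * 365,  # security incident records: 3-7 years
    "employment_record": 3 * 365,  # 3 years post-separation (collected_on = separation date)
}

@dataclass
class Consent:
    """Per-purpose consent flags: the employee may accept some and decline others."""
    purposes: dict = field(default_factory=dict)

    def allows(self, purpose: str) -> bool:
        return self.purposes.get(purpose, False)

    def withdraw(self, purpose: str) -> None:
        self.purposes[purpose] = False

@dataclass
class Record:
    employee_id: str
    data_type: str                    # key into RETENTION_DAYS
    purpose: str                      # "productivity", "dlp", "security_investigation", ...
    collected_on: str                 # ISO date, e.g. "2026-01-01" (assumed convention)
    legal_hold: Optional[str] = None  # statute requiring retention, e.g. "RBI cyber framework"

def may_collect(purpose: str, consent: Consent) -> bool:
    """Item 1: a capture is permitted only if its specific purpose has live consent."""
    return consent.allows(purpose)

def erasure_decision(record: Record, consent: Consent, today: str) -> Tuple[str, str]:
    """Items 5 and 6: decide ('erase' or 'retain', reason) for one stored record."""
    if record.legal_hold:  # another law requires retention; document the statute
        return "retain", f"retention required by {record.legal_hold}"
    if not consent.allows(record.purpose):  # consent withdrawn or never given
        return "erase", f"no consent for purpose '{record.purpose}'"
    limit = RETENTION_DAYS.get(record.data_type)
    if limit is None:  # no default: anonymised aggregate data, or a policy gap to fix
        return "retain", f"no retention default for '{record.data_type}'"
    age = (date.fromisoformat(today) - date.fromisoformat(record.collected_on)).days
    if age > limit:
        return "erase", f"{age} days old, past the {limit}-day default"
    return "retain", f"{limit - age} days of retention remaining"
```

Run `erasure_decision` over every stored record on a schedule and log each reason string: the "retain" reasons that cite a statute are exactly the documentation item 5 asks you to keep.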
7. Map data flows and identify processors
Under the DPDP Act, you remain liable for data your processors (sub-processors in our world) handle on your behalf. You need to know exactly who has access to employee personal data.
Build a "data processing register" listing:
- Each category of employee personal data you handle
- The legal basis (consent, performance of contract, legal obligation)
- Internal teams and individuals who access it
- External processors (SaaS vendors, payroll providers, monitoring tools) who handle it
- Where the data is stored (Indian data centre, US data centre, on-premise)
- Retention period and erasure trigger
This register is the single most useful artefact for DPDP compliance. It also accelerates response to audit and customer security questionnaires by 70-80%.
8. Update vendor contracts with DPA addenda
Every SaaS vendor that processes employee personal data on your behalf needs an updated Data Processing Agreement (DPA) reflecting DPDP Act obligations:
- Vendor must process data only on your written instructions
- Vendor must implement reasonable security practices
- Vendor must notify you of any breach within a contractually agreed window (typically 24-72 hours)
- Vendor must facilitate data-principal-rights requests
- Vendor must erase or return data on termination
Most enterprise SaaS vendors (including Headx Monitor) provide a standard DPA on request. Smaller vendors may need to be pushed. Add DPA signature as a procurement requirement for any new vendor handling personal data.
The 250-crore penalty trap
The DPDP Act's penalty schedule has six categories. The ones most relevant to employers:
- Up to ₹250 crore — for failure to take reasonable security safeguards to prevent a personal data breach
- Up to ₹200 crore — for failure to comply with general obligations of a Significant Data Fiduciary (DPO appointment, DPIA, audit)
- Up to ₹150 crore — for failure to notify the Data Protection Board and affected data principals of a breach
- Up to ₹50 crore — for failure to comply with duties of a data fiduciary
These are upper limits. The Data Protection Board has discretion to assess actual penalty based on the nature, gravity, and duration of the breach, the type of personal data affected, and remedial action taken.
The pattern from similar regimes (GDPR in EU, comparable Asian laws) is that well-documented good-faith efforts at compliance significantly reduce penalties when something does go wrong. The data processing register, retention policy, DPO appointment, and DPA addenda all serve this defensive purpose.
Timeline: what to do by when
This quarter
- Build the data processing register
- Tighten retention defaults in your monitoring tool
- Update employee consent forms to be granular (see our consent form template)
- Publish a plain-English privacy notice on the intranet
Next quarter
- Appoint a Data Protection Officer (or designate one if SDF status not yet conferred)
- Request DPA addenda from your top 10 SaaS vendors handling personal data
- Build the data-principal-rights request workflow
- Run a tabletop exercise on breach notification (within 72 hours of detection)
Within 12 months
- Complete first Data Protection Impact Assessment for any high-risk processing activity
- External data audit by an independent firm
- Training programme rolled out to all employees handling personal data
- Annual review of retention policy and processing register
FAQ
When does the DPDP Act actually become enforceable?
Different provisions will be notified on different dates by the central government. As of May 2026, the operational rules have not been fully notified. Best estimate: significant operational requirements (rights workflows, DPO appointment for SDFs) will be enforced over the next 12-18 months. Plan as though full enforcement is 12 months away.
Does this affect on-premise monitoring deployments?
Yes. The DPDP Act applies to data processing, not the deployment model. On-premise simplifies sub-processor management (you have fewer parties handling the data) but the rights, consent, and retention obligations apply identically.
What is the relationship between the DPDP Act and the existing IT Act 2000?
The DPDP Act sits on top of the existing IT Act framework. Section 43A of the IT Act and the IT Rules 2011 remain in force. Where they conflict, the DPDP Act prevails on personal data matters. In practice, comply with the stricter of the two.
Are international standards like GDPR equivalent?
Mostly, yes — for a GDPR-compliant organisation, the gap to DPDP compliance is small. Notable differences: DPDP penalties are framed in Indian Rupees, the Data Protection Board's structure differs from the European Data Protection Board, and DPDP allows certain government processing exemptions not present in GDPR.
Where can I see the consent form template?
See our DPDP-aligned employee monitoring consent form template for ready-to-use consent clauses and standalone forms.
Does my BPO client contract supersede DPDP obligations?
No. Client contracts may add obligations on top of DPDP but cannot override statutory data-principal rights. Build compliance around the strictest of the three: DPDP Act, client contract, and any sector regulator (RBI, IRDAI, SEBI).
Want to put this into practice?
Headx ships every capability mentioned in this post on every plan. Cloud (SaaS) at ₹1,900/PC/mo or On-Premise at ₹1,499/PC/mo. 30-day money-back guarantee.