Guide · Feb 20, 2026 · 12 min read

DPDP Act 2023: A Complete Guide for HR Teams

What the Digital Personal Data Protection Act means for your employee data: Aadhaar storage, consent management, employee data rights, breach notification, and how to stay compliant.

Why HR Teams Should Care About DPDP

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. For HR and payroll teams, it fundamentally changes how you collect, store, and process employee personal data, including Aadhaar numbers, PAN, bank details, and health information.

Key Obligations for Employers

As a "Data Fiduciary" (the Act's term for any person or organisation that, alone or with others, determines the purpose and means of processing personal data), you must:

  • Have a lawful basis for every processing purpose. That is either consent that is free, specific, informed, unconditional and unambiguous, given for a clearly stated purpose (Section 6), or one of the Act's "legitimate uses" (Section 7), which include processing for the purposes of employment or to safeguard the employer from loss or liability. Relying on the employment legitimate use does not remove the duty to document the purpose and stick to it.
  • Honour employee rights under the Act: a summary of the personal data you hold and of how it is processed (Section 11), correction and erasure (Section 12), a grievance-redressal channel (Section 13), and nomination of someone to exercise these rights (Section 14). The Act grants no GDPR-style portability right and sets no 30-day clock of its own; response time limits come from the DPDP Rules, not the Act.
  • Implement data minimisation: collect only the personal data necessary for the stated purpose, and erase it once that purpose is served or consent is withdrawn, unless a law requires you to keep it (Section 8(7)).
  • Put reasonable security safeguards in place to prevent a personal data breach (Section 8(5)); for payroll data that means encryption at rest, access control and logging, not just a policy document.
  • Notify the Data Protection Board of India and every affected employee of a personal data breach (Section 8(6)). The Act itself fixes no deadline; the 72-hour figure comes from the DPDP Rules, which require intimation to the Board without delay and the detailed report within 72 hours.
  • Appoint a Data Protection Officer based in India if the Central Government notifies you as a Significant Data Fiduciary (Section 10). The trigger is that notification, which weighs the volume and sensitivity of the data and the risk to employees, not a fixed headcount. Every Data Fiduciary must still publish the contact details of a DPO or another person who can answer employees' questions about their data (Section 8(9)).

Aadhaar Data Handling

Aadhaar numbers require special handling. The DPDP Act does not single Aadhaar out (it is personal data like any other, so every obligation above applies), but UIDAI's Aadhaar Data Vault requirements add the following:

  • Aadhaar numbers must be stored in a dedicated encrypted vault (the Aadhaar Data Vault), not in your main HR or payroll database, with the encryption keys held in an HSM
  • Application databases should store only a reference key (token) for each Aadhaar number, never the number itself
  • Access to the vault must be restricted, and every access logged and auditable
  • Display only the last four digits (XXXX-XXXX-1234) in any UI, report or export, and keep full numbers out of application logs

How PeopleOS Ensures Compliance

PeopleOS was built with DPDP compliance from day one:

  • Aadhaar Data Vault — HSM-backed encryption with tokenisation. Your database never sees raw Aadhaar numbers.
  • Consent management — Built-in consent tracking for each data processing purpose
  • Data portability API — One-click employee data export in JSON format
  • Audit trail — Every data access logged with user, timestamp, and purpose
  • PII redaction — Personal data is automatically redacted before being sent to AI providers (ORIS AI)