How Does DPDP Act 2023 Impact HR Functions?

Introduction

The DPDP Act, short for Digital Personal Data Protection Act 2023, has become a pivotal element in India, promising to transform how organisations will be handling sensitive user data going forward. Its impact on HR functions is going to be substantial, reshaping the way companies manage employee information, recruitment, and more. In this article, we delve into the intricacies of how the DPDP Act can have a great influence on HR functions, exploring its implications and data management opportunities.

Want to skip the content?

Schedule a demo. 

Introduction to the DPDP Act: Empowering Digital Privacy in India

The DPDP Act of 2023, also known as the Digital Personal Data Protection Act, represents a pivotal milestone in India's legislative landscape. Passed by the Lok Sabha on August 9, 2023, and subsequently by the Rajya Sabha on August 11, 2023, this act stands as India's most comprehensive legal framework concerning protecting individuals' digital personal data. It addresses the pressing need for a structured approach to ensure individuals have visibility and control over their online personal information. Drawing inspiration from the European General Data Protection Regulation (GDPR) while incorporating unique features, the DPDP Act heralds a new era of digital privacy and data rights in the country.

Impact of the Digital Personal Data Protection Act 2023 on HR Functions

The Digital Personal Data Protection Act 2023, often referred to as the DPDP Act, is poised to usher in a new era of data protection and privacy in India. While its primary focus is safeguarding individuals' digital personal data, its implications will extend to various sectors, including Human Resources (HR). Here are key points on how this Act is set to reshape the way HR departments handle employee and candidate data, adding significant value in the process:

Ask for consent at every touchpoint related to data collection

HRs need to ask for consent while collecting employee or candidate data. This is one of the mandates of this new DPDP Act 2023. The consent will give the candidate and employee the ownership of their sensitive data to be used for a specific purpose. 

HRs can add a button or a disclosure remark whenever someone is filling out a form on their website, be it a client, employee, or candidate. 

Make exit management more reliable for references

HRs have to ask for the consent of their leaving or departing employees to store the data of the ex-employee at the backend. If the employee refuses, they will have to delete the data and maintain the privacy of their personal data. If and only if the employee gives consent, can the HR use the data for reference points and further analyse the company culture and the employee turnover rate. 

Data minimisation and purpose limitation

Each data the HR teams collect must have a purpose and be used only for that purpose. DPDP Act 2023 strictly focuses on the purpose for which the data is amassed or collected. To use the given or existing data for other purposes, which are not mentioned earlier in the consent, HRs will have to seek the consent of the concerned person again. 

There has to be a time-bound limitation on the data to be used. For instance, the employee data must only be used for audits and analytical purposes as long as that person is an employee of the firm. After they resign, HRs have to seek consent again from the same person to use the data, if needed. Otherwise, they will have to discard the data and never use it again.

Update the employment policy according to the DPDP Act terms and conditions

Recruiters and HR policymakers must mention clear terms and conditions for using the collected employee data. Employees must give digital consent along with the acknowledgement on that employee policy document to avoid any confusion later on. 

Candidates to have the rights to update or remove their data

Recruiters create a talent pool and often reach out to previous candidates whenever a new job opens. They draw several analyses of the efficiency of the job portal or job search engine by collecting various CVs against a job posted online. 

However, recruiters must be more cautious and concerned about this candidate data now. They will have to give options to the candidate to give consent to use the data even if their employment is rejected. If consent is not given, HRs cannot use their data for any analysis going forward. 

At the same time, they must add an RTI button or option on their website or portal for candidates to reach out and ask the recruiter to remove, edit, or update their existing information. 

Data transfer considerations

If HR departments transfer personal data outside India, they must ensure it complies with the Act's provisions. The Act's restrictions on data transfer could lead HR functions to reconsider outsourcing or offshoring practices and assess their data handling partners' compliance.

Enhanced data security

Data security is paramount under the DPDP Act, requiring data fiduciaries (including HR departments) to maintain robust security measures. HR functions will need to invest in stringent cybersecurity measures to protect sensitive employee and candidate information from potential data breaches, as per the Act's provisions. Later, they must hire a Data Protection Officer to help HR teams in seamless and timely audits in adherence to the latest guidelines published by the DPDP Act 2023. 

Conclusion

In conclusion, the Digital Personal Data Protection Act 2023 is set to redefine the landscape of data privacy and protection in India. HR departments must adapt swiftly, reshaping their practices and processes to align with the Act's provisions. While compliance may pose challenges, it presents an opportunity for HR to strengthen data management, bolster trust, and demonstrate commitment to data privacy in the digital age.

Contact us now. 

fShare

Tweet