
DPDPA Compliance Checklist for Indian Recruiters in 2026

Bhaskar Krishnan
Founder & CTO, CVPRO
Tags: DPDPA, Compliance, Data Privacy, Indian Law, Recruitment

DPDPA 2023: What Every Indian Staffing Agency Must Know

India's Digital Personal Data Protection Act (DPDPA) 2023, which entered enforcement in phases starting mid-2025, fundamentally changes how staffing agencies collect, process, store, and share candidate data. For an industry built on managing personal information at scale, the implications are significant. Agencies that fail to comply face penalties up to ₹250 crore per violation, and more practically, risk losing enterprise clients who now require data privacy compliance from their staffing partners.

This is not a theoretical exercise. In 2025, two mid-sized staffing agencies in Bangalore received compliance notices from the Data Protection Board for sharing candidate data with clients without proper consent documentation. Neither faced the maximum penalty, but both lost enterprise contracts during the subsequent audit period. The message is clear: compliance is now a business requirement, not a legal nicety.

Understanding the DPDPA in Recruitment Context

The DPDPA applies to staffing agencies in three key ways:

  • As Data Fiduciaries: When you collect candidate data directly (through your website, job postings, or direct outreach), you are a Data Fiduciary with primary obligations for consent, purpose limitation, and data minimization.
  • As Data Processors: When you process candidate data on behalf of a client (screening against their requirements, sharing profiles with their hiring managers), you are a Data Processor with obligations around processing agreements and security.
  • As Data Sharers: When you share candidate profiles across your vendor network or with sub-vendors, you create data transfer obligations that require explicit consent and documentation.

The 20-Point DPDPA Compliance Checklist for Staffing Agencies

Consent Management (Points 1-5)

  • 1. Informed Consent Collection: Before adding any candidate to your database, collect explicit, informed consent. This means explaining in clear language what data you collect, why, how long you keep it, and who you share it with. A generic "by submitting your CV you agree to our terms" is no longer sufficient.
  • 2. Purpose-Specific Consent: Consent must be specific to each purpose. Collecting a CV for a Java developer role does not automatically authorize you to consider the candidate for a Python role or share their profile with a different client. Each new purpose requires fresh consent or a sufficiently broad initial consent statement.
  • 3. Consent Withdrawal Mechanism: Candidates must be able to withdraw consent easily. This means providing a simple process (email, portal, or WhatsApp message) for candidates to say "remove my data." Your system must be able to action these requests within the statutory timeframe.
  • 4. Minor Data Protection: If your database includes candidates under 18 (rare in IT staffing but possible for internship programs), verifiable parental consent is required before processing their data.
  • 5. Consent Records: Maintain auditable records of when and how consent was obtained for every candidate. If challenged, you must be able to demonstrate that consent was valid at the time of data processing.

Data Collection and Storage (Points 6-10)

  • 6. Data Minimization: Collect only the data you actually need. Many agencies routinely ask for Aadhaar numbers, PAN cards, passport details, and family information during initial screening. Under DPDPA, you cannot collect this data until it is specifically needed (e.g., background verification after offer acceptance).
  • 7. Purpose Limitation: Data collected for one purpose cannot be repurposed without additional consent. A candidate's address collected for location-based matching cannot be used for marketing mailers without separate permission.
  • 8. Retention Limits: Establish and enforce data retention policies. Candidate data should not be stored indefinitely. Industry best practice is 24-36 months for active candidates, with clear deletion procedures for inactive profiles.
  • 9. Data Accuracy: Take reasonable steps to keep candidate data accurate and up-to-date. Encourage candidates to update their profiles, and flag stale data (profiles not updated in 12+ months) for review or deletion.
  • 10. Secure Storage: Candidate data must be stored with appropriate security measures. This includes encryption at rest, access controls, and audit logging. Storing CVs in open shared folders or unprotected email inboxes is a compliance risk.

Data Sharing and Processing (Points 11-15)

  • 11. Client Data Sharing Agreements: Before sharing candidate profiles with clients, establish a Data Processing Agreement (DPA) that specifies what data is shared, how it can be used, and retention requirements on the client side.
  • 12. Sub-Vendor Data Controls: If you share candidate data with sub-vendors, the same consent and processing requirements apply. Your sub-vendors must have equivalent data protection measures, and you remain responsible for ensuring compliance.
  • 13. Resume Masking: Consider implementing resume masking, removing identifying information (name, gender, photo, age indicators) before sharing with clients. This simultaneously addresses bias reduction and data minimization requirements. CVPRO's resume masking feature automates this process.
  • 14. Cross-Border Data Transfer: If you share candidate data with clients or offices outside India, additional safeguards apply. The DPDPA requires government-notified countries or contractual safeguards for cross-border transfers.
  • 15. Data Breach Notification: If candidate data is compromised, you must notify the Data Protection Board and affected candidates within the statutory timeframe. Have an incident response plan ready before a breach occurs.

Candidate Rights and Agency Obligations (Points 16-20)

  • 16. Right to Access: Candidates can request a copy of all data you hold about them. Your system must be able to generate this report efficiently.
  • 17. Right to Correction: Candidates can request corrections to inaccurate data. Establish a process for handling these requests promptly.
  • 18. Right to Erasure: Upon valid request, you must delete a candidate's data. This is more complex than it sounds in a staffing context: you may need to retain certain records for legal compliance (tax records, contract documentation) even after deleting the CV and profile.
  • 19. Grievance Redressal: Appoint a Data Protection Officer or grievance officer and publish their contact details. Candidates must have a clear escalation path for data-related complaints.
  • 20. Staff Training: All recruiters handling candidate data must be trained on DPDPA requirements. Document this training as evidence of organizational compliance efforts.

How Technology Helps: CVPRO's Built-In Compliance Features

Manual compliance with DPDPA across thousands of candidate records is practically impossible. Modern ATS platforms built for the Indian market should have compliance features built in:

  • Automated Consent Tracking: CVPRO records consent timestamps, consent text, and communication channel for every candidate interaction. This creates an auditable trail without recruiter effort.
  • Data Retention Automation: Set retention policies by category. Active candidates retain data for 36 months; inactive candidates are flagged at 12 months and auto-deleted at 24 months unless re-engaged.
  • Right to Erasure Processing: One-click candidate deletion that cascades across all linked records, submissions, and assessment data. The system generates a deletion certificate for your records.
  • Resume Masking: Automatically strip identifying information before client sharing, reducing both bias and data exposure.
  • Access Controls: Role-based access ensures recruiters see only the candidate data relevant to their assignments. Sub-vendors see only the requirements and candidates assigned to them.

The Business Case for Compliance

Beyond avoiding penalties, DPDPA compliance is increasingly a business differentiator. Enterprise clients in BFSI, healthcare, and government sectors now include data protection requirements in staffing vendor RFPs. Agencies that can demonstrate DPDPA compliance win contracts that non-compliant competitors cannot even bid on.

The cost of compliance is modest compared to the business risk. A basic DPDPA audit and remediation typically costs ₹50,000-200,000 for a mid-sized agency. Compare this to the ₹250 crore maximum penalty, or more realistically, the revenue loss from failing an enterprise compliance audit.

Action Plan: Getting Compliant in 90 Days

  • Week 1-2: Audit your current data practices. Map what data you collect, where it is stored, who has access, and how long you retain it.
  • Week 3-4: Update your consent mechanisms. Revise your candidate registration forms, privacy policy, and data sharing agreements.
  • Week 5-6: Implement technical controls. Deploy encryption, access controls, and automated retention policies. Consider migrating to a DPDPA-compliant ATS like CVPRO.
  • Week 7-8: Train your team. Conduct DPDPA awareness sessions for all staff who handle candidate data.
  • Week 9-12: Test and document. Run a mock audit, test your right-to-erasure processes, and document everything for regulatory evidence.

DPDPA compliance is not optional, and it is not something you can address later. The agencies that treat it as an opportunity to build trust with candidates and clients will emerge stronger. Those that ignore it are taking an increasingly dangerous gamble with their business.
