Profiden
May 15, 2026

India's DPDP Act 2023: What It Means for Your Background Verification Workflows

The Digital Personal Data Protection Act is now in force. Here is exactly what consent frameworks, data localisation, and processing grounds mean for organisations running background checks — and how to stay compliant without slowing down hiring.

Ananya Krishnan
Head of Legal & Compliance at Profiden. Former privacy counsel at a Big 4 firm, specialising in India data protection law.

Why the DPDP Act Changes Everything for HR and Compliance Teams

India's Digital Personal Data Protection Act, 2023 — commonly called the DPDP Act — received Presidential assent in August 2023 and has been in phased enforcement since early 2025. For any organisation that collects, processes, or stores personal data of Indian residents, the implications are significant. For background verification specifically, where sensitive personal data is at the core of every workflow, the Act introduces obligations that go far beyond a simple policy update.

This post walks through the five most important changes DPDP introduces for verification workflows, what the compliance gaps typically look like in practice, and how you can close them without grinding hiring to a halt.

1. Consent Must Be Free, Specific, and Informed

The DPDP Act requires that consent for personal data processing be freely given, specific, informed, and unambiguous. For background verification, this means you can no longer bury a consent clause inside a 40-page employment contract and call it done.

Each verification type — identity check, criminal record search, address verification, employment history, education credentials — must be called out individually in the consent notice. The candidate must understand:

  • What data is being collected and from which sources
  • Who the data is being shared with (your background screening vendor)
  • How long the data will be retained
  • Their right to withdraw consent and what that means for the employment process

This pushes HR teams to build structured, purpose-specific consent flows — something that most legacy applicant tracking systems are not equipped to handle out of the box.

2. Data Minimisation Is Now a Legal Obligation

Section 6 of the DPDP Act codifies the principle of data minimisation: you may only collect personal data that is necessary for the stated purpose. In the context of background verification, this has a direct operational implication: running a full suite of checks on every hire, regardless of role sensitivity, is no longer compliant by default.

A practical checklist for data minimisation in BGV:

  • Map each role to a risk tier (executive, operations, frontline, gig)
  • Define the minimum checks required per tier
  • Ensure your screening vendor does not retain raw data after the report is delivered
  • Document your justification for each data point collected

3. Purpose Limitation Restricts Reuse of Verification Data

Data collected for pre-employment screening cannot be repurposed for other uses — including periodic re-screening — without fresh consent. This is a significant shift for organisations that have historically used onboarding data to run annual background refresh checks.

The practical fix is to build re-screening consent flows that are triggered separately from onboarding. Platforms like Profiden now support consent-linked case creation, so a re-screening workflow will not launch until a fresh, purpose-specific consent has been recorded and timestamped.

4. Rights of Data Principals (Candidates)

The DPDP Act grants candidates the right to access, correct, and erase their personal data. Your verification workflow must now support:

  • Access requests: The ability to show a candidate exactly what data was collected, from where, and what was shared with whom
  • Correction requests: A process to rectify inaccurate data that was used in a verification report
  • Erasure requests: Deletion of personal data once the stated retention period has passed or on request, subject to legal hold exceptions

If you are using a third-party screening vendor, you need contractual assurance that they will support these rights within the mandated response window (currently 30 days for most requests).

5. Cross-Border Data Transfer Restrictions

The DPDP Act gives the central government powers to restrict transfer of personal data to certain countries. While the list of restricted jurisdictions has not yet been finalised, organisations using global background screening vendors who process data offshore should audit their data flows now.

Key questions to ask your vendor:

  • Where are verification reports stored?
  • Which subprocessors outside India have access to Indian resident data?
  • Do you have data residency options for Indian clients?

What a DPDP-Compliant Verification Workflow Looks Like

A fully compliant workflow in 2025 looks something like this:

  1. Candidate receives a structured consent notice, broken down by verification type
  2. Consent is captured digitally, timestamped, and linked to the candidate's case record
  3. Only the checks consented to are initiated — no bundled catch-all packages
  4. Verification data is processed and stored within India (or in a jurisdiction approved under DPDP rules)
  5. The report is delivered and the raw data is purged per the agreed retention schedule
  6. Candidate can request access, correction, or erasure through a defined channel

Closing Thoughts

The DPDP Act is not a compliance checkbox — it is a structural change to how organisations must think about personal data. For background verification teams, the good news is that the core of the Act aligns with what good verification practice already looks like: purpose-specific, minimal, consented, and auditable. The work is in the tooling and documentation, not in reinventing your process from scratch.

Profiden's platform has been designed with DPDP principles built into every workflow — from candidate-facing consent capture to automated data purge schedules. If you would like a walkthrough of how we handle these requirements in practice, get in touch with our compliance team.
