The Digital Personal Data Protection Act, 2023 (DPDPA) can be regarded as one of the most decisive policy interventions by the policymakers of India to safeguard digital privacy and protect the multiple interconnected data nodes associated with citizens.

The DPDPA implementation phases, as outlined by policymakers, are expected to progress as follows:

Phase1: 3-November-2025 —Board Establishment and Governance Framework

Phase2: November-2026–Consent Management Implementation

Phase3: 13-May-2027–Full Compliance Implementation

I have frequently encountered the views by organizations that they are not subject to DPDPA compliance. In my considered opinion, however, many such organizations clearly fall within the scope of the Act

As part of an ongoing series, I will be publishing DPDPA cases across different industries, sectors, and domains.

The Vision of DPDPA

The fundamental vision of the Digital Personal Data Protection Act (DPDPA) is to ensure that all stakeholders collecting personal data of individuals working or residing in India adhere to transparent and accountable data governance practices.

The Act intends to ensure that data owners are fully aware of:

• The purpose for which their personal data is stored
• The location where their data is processed or maintained
• Their MACD rights (Modify, Access, Correct, Delete)
• The permitted scope of data usage
• Activities that cannot be carried out without explicit consent

DPDPA establishes a framework in which Data Principals retain visibility and control over their digital information, ensuring that personal data cannot be processed beyond the scope of informed consent.

Talent Acquisition: A Critical DPDPA Use Case

One of the most relevant yet under-examined domains from a DPDPA compliance perspective is the Talent Acquisition ecosystem.

Candidates routinely share extensive personal and professional information with the expectation that resume aggregators and recruitment platforms will safeguard their digital information and will not monetize it without informed consent.

In the current operating environment:

• Talent acquisition teams obtain licenses from resume aggregators
• Resume aggregators obtain consent from candidates
• Consent is typically captured through fine-print digital agreements and checkbox declarations
• Most candidates accept these terms without fully understanding the implications

From this point onward, candidate data typically flows through multiple layers:

• Resume Aggregators
• Corporate Talent Acquisition Teams
• HR Departments
• HR Consulting Firms
• Recruitment Service Providers

This results in a multi-layered personal data distribution ecosystem.

Fundamental DPDPA Compliance Questions

The following foundational questions provide clarity regarding DPDPA compliance liabilities:

• Did the resume aggregator obtain valid consent through verifiable channels such as voice, SMS, or email?
• Were candidates adequately informed about all possible scenarios in which their digital data may be used?
• What is the defined data retention period?
• What mechanisms exist for exercising the Right to be Forgotten?
• Were Data Principals informed about support and grievance redressal mechanisms?
• Who serves as the designated point of contact or Data Protection Officer (DPO)?
• Are Level 2 and Level 3 escalation mechanisms defined if initial concerns remain unresolved?

Data Distribution Risks and Compliance Challenges

Under DPDPA:

• Resume aggregators function as Data Fiduciaries
• Candidates act as Data Principals
• Organizations utilizing the data function as Data Processors or Joint Fiduciaries

The moment digital information is shared or monetized, several practical compliance challenges emerge.

Key Risk Areas

1. Who is ultimately accountable and responsible for digital personal data protection?
2. If a Data Principal exercises the Right to be Forgotten, whom should they approach?
3. Does the repeated positioning of candidate information by Talent Acquisition teams to multiple clients constitute a potential DPDPA violation?
4. How does the Data Fiduciary ensure that Level 0 through Level 3 downstream entities maintain compliant data protection mechanisms?
5. What are the implications if candidate data is used for advertising or profiling purposes?
6. Who bears responsibility if candidate information is shared or sold to third-party marketers?

DPDPA and the Protection of Digital Currency

Personal data is increasingly becoming the digital currency of the modern economy, attracting interest from global organizations as well as malicious actors.

The Digital Personal Data Protection Act (DPDPA) represents one of the most important regulatory frameworks for protecting India’s digital assets and citizen privacy.

It is particularly noteworthy that many global organizations demonstrate strong adherence to GDPR compliance standards in Europe, while simultaneously exploiting regulatory gaps within India.

With the progressive implementation of DPDPA, organizations must reassess their recruitment processes, data governance frameworks, and consent management practices.

Author Disclaimer

The author is a B. Tech, M. TECH, Business Continuity, and GDPR-certified professional with more than two decades of industry experience.

The views expressed in this article are purely personal and are not intended to disrespect any company, policy framework, or legal jurisdiction.