The DPDP Act and Hiring: Why Your HR Tech Stack Might Be Non-Compliant | Setidure Technologies
Indian enterprises process thousands of Aadhaar copies, PAN cards, and salary slips during hiring season. Most HR tech stacks send that data to foreign clouds. Here is why that is a compliance risk and how on-premise AI fixes it.
Introduction
April marks the start of India's most aggressive hiring quarter. New financial year budgets are released, headcount approvals come through, and talent acquisition teams go into overdrive. In the next 90 days, a mid-sized Indian enterprise will process anywhere from 5,000 to 50,000 candidate documents: resumes, Aadhaar copies, PAN cards, educational certificates, salary slips, offer letters, and background verification records.
Now ask a simple question: where does all of that data go?
For most Indian enterprises, the answer is uncomfortable. It goes to a cloud-hosted applicant tracking system with servers in the US or EU. It passes through third-party screening APIs that retain data for unspecified periods. It sits in shared Google Drive folders with no access controls. It lives in email inboxes of recruiters who left the company two years ago.
The Digital Personal Data Protection Act, 2023 (DPDP Act) turns all of this into a compliance problem, and not a theoretical one. The Act's Schedule sets penalties of up to Rs 250 crore per instance, with the highest tier reserved for failing to maintain reasonable security safeguards against a personal data breach.
This blog is a practical assessment of where most enterprise HR tech stacks fail on DPDP compliance and what the alternatives look like.
---
What the DPDP Act Requires for Hiring Data
The DPDP Act classifies candidate data as personal data. Aadhaar numbers, PAN details, contact information, salary history, health records from pre-employment checks, all of it falls under the Act's protections.
Here is what the law requires of any organisation processing this data:
1. Purpose Limitation
You can only collect candidate data for a stated purpose (hiring for a specific role) and must erase it once that purpose is no longer being served, unless another law requires you to keep it. Keeping rejected candidates' Aadhaar copies in your ATS for three years "just in case" is a violation.
2. Informed Consent
Candidates must be told exactly what data is being collected, why, how long it will be retained, and who will have access to it. A generic "by applying, you consent to our privacy policy" checkbox does not meet the standard.
3. Data Minimisation
Collect only what you need. If a role does not require address verification, collecting Aadhaar copies at the application stage is over-collection.
4. Storage and Retention Controls
Data must be stored securely, with defined retention periods, and deleted when no longer needed. The Act does not mandate that data be stored in India; it allows transfer outside India except to countries the central government restricts by notification. What it does require is that the data fiduciary (your organisation) keep demonstrable control over the data wherever it sits, including when a processor handles it on your behalf.
5. Data Principal Rights
Candidates have the right to access their data, request corrections, and demand deletion. Your systems must be able to locate, retrieve, and delete a specific candidate's data across all systems within a reasonable timeframe.
---
Where Most HR Tech Stacks Fail
Most Indian enterprises run some combination of the following: a cloud-hosted ATS (Darwinbox, GreytHR, Zoho Recruit, or an international tool like Greenhouse or Lever), email for document collection, Google Drive or SharePoint for storage, and third-party APIs for background verification.
Here is where the compliance gaps typically appear:
Gap 1: Data Residency and Third-Party Access
Cloud-hosted ATS platforms route data through servers in multiple jurisdictions. Even if the primary server is in India, backups, CDN layers, and AI features (resume parsing, candidate scoring) often process data on international infrastructure. Cross-border transfer is not itself prohibited by the Act, but you, as the data fiduciary, remain responsible for processing done on your behalf by processors and their sub-processors, which means knowing exactly where every copy of that data sits. Most organisations cannot answer this question.
Gap 2: Retention Without Policy
The default behaviour of most ATS tools is to retain all candidate data indefinitely. Rejected candidates from 2019 are still sitting in your database with full Aadhaar scans attached. The Act requires erasure once the purpose is no longer being served unless another law requires retention, so indefinite retention by default is a violation unless you have a documented, enforceable retention policy with automatic deletion, or a specific legal retention requirement you can point to.
Gap 3: Consent Collection Is Inadequate
A privacy policy link at the bottom of a job application form is not informed consent. The Act requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, preceded by a notice stating what data is collected and for what purpose, and limited to the data needed for that purpose. Most enterprise career pages do not come close.
Gap 4: No Mechanism for Data Principal Rights
If a rejected candidate emails you and says "delete all my data from your systems," can your HR team actually do it? Across the ATS, the email threads, the shared drives, the hiring manager's local downloads, the background verification vendor's records? For most Indian enterprises, the honest answer is no.
Gap 5: Document Processing in Uncontrolled Environments
During peak hiring, documents often move through informal channels: WhatsApp groups for quick sharing with hiring managers, personal email forwards, temporary shared folders. None of this is logged, controlled, or deletable.
---
A 10-Point DPDP Compliance Audit for Your Hiring Pipeline
Use this as a practical self-assessment. Score your organisation against each point.
| # | Check | Compliant? |
|---|---|---|
| 1 | Can you identify every system and location where candidate data is stored? | |
| 2 | Do you have a documented retention policy with automatic deletion for rejected candidates? | |
| 3 | Is consent collected per data category (identity docs, salary history, references) with clear purpose statements? | |
| 4 | Can you fulfil a data deletion request across all systems within a defined window (this audit uses 72 hours)? | |
| 5 | Do you know the data residency (country) of every server your ATS uses, including backups and AI features? | |
| 6 | Are background verification vendors contractually bound to delete data after a defined period? | |
| 7 | Is document sharing restricted to controlled, audited channels (no WhatsApp, no personal email)? | |
| 8 | Do hiring managers have role-based access, or can anyone in the team view all candidate documents? | |
| 9 | Is there an audit trail for who accessed which candidate's data and when? | |
| 10 | Can you generate a complete data inventory for a specific candidate within minutes? | |
If your organisation scores below 7, you have material compliance exposure during hiring season.
---
What the Alternative Looks Like
The compliance challenge is not about hiring less or collecting less data. Enterprises need candidate data to make informed hiring decisions. The challenge is about where that data lives, who controls it, and whether you can prove that control.
On-premise AI infrastructure solves the residency and control problem at the architecture level:
All data stays on your servers. Candidate documents are ingested, parsed, scored, and stored on infrastructure you own and control. No data leaves your network. No third-party server touches a candidate's Aadhaar copy.
Retention policies are enforceable. When the system controls the entire data lifecycle, automatic deletion after defined periods is a configuration setting, not a manual process dependent on someone remembering to clean up a shared drive.
Audit trails are built in. Every document access, every search query, every candidate data retrieval is logged with timestamps and user identity. When a regulator asks "who accessed this candidate's data and when," the answer is one query away.
Data principal rights are operationally feasible. Locating and deleting a specific candidate's data across all systems takes minutes, not days, because all systems are unified on the same infrastructure.
Document processing happens in a controlled environment. Resume parsing, ID verification, offer letter generation, all of it runs locally. No document is routed through an external API.
Setidure Technologies builds exactly this: private, on-premise AI systems for enterprise document processing and workflow automation. Our document intelligence platform, Granthik, handles OCR, semantic search, and structured data extraction for thousands of documents, entirely on your own servers.
---
Real-World Scenario
Consider a financial services firm in Mumbai onboarding 150 new hires in Q1. Their existing process involves collecting KYC documents via email, storing them in a cloud-hosted HR portal, and sending them to a third-party background verification vendor via API.
Under the DPDP Act, this creates at least three compliance gaps: data residency uncertainty with the cloud HR portal, no contractual deletion clause with the verification vendor, and no mechanism to track or delete documents shared via email.
After shifting to an on-premise document processing pipeline:
- All KYC documents are uploaded to an internal portal running on company servers
- AI-powered OCR extracts and validates document data without external API calls
- Background verification is run against government databases via direct integrations, with no third-party data retention
- Rejected candidate data is automatically purged after 90 days with full audit logs
- A data deletion request can be fulfilled in under 15 minutes across all systems
The compliance posture shifted from "we think we are compliant" to "we can prove we are compliant."
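To make the mechanics behind this scenario and the preceding architecture section concrete, here is an added example; it is illustration written for this page, not Setidure's or Granthik's code. It shows the four controls the text relies on: consent recorded per data category and checked before a document is ingested, an audit entry written on every read, a scheduled retention job that purges rejected candidates after the window, and a deletion request that removes every copy across systems while leaving the access log intact. The in-memory store, the actor and system names, and the 90-day window are all assumptions; a real deployment would back the same operations with a database and the actual document stores.

```python
"""Candidate-data lifecycle controls: per-category consent, consent-gated ingest,
an audit trail, a retention job, and deletion across every copy.
Hypothetical illustration with assumed names and an assumed 90-day policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REJECTED_RETENTION = timedelta(days=90)  # assumed policy: purge rejected candidates after 90 days


@dataclass
class Document:
    candidate_id: str
    category: str   # "identity", "salary_history", "education", ...
    system: str     # which store holds this copy: "portal", "bgv_vendor", "mailbox"
    content: bytes


@dataclass
class Consent:
    purpose: str
    retain_until: datetime


class Clock:
    """Injectable clock so the retention job can be exercised deterministically."""
    def __init__(self, start: datetime):
        self.t = start

    def now(self) -> datetime:
        return self.t

    def advance(self, days: int) -> None:
        self.t += timedelta(days=days)


class CandidateDataStore:
    def __init__(self, now):
        self.now = now
        self.docs: list[Document] = []
        self.consents: dict[tuple[str, str], Consent] = {}   # (candidate, category) -> consent
        self.status: dict[str, tuple[str, datetime]] = {}   # candidate -> (status, changed_at)
        self.audit: list[dict] = []                          # retained even after erasure

    def _log(self, actor: str, action: str, candidate_id: str, detail: str = "") -> None:
        self.audit.append({"ts": self.now().isoformat(), "actor": actor,
                           "action": action, "candidate": candidate_id, "detail": detail})

    def record_consent(self, candidate_id, category, purpose, retain_days) -> None:
        # Consent is per data category, with a stated purpose and a retention end date.
        self.consents[(candidate_id, category)] = Consent(purpose, self.now() + timedelta(days=retain_days))
        self._log("portal", "consent", candidate_id, f"{category}: {purpose}")

    def ingest(self, actor, doc: Document) -> None:
        # Data minimisation: a category the candidate never consented to is refused, and the refusal is logged.
        if (doc.candidate_id, doc.category) not in self.consents:
            self._log(actor, "ingest_refused", doc.candidate_id, doc.category)
            raise PermissionError(f"no consent recorded for {doc.category}")
        self.docs.append(doc)
        self._log(actor, "ingest", doc.candidate_id, f"{doc.category}@{doc.system}")

    def read(self, actor, candidate_id, category) -> list[Document]:
        # Every access is logged with identity and timestamp before data is returned.
        self._log(actor, "read", candidate_id, category)
        return [d for d in self.docs if d.candidate_id == candidate_id and d.category == category]

    def set_status(self, candidate_id, status) -> None:
        self.status[candidate_id] = (status, self.now())
        self._log("ats", "status", candidate_id, status)

    def inventory(self, candidate_id) -> list[tuple[str, str]]:
        """Every (system, category) pair holding a copy: the answer to 'where does this candidate's data live?'"""
        return sorted({(d.system, d.category) for d in self.docs if d.candidate_id == candidate_id})

    def erase(self, actor, candidate_id, reason) -> int:
        """Remove every copy in every system plus the consent records; returns the number of documents removed."""
        before = len(self.docs)
        self.docs = [d for d in self.docs if d.candidate_id != candidate_id]
        for key in [k for k in self.consents if k[0] == candidate_id]:
            del self.consents[key]
        self.status.pop(candidate_id, None)
        removed = before - len(self.docs)
        self._log(actor, "erase", candidate_id, f"{removed} documents removed: {reason}")
        return removed

    def retention_job(self) -> list[str]:
        """Scheduled purge: rejected candidates past the window, and any document whose consent has lapsed."""
        purged = set()
        for cid, (status, changed_at) in list(self.status.items()):
            if status == "rejected" and self.now() - changed_at >= REJECTED_RETENTION:
                self.erase("retention_job", cid, "rejected candidate past 90-day retention")
                purged.add(cid)
        for doc in list(self.docs):
            consent = self.consents.get((doc.candidate_id, doc.category))
            if consent is None or consent.retain_until <= self.now():
                self.docs.remove(doc)
                self._log("retention_job", "erase", doc.candidate_id, f"{doc.category}@{doc.system}: consent lapsed")
                purged.add(doc.candidate_id)
        return sorted(purged)

    def access_history(self, candidate_id) -> list[dict]:
        return [e for e in self.audit if e["candidate"] == candidate_id and e["action"] == "read"]


def run_demo() -> dict:
    """Walks one rejected candidate through the retention window and one deletion request."""
    clock = Clock(datetime(2025, 4, 1, tzinfo=timezone.utc))
    store = CandidateDataStore(clock.now)
    # Constructed sample data; placeholder bytes stand in for real scans.
    store.record_consent("c-101", "identity", "KYC at offer stage", retain_days=180)
    store.record_consent("c-101", "salary_history", "compensation benchmarking", retain_days=180)
    store.ingest("recruiter@corp.example", Document("c-101", "identity", "portal", b"<masked-id-scan>"))
    store.ingest("bgv-connector", Document("c-101", "identity", "bgv_vendor", b"<verification-report>"))
    store.ingest("recruiter@corp.example", Document("c-101", "salary_history", "portal", b"<salary-slip>"))
    try:
        store.ingest("recruiter@corp.example", Document("c-101", "health", "portal", b"<medical>"))
        refused = False
    except PermissionError:
        refused = True
    store.read("hiring.manager@corp.example", "c-101", "identity")
    inventory_before = store.inventory("c-101")
    store.set_status("c-101", "rejected")
    clock.advance(89)
    purged_day89 = store.retention_job()   # still inside the window: nothing purged
    clock.advance(1)
    purged_day90 = store.retention_job()   # window reached: every copy of c-101 goes
    # A second candidate exercises the right to erasure while still active.
    store.record_consent("c-102", "education", "degree verification", retain_days=180)
    store.ingest("recruiter@corp.example", Document("c-102", "education", "mailbox", b"<certificate>"))
    erased = store.erase("dpo@corp.example", "c-102", "data principal deletion request")
    return {"refused_unconsented": refused, "inventory_before": inventory_before,
            "readers": [e["actor"] for e in store.access_history("c-101")],
            "purged_day89": purged_day89, "purged_day90": purged_day90,
            "inventory_after": store.inventory("c-101"),
            "erased_c102": erased, "inventory_c102": store.inventory("c-102")}
```

Two design points worth noting: `inventory()` is the query a deletion request or a regulator's "where is this candidate's data?" needs, and it only works because every copy, including the background-verification vendor's, is registered in the same index; and `erase()` removes documents and consents but deliberately leaves the audit entries, so you can still show who accessed the data and when after it is gone.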
---
Common Myths
Myth: The DPDP Act does not apply to hiring data because candidates are not customers.
Reality: The Act applies to all digital personal data processed by any organisation, regardless of the relationship, and carves out no exception for job applicants. Aadhaar, PAN, salary history, and contact information are all personal data under the Act. Its "legitimate use" ground for employment purposes is written around the employer-employee relationship and should not be assumed to cover an applicant's identity documents.
Myth: Our cloud vendor says they are DPDP compliant, so we are covered.
Reality: The data fiduciary (your organisation) bears the responsibility for compliance, not the data processor (your vendor). The Act makes the fiduciary answerable for processing done on its behalf by a processor, regardless of what the contract says, and a processor may only be engaged under a valid contract. If your vendor's subprocessor routes data through an international server, the compliance burden is still on you.
Myth: We only need to worry about this when the penalties are actually enforced.
Reality: The Act is on the statute book and the Data Protection Board of India is the body that adjudicates complaints and imposes penalties under it; enforcement is not a distant event. More importantly, the reputational cost of a data breach involving thousands of candidate Aadhaar copies is immediate and severe, regardless of regulatory action.
Myth: On-premise infrastructure is too expensive for mid-sized companies.
Reality: Modern on-premise AI deployments using open-source orchestration tools and lightweight local models can run on existing server infrastructure. Over a multi-year horizon the cost can come in well below per-seat SaaS licensing, and keeping the data in-house removes the cross-border transfer and third-party processor questions from your compliance scope.
---
Conclusion
Hiring season is when Indian enterprises process the highest volume of personal data all year. Aadhaar copies, PAN cards, salary slips, medical records, background verification documents, all flowing through systems that were never designed with the DPDP Act in mind.
The risk is not abstract. It is quantifiable: up to Rs 250 crore per violation, plus the reputational damage of a breach involving candidate data.
The fix is not to hire less or collect less. It is to process candidate data on infrastructure you control, with retention policies you can enforce, and audit trails you can produce on demand.
If your organisation is hiring at scale this quarter and you are not confident about where candidate data lives, that is worth a conversation.
Reach out to admin@setidure.com to see how Setidure builds DPDP-compliant AI infrastructure for enterprise hiring workflows, on your servers, under your control.