Sector-wise readiness
HR and employee data: the sector nobody picks and everybody is in
Most DPDP conversations start with customer data. Here is the one almost every company forgets: you hold employee data, and that alone puts the full baseline on you, whatever else your business does.
There is no size gate here. A five person company with five employees is processing personal data the moment it runs payroll. HR is the sector nobody picks, and everybody is in.
What applies from the start, whatever your size
- ✅ Notice to staff covering what data you hold, why, and their rights
- ✅ A lawful basis for every use of employee data
- ✅ Security safeguards on HR records
- ✅ Rights handling (access, correction, erasure)
- ✅ Grievance mechanism
- ✅ HR vendors under contract: payroll, background verification, benefits, EAP, all need a DPA
- ✅ Breach response
What may not apply to you yet
- ❌ SDF (Significant Data Fiduciary) obligations. Workforce data alone rarely makes you an SDF.
- ❌ A dedicated DPO as a standalone hire
- ❌ Annual DPIAs, independent audits
- ❌ A dedicated DPDP product. HRIS access control, vendor DPAs and retention rules usually cover it.
Two things employers consistently get wrong
Consent is the wrong basis for employee data. Because of the power imbalance between employer and employee, consent is weak: an employee cannot freely refuse their boss. Rely on the employment legitimate use plus a clear notice, not blanket consent forms. This is the single most common HR mistake auditors flag.
Ex-employees do not vanish from your obligations. When someone leaves, the employment purpose ends and DPDP points toward erasure, but labour and tax law say retain. You need a documented reconciliation of how long you keep what, and why, not a default of keeping everything forever.
And one easy miss: workplace monitoring and CCTV need their own basis and notice, and should be minimised. Filming staff "for security" without a documented basis is a quiet gap.
The better question
The better question is not "does HR have this requirement?"
It is "have I actually mapped the employee data I already hold?"
Law creates obligations. Scale and risk influence implementation. But this one is not scale gated. If you employ people, the baseline already applies.
Which HR data obligation do you see companies missing most? Drop it in the comments.