
DPDP Act 2023 and Background Verification: A Practical Guide for HR Teams

India's Digital Personal Data Protection Act 2023 fundamentally changes how you can collect, use, and retain candidate data. Here's exactly what your BGV process needs to do to stay compliant.


Arjun Mehta

Co-founder, Truvixx

30 April 2026 · 9 min read

The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data protection law — and it has significant implications for how employers and background verification platforms collect, process, and retain personal data. For HR teams, the Act isn't just a legal formality. It changes the procedural requirements for background verification in ways that have real operational consequences.

This guide breaks down the specific provisions that apply to employee and candidate background verification, what they require your process to do, and how to stay compliant without creating friction in your hiring workflow.

Key Definitions: Who Is the Data Fiduciary?

Under the DPDP Act, a Data Fiduciary is the entity that determines the purpose and means of processing personal data. In a background verification context, this is typically the employer — you, as the HR team or hiring manager, decide that a check is needed, what should be verified, and how the result will be used.

The background verification platform (such as Truvixx) acts as a Data Processor — it processes personal data on behalf of the Data Fiduciary, following the Fiduciary's instructions. This distinction matters because it determines who bears the primary legal responsibility for obtaining valid consent, defining the purpose of processing, and responding to Data Principal rights requests.

The practical implication

As the Data Fiduciary (employer), you are responsible for obtaining and documenting valid consent from candidates before initiating a background check. Your BGV platform can provide consent management tools and templates, but the adequacy of that consent is legally your responsibility.

The Consent Requirement: What's Actually Required

Section 6 of the DPDP Act requires that consent for personal data processing be free, specific, informed, unconditional, and unambiguous. In plain terms, for a background verification check, this means:

  • Free: The candidate cannot be coerced into consenting. Making employment strictly conditional on consent to check categories of data beyond what is necessary for the role may not meet this threshold. However, reasonable checks necessary for the role are generally defensible as a legitimate employment condition.
  • Specific: The consent must specify what categories of data will be checked (identity, employment history, criminal records, etc.) — not just say 'we may conduct background checks'.
  • Informed: The candidate must be told who will process their data, for what purpose, what databases will be queried, and how long the data will be retained.
  • Unambiguous: Consent must be an affirmative act — a checkbox ticked, a form signed, a link clicked. Pre-ticked boxes, inferred consent, or blanket statements in an employment contract don't qualify.

The Right to Withdraw Consent

The DPDP Act gives Data Principals the right to withdraw consent at any time, with the same ease as giving it. For background verification, this creates an interesting operational question: what happens if a candidate withdraws consent mid-check?

The law is clear that withdrawal doesn't retroactively invalidate processing already done under valid consent. But it does mean you must stop further processing from the moment of withdrawal. In practice, a candidate who withdraws consent mid-check is effectively declining to proceed with the verification — and the employer must decide how to respond within the constraints of employment law.

Watch out for this

Some employers include a blanket consent to background verification buried in their employment contract or offer letter. This approach is legally risky under the DPDP Act. A separate, standalone consent form — describing exactly what will be checked and why — is the correct approach.

Data Minimisation: The Principle You're Probably Violating

The DPDP Act requires that personal data collected must be limited to what is necessary for the specified purpose. In background verification terms: you should only check what is relevant to the role.

  • A criminal records check for an office-based accounting role may be appropriate. For a remote content writing role with no access to sensitive systems, the same check may not meet the necessity threshold.
  • Collecting a candidate's full Aadhaar number when only the last 4 digits are needed for identity confirmation violates data minimisation.
  • Retaining full background check reports indefinitely, rather than for the period necessary for the employment relationship, is a retention violation.

Data Retention: The Rule Companies Are Getting Wrong

Most companies have no defined data retention policy for background verification reports. They store them indefinitely in an HR shared drive or buried in an email thread. Under the DPDP Act, this is no longer acceptable.

Background verification reports for candidates who did not join should be deleted within 6 months of the final hiring decision — or earlier if the candidate requests erasure. For employees who did join, reports should be retained for the duration of employment plus a defined post-employment period (typically 2–7 years depending on your legal hold requirements). After that, they must be deleted or anonymised.

What a DPDP-Compliant BGV Process Looks Like

  1. Define role-based check packages that document the specific checks and their necessity for each role category. This is your 'specified purpose' documentation.
  2. Use a standalone digital consent form that describes each check type, the databases queried, the BGV platform used, retention periods, and the candidate's rights. Obtain this before initiating any check.
  3. Minimise data at every step — collect only what is necessary, query only what is relevant, and store only what retention policies require.
  4. Establish a documented retention schedule for verification reports — separately for unsuccessful candidates, successful candidates, and employees after separation.
  5. Create a process for data rights requests — candidates and employees may ask to access, correct, or delete their BGV data. Know who in your team handles this and what your SLA is.
  6. Review your BGV vendor contract to confirm it includes a Data Processing Agreement that allocates responsibilities correctly under the DPDP Act.

The Enforcement Timeline

The DPDP Act received Presidential assent in August 2023. The rules and full enforcement regime are being phased in — the Data Protection Board of India is being constituted, and specific obligations are being brought into force in stages. The practical window to get your BGV process compliant is now, before enforcement becomes active and penalties (which can reach ₹250 crore for significant violations) come into play.

Where to start

Audit your current BGV consent process first. If it's embedded in a general employment contract clause, you have the most urgent compliance gap to address. A standalone digital consent form, integrated into your BGV platform's workflow, is a one-day fix.


Writing about background verification, compliance, and workforce trust at Truvixx.
