DPDP Act & Background Checks: What Every HR Team Must Know in 2026

Priya Nair, 10 February 2026, 10 min read

India's Digital Personal Data Protection Act 2023 changed how HR teams must handle candidate data during background verification. This guide explains your obligations, the consent framework, and how to stay compliant.

Free Download

DPDP Compliance Handbook for HR: A Practical Guide

Get the complete guide as a professionally designed PDF — free for HR teams.

Download Free

What Is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's landmark data privacy legislation. It governs how organisations collect, process, store, and transfer personal data of Indian citizens. For HR teams, it has sweeping implications — particularly for background verification, where sensitive personal data of candidates is routinely collected and shared with third-party agencies.

How the DPDP Act Applies to Background Verification

Background verification is fundamentally a data processing activity. The employer (as Data Fiduciary) collects personal data from the candidate and shares it with a BGV vendor (as Data Processor) for verification purposes. Every step of this process must now comply with the DPDP Act.

Key Definitions Under DPDP for HR

  • Data Fiduciary: The employer who determines the purpose and means of data processing.
  • Data Processor: The BGV vendor who processes data on behalf of the employer.
  • Data Principal: The candidate whose data is being processed.
  • Personal Data: Any data that identifies or can identify an individual — including name, Aadhaar number, employment history, and criminal record.

7 DPDP Compliance Requirements for Background Verification

1. Lawful Consent

You must obtain free, specific, informed, unconditional, and unambiguous consent from the candidate before initiating background verification. Blanket consent buried in an employment contract does NOT satisfy the DPDP Act's requirements. Consent must be sought separately, specifically for BGV.

2. Notice Requirement

Before collecting data, you must provide the candidate with a clear notice stating: what personal data is being collected, the purpose of collection, how long it will be retained, and the candidate's rights under the Act. The notice must be available in English and may need to be in a language the candidate understands.

3. Purpose Limitation

Data collected for background verification cannot be used for any other purpose — for example, marketing, profiling, or future hiring rounds — without obtaining fresh consent.

4. Data Minimisation

Collect only the personal data that is strictly necessary for the BGV checks you are conducting. Collecting a CIBIL report for a candidate being verified for a non-financial role, for instance, would violate this principle.

5. Accuracy and Storage Limitation

Ensure data collected is accurate and not retained longer than necessary. Most HR teams should delete BGV records for rejected candidates within 3–6 months. For hired employees, retention should align with your documented data retention policy.

6. Data Processor Agreements

You must have a written contract with your BGV vendor (Data Processor) that specifies: the scope of processing, security obligations, prohibition on sub-processing without consent, data return or deletion obligations on contract termination, and breach notification timelines.

7. Candidate Rights

Under the DPDP Act, candidates have the right to: access their data, correct inaccurate data, erase data (in certain circumstances), withdraw consent (which stops further processing), and raise a grievance about any violation. Your BGV process must have mechanisms to honour these rights.

Creating a DPDP-Compliant BGV Consent Form

A compliant consent form must include:

  • Clear identification of the Data Fiduciary (your company)
  • The specific types of checks being conducted
  • Names of BGV vendors who will receive data
  • Retention period for verification records
  • Candidate's rights and how to exercise them
  • Contact details of your Data Protection Officer (or equivalent)
  • A clear, affirmative opt-in mechanism (not pre-ticked boxes)

What Happens if You Don't Comply?

Non-compliance with the DPDP Act can result in:

  • Financial penalties up to ₹250 crore for significant breaches
  • Penalties up to ₹200 crore for failure to implement reasonable security safeguards
  • Mandatory notification obligations in case of a data breach
  • Reputational damage and candidate trust erosion

Practical Steps for HR Teams

  1. Audit your current BGV consent process and identify gaps.
  2. Update your candidate consent form to meet DPDP requirements.
  3. Sign a Data Processing Agreement with your BGV vendor.
  4. Review your data retention policy for BGV records.
  5. Train your recruitment team on DPDP obligations.
  6. Establish a process for handling candidate data rights requests.

VeridionQ is fully DPDP Act compliant. Our platform includes digital consent collection, transparent notice mechanisms, and candidate rights management built into the workflow.

Ready to start background verification?

Get a demo of VeridionQ's DPDP-compliant platform — no commitment required.



Frequently Asked Questions

Yes. The DPDP Act applies to any processing of personal data, including data collected during background verification. Employers must obtain specific, informed consent from candidates before initiating BGV and must have compliant data processing agreements with their BGV vendors.

About the Author

Priya Nair

Senior HR Compliance Specialist

Priya has 12 years of experience in HR compliance and employee verification across BFSI and IT sectors in India. She specialises in DPDP Act implementation for HR teams.