DPDP readiness checklist

Fourteen practical items HR teams need to confirm before the next compliance audit. Drawn from our plain-language explainer; print, tick, archive.

  • Fourteen items spanning offer letters, exits, applicant data
  • Each item maps to a specific DPDP Act provision
  • Print-ready output for archival

Checklist preview

☐ 1. Offer-letter consent clauses are DPDP-aligned
☐ 2. Retention period documented and enforced
☐ 3. Exit packet includes data-retention notice
☐ 4. Applicant resume retention documented (default six months)
☐ 5. Renewal mechanism for retained applicant data
☐ 6. Privacy policy refreshed with plain-language clauses
Eight more items in the printable output.

Use the checklist

Fill in the fields below. The tool runs entirely in your browser; no data leaves the page.

What DPDP requires of HR teams

The Digital Personal Data Protection Act, 2023 introduces consent as the default basis for processing personal data of Indian residents. For HR teams, this means three concrete shifts: offer-letter clauses now need explicit consent language, exit processes must include data-retention disclosures, and applicant tracking has tighter rules.

Most HR functions touch DPDP-covered data continuously. The checklist captures the commitments that need to be confirmed annually.

How to use the checklist

Run through the fourteen items with your DPO and HR lead. Each item references the DPDP provision it addresses, so any disagreement on interpretation is grounded in the act's text.

Sign and archive at the end of each audit cycle. The archived output is what gets surfaced if the data protection board ever asks.

What to do with the gaps

Items that are not yet aligned (typically: automated deletion endpoints, applicant-data renewal flows, vendor data-handling agreements) become the work plan for the coming quarter. Document the gap, the owner, and the target close date.

Deferring an item is fine; deferring it without documentation is not. The checklist is the audit trail.

Frequently asked questions

Is DPDP currently enforced?

The act is notified; enforcement rules are still being finalised. Companies that wait for full enforcement will find themselves behind. Treat current compliance as the prudent baseline.

Does this replace a formal DPIA?

No. The checklist is a high-level readiness check, not a Data Protection Impact Assessment. For high-risk processing, a formal DPIA is still required.

What is the right retention period for HR data?

Statutory retention varies: TDS records (7 years), PF records (lifetime of employment plus 7), POSH complaints (10 years). For non-statutory data, the consent-specified period applies. See our DPDP explainer for the full picture.

How often should the checklist be run?

Annually as a minimum, ideally aligned with the financial-year audit cycle. Major HR-tech changes (new HRMS, new ATS, new BGV vendor) should trigger an interim run.
