DPDP Readiness Checklist for HR and IT Teams: The 14-Item Audit Your Auditor Will Ask For
In the first DPDP audit I sat through, the HR director was the one sweating. Not the CIO. She had built a perfectly fine offer letter template in 2019, copy-pasted it 800 times since, and nobody had updated the consent clause once. The auditor flagged it in nine minutes flat. That is the pattern I keep seeing across mid-size Indian companies. The cybersecurity stack is fine. The HR file is the trap door.
If you are reading this in 2026, the auditor letter has either arrived or you can feel it coming. The Data Protection Board is now staffed, the consent-manager deadline is November 2026, and the first cohort of show-cause notices has been served. This is the DPDP readiness checklist for HR and IT teams that I run with clients before the formal audit. Fourteen items, split by owner, defensible on Friday afternoon.
Why DPDP is half an HR problem
Most Indian compliance leads still treat the Digital Personal Data Protection Act as an IT-security project. The Act does not read that way. Look at Section 4, Section 5, and Section 8 together: the bulk of the obligations are about how you collect, notify, and dispose of personal data, not how you firewall it. Employee data sits squarely in scope. Job applicants, exited employees, contract staff, payroll vendors. Every record HR touches is a Data Principal record under DPDP.
Three of the four show-cause patterns the Data Protection Board is testing in its first cohort of orders involve HR data: late breach notification on a payroll vendor leak, missing consent withdrawal logs for ex-employees, and notices that were never translated into the Data Principal’s language. The CIO can hold up a SIEM dashboard. The HR head needs to hold up paperwork. Most HR teams cannot, yet.
The DPDP readiness checklist for HR and IT teams, split by owner
This is the working version. We have walked 30+ Indian businesses through it in the last six months. Mark each line green, amber, or red against your file room today. Amber and red are your weekend.
HR side: 7 items, HR head owns each one
- Offer letter consent clause is current. Section 5 says the notice must be given “on or before” data is collected. Check the template you sent your last hire. If the consent language predates 2024, it is stale.
- Privacy notice exists in the Data Principal’s language. Hindi, Tamil, Marathi as relevant. An English PDF is not a notice for a hire in Madurai.
- Background check vendor has a written DPA. Section 8(2) makes you liable for processors. If your BGV vendor cannot produce a signed Data Processing Agreement in 48 hours, that is a finding.
- Exit checklist revokes all access in writing. This is the one HR keeps thinking is IT’s job. The Board treats failure-to-revoke as an HR control. Document it in the exit form.
- Withdrawal of consent has a registered channel. Section 6(4) gives every employee and ex-employee the right to withdraw consent. If your only channel is “email HR”, that is not a register.
- Payroll vendor breach notification is rehearsed. Run a tabletop drill that assumes your payroll provider has been breached and you have 72 hours to notify the Board. Most teams have never run this.
- Sensitive HR records have separate retention rules. Health declarations, disciplinary records, background checks. Treat them as a higher-trust tier with stricter retention than ordinary employee data.
IT side: 7 items, CIO or IT manager owns each one
- Asset inventory of every system holding employee data. Workday, Darwinbox, GreytHR, Excel sheets on personal laptops. If it is not on a list, the auditor will find it and you will not.
- Access logs retained for at least 180 days. CERT-In Direction April 2022 sets the floor. DPDP audits will treat anything shorter as a red flag.
- Data Loss Prevention on email and endpoint. USB, email upload, cloud sync. Our USB device control playbook is the cheapest first move here.
- Encryption at rest for HR systems. Not “the laptop has BitLocker” alone. The database holding payroll, the backup tape, the SharePoint folder.
- Role-based access, reviewed quarterly. Section 8(4) requires “reasonable security safeguards”. Quarterly access reviews are the cheapest proof point.
- Breach detection and reporting playbook, tested. Not a Word document. An actual drill, with the CIO, the CFO, and the legal lead.
- Vendor inventory with risk tier. Every SaaS that touches employee data. Tier them. Audit the top 5 every year.
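The exit-revocation item on the HR side and the 180-day log retention and quarterly access review items on the IT side are all checks you can run against exports rather than by eyeballing a file room. The script below is an added example, not part of the original checklist and not a product of any vendor named above. It cross-references a constructed HRIS exit roster against a constructed list of enabled directory accounts and a few constructed HRIS access-log lines, flags accounts still enabled after the last working day, flags successful logins that happened after exit, and reports how far short of 180 days the retained log actually reaches. The log format, user ids and dates are all assumptions for illustration.

```python
"""Quarterly access review helper for HR/IT DPDP checks.

Added example with constructed sample data. Assumes an HRIS exit roster
(user -> last working day), a directory export of enabled accounts, and
access-log lines of the form "<ISO timestamp> <user> <action> [detail]".
"""
from datetime import date, datetime

# Review date used by the report and the tests (constructed)
AS_OF = date(2025, 4, 30)

# Constructed HRIS exit roster: user id -> last working day
EXIT_ROSTER = {
    "rkumar": date(2025, 1, 31),
    "smehta": date(2025, 3, 15),
}

# Constructed identity-provider export: accounts still enabled today
ENABLED_ACCOUNTS = {"rkumar", "apatel", "smehta", "jdsouza"}

# Constructed HRIS access-log lines
ACCESS_LOG = """\
2025-02-10T09:14:02 rkumar LOGIN_SUCCESS payroll-export
2025-02-10T09:20:45 apatel LOGIN_SUCCESS
2025-03-14T18:02:11 smehta LOGIN_SUCCESS
2025-03-20T08:55:30 smehta LOGIN_SUCCESS salary-register
2025-04-01T10:00:00 jdsouza LOGIN_SUCCESS
"""


def parse_log(text):
    """Yield (timestamp, user, action); skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def unrevoked_accounts(roster, enabled, as_of):
    """Exited staff whose account is still enabled, mapped to days since exit."""
    return {
        user: (as_of - last_day).days
        for user, last_day in roster.items()
        if user in enabled and as_of > last_day
    }


def post_exit_logins(roster, log_text):
    """Successful logins by an exited user after their last working day."""
    hits = []
    for ts, user, action in parse_log(log_text):
        last_day = roster.get(user)
        if last_day and action == "LOGIN_SUCCESS" and ts.date() > last_day:
            hits.append((user, ts.date().isoformat(), (ts.date() - last_day).days))
    return hits


def retention_gap_days(log_text, as_of, required_days=180):
    """Days short of the required retention window; 0 means the log covers it."""
    stamps = [ts.date() for ts, _, _ in parse_log(log_text)]
    if not stamps:
        return required_days
    covered = (as_of - min(stamps)).days
    return max(0, required_days - covered)


def quarterly_review(roster, enabled, log_text, as_of):
    """Bundle the three checks into one report an auditor can read."""
    return {
        "unrevoked": unrevoked_accounts(roster, enabled, as_of),
        "post_exit_logins": post_exit_logins(roster, log_text),
        "retention_gap_days": retention_gap_days(log_text, as_of),
    }


if __name__ == "__main__":
    report = quarterly_review(EXIT_ROSTER, ENABLED_ACCOUNTS, ACCESS_LOG, AS_OF)
    for key, value in report.items():
        print(key, value)
```

Run it against a real HRIS export and directory dump and every non-empty entry in "unrevoked" or "post_exit_logins" is an exit-form control failure, while a non-zero "retention_gap_days" is the 180-day finding before the auditor finds it for you.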
What the auditor will actually look at first
I will save you the suspense. The auditor opens with three files. Your offer letter template, your last exit form, and your access log from your HRIS for the last 90 days. If those three are clean, the rest of the conversation goes calmly. If any one of them is messy, the audit expands into a four-day exercise and the findings get long.
This is the same pattern as the breaches the IBM Cost of a Data Breach Report 2024 keeps surfacing. The average Indian breach in 2024 cost Rs.19.5 crore, and the single largest contributing factor was misconfigured access. Not zero-days. Not nation-state actors. Just an ex-employee who still had a working login on Day 47.
The HR-side traps I see most often:
- Offer letters with a consent line copy-pasted from 2018, well before the Act existed
- Exit forms with no asset-and-access tick box at all
- Internal complaints register with personally identifying information stored in a shared SharePoint
- Background check files emailed as attachments to three internal copies
The good news is that all four are 30-minute fixes once HR and IT sit at the same table.
What to do this Friday, in order
Run the 14-item list against your current file room. Mark amber and red. If you have more than five red items, the right move is the DPDP audit India playbook, not a software purchase. If your HR data sits across more than three systems, get the MSME compliance roadmap on the same desk. And if you want a second pair of eyes before the Board’s letter, take the free audit slot. We have done this for 200+ Indian businesses. 30+ are in BFSI, where the IRDAI overlay makes the HR side even tighter.
Every week you delay, the cost of remediation compounds. Slots are open until end-of-month, 11 firms have booked this month, and the audit produces a written findings doc you can defend in front of the Board. Reply on WhatsApp to start.
The guide on how to stop data leaks over email in India is the email-specific companion to this HR/IT checklist.
*P.S. Priya here. We ran this exact checklist last week for a Mumbai broking house with 240 staff. They flagged 6 amber and 2 red within a Friday afternoon. The 2 reds were both HR side. Offer letter, exit form. Both fi