HRPLANR · Whitepaper

The DPDP Act Implementation Guide for HR Teams.

A practitioner's playbook for operationalising India's Digital Personal Data Protection Act, 2023. Written for HR leaders and operations managers, not for legal counsel. Implementation-first, with checklists, vendor questions, and reference clauses you can apply directly.

Pages: 18
Format: PDF
Audience: HR leaders, operations, IT
Read time: 35-45 min

Why this whitepaper exists

India's Digital Personal Data Protection Act, 2023 is in force. For HR teams, it is the most significant change to how employee data must be handled since the Information Technology Act, 2000. Yet the operational guidance available to HR practitioners is dominated by legal interpretations rather than implementation playbooks.

This whitepaper is the implementation playbook. It's written for HR leaders, HR operations managers, and the IT teams supporting them — not for legal counsel. It assumes you have already accepted that the Act applies to you and now need to know what to do, in what order, by when.

What's inside
  1. What the DPDP Act is, in plain language
  2. What HR data the Act covers
  3. Six foundational requirements for HR teams
  4. Practical implementation checklist (5 phases over 6 months)
  5. Fifteen questions to ask every HR vendor
  6. What your Data Processing Agreement should contain
  7. Common pitfalls and how to avoid them
  8. About Sphere and HRPLANR

Who this is for

HR leaders, HR operations managers, and the IT/security teams supporting them. We've assumed you have an HR function processing employee data in India — whether you're a ten-person startup or a thousand-person enterprise. The framework scales; the operational obligations don't materially change with size.

If you are legal counsel evaluating the Act in detail, this is not the document you want. We have referenced the Act and its rules where relevant, but we have not attempted to substitute for qualified legal advice. We have tried to give your operating colleagues a clear, actionable view of what compliance looks like in practice, so the legal conversation can happen against a shared operational vocabulary.

A preview of what's inside

The six foundational requirements

Beneath the legal text, the Act asks HR teams to internalise six operational principles. Every implementation project worth doing is structured around these:

  • Consent and notice — purpose disclosure, freely-given consent, revocation tracking
  • Purpose limitation — what you collected for X cannot be used for Y without fresh basis
  • Data minimisation — only what's necessary for the stated purpose
  • Retention — defensible retention periods, with documented rationale
  • Rights of the data principal — access, correction, erasure, nomination, grievance redressal
  • Security safeguards — proportionate to data sensitivity, including for your vendors

For each, the whitepaper translates the legal requirement into the concrete operational obligation it creates for HR teams.

Why HR teams should read the Act before anyone else in the company does: HR holds the broadest and most sensitive set of personal data in most organisations. Salaries, family details, medical information, performance records, identification documents, banking details. If a DPDP compliance project gets prioritised by data sensitivity, HR will be either the first workstream or the first thing that goes wrong if compliance is neglected.

The five-phase implementation checklist

The whitepaper provides a realistic six-month implementation plan in five phases:

  1. Audit (months 1-2) — inventory data, map flows, identify vendors, find shadow data
  2. Foundations (months 2-4) — privacy notice, Grievance Officer, rights process, retention schedules
  3. Vendor and contracts (months 3-5) — DPA negotiations, security assurance, transfer mapping
  4. Process embedding (months 4-6) — training, system configuration, breach response, employee communication
  5. Ongoing compliance — quarterly reviews, annual audits, vendor renewals, training refreshers

Fifteen vendor questions and reference DPA clauses

Most of your DPDP exposure runs through your HR software vendor. The whitepaper provides fifteen specific questions to ask any vendor before signing, covering data residency, sub-processors, encryption, audit logs, rights fulfilment, breach notification, cross-border transfers, and AI training. It also lists the thirteen reference clauses your DPA should contain — with the level of specificity that distinguishes a real DPA from a vague one.

About the authors

This whitepaper was written by the Sphere product team at Infomaze Sphere LLP, the product division of the Infomaze group. Infomaze has been building operational software for businesses in India and globally for fifteen-plus years, with substantial experience in HR systems specifically. HRPLANR — our workforce operations platform — was designed ground-up with DPDP compliance as a first-class priority. The implementation patterns and vendor evaluation framework in this whitepaper are drawn from that work.

This whitepaper is a practitioner's guide. It is not legal advice. Decisions about how the DPDP Act applies to your specific situation should involve qualified legal counsel.

See HRPLANR — built for the Act, not retrofitted to it.

If the framework in this whitepaper resonates with how you want to handle HR data, HRPLANR was designed around the same principles. India compliance is native, not a bolted-on module. Free for teams up to ten — no credit card.