Follow us

DPDP Act 2023 – Implications On The Employer

DPDP ACT Post Picture

In this 2-part series, we examine the implications of the DPDP Act on the Employer and Employee. In the first part, let us look at the role of the Employer and the employer’s obligation towards ensuring the protection of the personal data of employees. 

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) received presidential assent on Aug 11, 2023. It aims to protect employee (Data Principal as defined under the DPDP Act) digital personal data and regulates the custodian (Data Fiduciary – employer) of such personal data and anyone who handles or processes such data on behalf of the employer (data Processors).  It regulates major aspects of handling personal data right from collection to storage to archival to erasure of personal data and imposes a significant compliance burden on the employer (Data Fiduciary as defined under the DPDP Act). Employers, management and most importantly, HR and legal teams across the industry spectrum are undoubtedly seeking clarity on several aspects of the DPDP Act.  This law has implications on the employer from the selection of the candidate till their separation from the system. It therefore becomes critical for the employer to contemplate the aspects related to People, Process & Technology before implementing the DPDP Act. Some questions that could be in the minds of employers and/or management teams are (not exhaustive); 

  •  Is my organization aware of the implications of the DPDP Act on the hiring process and exit process? 

  •  Is my organization taking the right measures to ensure the security of personal data of its employees? 

  • Does my organization have robust security systems and infrastructure in place to handle employee data? 

  • How is my organization handling and managing the personal data of exiting employees? Or how should my organization handle the personal data of ex-employees? 

  • What skills and tools should I equip my HR, Legal, Admin and Security teams with to implement and comply with the DPDP Act?  

  • Does my organization have personnel with the requisite skills and awareness of the DPDP Act and will be able to implement this in the organization? 

  • Does my organization know which policies and procedures need to be updated/created to comply with the DPDP Act? 

The employer may carefully consider the above and assess internally to determine its readiness to implement the DPDP Act.  

Implications of the DPDP Act 2023 on Employers

Compliance with the DPDP Act: The DPDP Act requires the employer to comply with the provisions of the DPDP Act regardless of any agreements or employee duties with respect to any processing undertaken by it or on its behalf (by a Data Processor). The employer will have to consider implementing appropriate technical and organisational measures to ensure effective adherence to the provisions of the Act and Rules.  

Further, the employer may achieve this by reviewing their current policies to check for the inclusion of privacy measures, data retention protocols, and data purging procedures. Additionally, they should reassess their agreements with data processors and other external parties who handle employee data. 

Data Processing: The employer has the option to involve a Data Processor to handle personal data on its behalf for activities related to providing goods or services to Data Principals/employees, but this must be done through a valid contract. The employer must ensure that the contract with the Data Processor includes clauses that align with the compliance requirements outlined in the DPDP Act. 

DPDP Act definitions

Data Retention: The DPDP Act obligates the employer to erase personal data once an employee withdraws their consent or when it becomes reasonable to conclude that the intended purpose is no longer relevant, except when retention is essential to adhere to current legal requirements. Additionally, the employer is responsible for ensuring that any personal data shared with a Data Processor for processing is also erased by the Data Processor. A Data Retention Policy may be formulated by the employer in line with applicable laws. 

Employee consent: Employee consent is one of the fundamental requirements under the DPDP Act. The Act requires the employer to obtain employee’s consent before processing the employee’s personal data.  The consent obtained from the employee to process the personal data must be ‘freely given, specific, informed, unconditional’, and an ‘unambiguous indication of consent’ through ‘clear affirmative action.’  

Further, the DPDP Act has also provisioned for the right to withdraw consent by the employee. In situations where personal data aligns with ‘legitimate purposes,’ such as adhering to legal requirements, court orders, and employment purposes, personal data can be processed without consent. 

The Act allows the employer to process employee personal data without obtaining consent in the following scenarios:  

  • For employment purposes 

  • For reasons related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information; or 

  • For provision of any service or benefit sought by an employee.

Notice to the employee: The request for consent shall be preceded or accompanied by a notice from the employer, informing the employee the intended purpose of processing the employee’s personal data. The employer may be required to provide notices to employees accessible in English OR in any of the official languages as outlined in the eighth schedule to the constitution. 

Protection and accuracy of personal data: When an employer anticipates using personal data in a manner that could influence a decision concerning the employee or sharing it with another employer, it is the duty of the employer to ensure that the processing of said personal data is complete, accurate and consistent. The employer is required to safeguard personal data under its possession or control, both during its processing activities and when processed by a Data Processor on its behalf. This may involve devising sensible security measures to prevent any breaches of personal data, which may include framing a privacy policy that may be published internally. 

Grievance Handling: The employer must put in place mechanisms for addressing employee grievances. The employer can choose to appoint a Data Protection Officer (DPO) to address employee concerns. More clarity may emerge on DPOs once the Rules are notified. A timely grievance mechanism aligned with evolving guidelines is recommended. 

Reporting of a data breach: In the event of a breach of any employee personal data, the employer shall inform the Data Protection Board and each affected employee in such form and manner as may be prescribed. 

Penalty: Non-compliance with the provisions of the DPDP Act may have a significant financial impact on the employer. The Act stipulates that the employer may be levied penalties of up to INR 250 crore for violation of its provisions. It is therefore recommended to always have a compliance-conscious approach while handling employee personal data and foster such mindset across all levels of the organisation. 

In summary, it is recommended that the employer review its existing policies and procedures concerning data privacy, retention, data purging, agreements with background verification (BGV) vendors and other external parties. The other critical component of compliance with the DPDP Act is ensuring that all the specific employees handling employee personal data are adequately trained and skilled in all aspects of the Act and its prescribed rules and compliances. This assessment is crucial to ensure alignment with the compliance mandates stipulated in the DPDP Act. While the employer may await the Rules for further directions on the manner of implementation of the provisions of the DPDP Act, the employer may work towards strengthening its privacy controls and standardizing its policies. 

Furthermore, any non-compliance by the Data processors may result in non-compliance by the employer. Thus, if the employer engages a Data Processor for processing of employee personal data, the employer may consider engaging Data Processors who have a strong ecosystem for managing employee personal data and at the same time, understand the compliance requirements under the DPDP Act. 

In the next part of this series, we will delve into the rules and its implications on the employer and any impact on employees once the rules are notified.

– Amrutha Ananth,

Advocate & Principal Associate

Share This Post

Leave a Comment

Your email address will not be published. Required fields are marked *

Share:

More Posts

bcp-associates-llp-logo white-bcp-associates (Legal Audit Vendor Audit POSH Training Legal Advisory Labour Law Employment Law HR Practice Human Resource Advisory Workplace Harassment Training Digital Compliance Document Manager Digital Legal Audit wage and lobour code in Bangalore Hyderabad Chennai Mumbai Delhi NCR)

Follow us

Subscribe

Sign up for our latest news & articles. 

Scroll to Top

Archana Madan – POSH Specialist & Advocate

Archana Madan Kohli is an advocate with close to 15 years experience in in-house and law firm roles. At BCP Associates, she specialises in providing various services to clients under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (“POSH Act”). Archana is the External Member of the Internal Committee of multiple organizations across sectors and is well versed in handling POSH inquiries. She also handles POSH queries, including drafting and reviewing policies and assisting in setting up Internal Committees.

Archana is also a trainer, delivering specialised sessions for Managers and Senior Management, Employee General Awareness sessions for all employees and Internal Committee training. Apart from English, Archana is fluent in delivering training sessions in Hindi, and Punjabi.

Archana started her career with Bharti Infratel Limited moved on to Wipro Limited, Adecco India Private Limited, Cloudnine Hospitals, Virinchi Limited and Medicover Hospitals in different capacities.

Archana holds a Bachelor of Law (LL.B.) degree from Himachal Pradesh University, Shimla. She has earned her Post Graduate Diploma in Drafting, Negotiation and Enforcement of Contracts from NALSAR University of Law, Hyderabad with distinction.

B. Chandrashekar Shetty - Advocate

Mr. Chandrashekar Shetty is a Senior Labour Law Compliance Auditor at BCP Associates and has audited multiple client companies across India. He is also a member of our senior legal advisory practice. Previously he has worked as Deputy Controller, Manager-Industrial Relations and Industrial Relations Officer in KPTCL, Bangalore for more than 30 years. Prior to this, he has dealt with Legal, Personnel and IR matters including Wage Settlements, Grievance Machinery, Manpower Study and Social Security Compliances for about 10 years. He is a Faculty member of Labour Law, HRD Centre, KPTCL Bangalore.

Mr. Shetty holds a B.Com. and L.L.B. degree, Post-Graduate Diploma in Business Administration, Diploma in Public Relations from Bangalore University and PG Diploma in Industrial Relations & Personnel Management from Bharatiya Vidya Bhawan. He is enrolled as Advocate in Karnataka Bar Council and is a Govt. Arbitrator of Chit Funds in Karnataka.

S Venugopal Rao

S Venugopal Rao is an experienced labour law and service matters expert and is a member of the senior advisory team at BCP Associates. Having joined the chambers of Mr. B C Prabhakar in 2012, he is knowledgeable and well versed in multiple employment and labour law topics.

S Venugopal Rao holds a Bachelor’s degree in Science from Karnataka University, Dharwar and Bachelor of Law from Bangalore University. He enrolled as advocate in Karantaka State Bar Council in 1976. He joined the chamber of Sri. Kolachalam Srinivasa Rao a leading civil advocate. After practicing for 6 years at Ballari, he joined Orient Paper Mills, Orissa (of G P Birla Group). He was designated as Manager (Law) under the Factories Act in 1995. In 1999, he joined Andhra Pradesh Paper Mills Rajahmundry as Manager Legal and was subsequently elevated as Dy. General Manager (Legal). As Factory Manager & Legal Head, he oversaw compliance of Factories Act and Rules there under towards safety, health and welfare, including compliance under Pollutions and Environmental laws and Explosives Act, etc. Additionally, he is well acquainted with Environment Management System ISO 14001: 2004, Occupations, Health and Safety Series 18000:1999. As Legal head in APPM he has briefed and appeared along with Senior Advocate before Appellate Authority constituted under Water (Prevention & Control of Pollution) Act. He retired from the services of Andhra Pradesh Paper Mills in 2011.

As legal head he has handled important cases both in Labour and Civil and has experience in drafting and vetting Contracts, Agreements, Lease Agreement, Conveyance Deeds, , Affidavits and scrutiny of several legal and other documents, Preparing and settling Petitions, Appeals, Plaints, Written Statements, Rejoinders, Affidavits and Written Arguments etc. for submission/pleadings for various legal proceedings.

C K Devappa Gowda - Advocate

C.K. Devappa Gowda (CKD) is an Advocate and Labour Law expert. He holds a Bachelor’s Degree in Science from the University of Mysore and a Degree in Bachelor of Law from Bengaluru respectively. He also holds a Diploma in Social Service Administration from the National Institute of Social Science, Bengaluru. After completing his studies, he had enrolled as a Advocate and initially practiced in the Civil Code attached to the office of BCP. He then worked as Personnel Officer in Chemicals and Textile Manufacturing Industries for 5 years. Thereafter took up employment in one of the largest Public Sector Bank. He has worked in different parts of the country and has extensive experience in the cross country IR domain. The significant part of his service was at corporate level overseeing and implementing HR policies and practices and management of IR. He has been a member of personnel committee of Indian Bank Association.

After retirement from service, Mr. Gowda has been working with Mr. BC Prabhakar’s firm for the last 12 years. He has expertise in all areas of people management, drafting of documents relating to service matter including the settlements under the ID Act. He has dealt with all employment laws including appearance before the Courts, Tribunal and Authorities under the different Labour Laws. Mr. Gowda is one of the senior Labour Law experts at BCP Associates.

Srijatha Ghosh - POSH Specialist & Advocate

Srijata Ghosh serves as external member on the Internal Committee of several Companies across various sectors. She handles all kinds of POSH related matters including investigations and inquiries. She provides Training on Sexual Harassment across all verticals for Managers and Senior Management, General Awareness for all employees and Internal Committee members on the legislation (The Sexual Harassment of Women at Workplace Prevention, Prohibition and Redressal Act, 2013). She also formulates Policies for Prevention of Sexual Harassment at Workplace (“POSH”) and advises Companies on setting up of their Internal Committees. Srijata is involved in providing Legal Advisory services on POSH and other labour law matters for various clients.

In her previous experience, she has extensively dealt with End-to-End Contract Management, Due Diligence, POSH Compliances, Legal Advisory, etc. Srijata worked with Companies like Accenture India Private Limited, Quess Corp., Capgemini Business Services (India) Limited and Pramata Knowledge Solutions Private Limited. Srijata has handled varied legal issues including drafting, vetting and negotiation of contracts, drafting policies of various organizations. She has resolved issues relating to employment laws and has worked closely with the HR teams. She has provided legal advisory services to senior management. She was also associated with Kolkata High Court in counselling clients with legal matters such as Property, Due Diligence etc. Srijata has worked in an LPO Service Firm, Manthan Legal Services Private Limited for Legal Research, depositions, medical summaries, demand drafting etc.

Srijata completed her B.A.LL.B from M. S. Ramaiah College of Law, Bangalore University in 2009. Srijata is a member of the Karnataka Bar Council since 2010. She is also a member of the Gender Sensitivity Sub Committee of Karnataka Employer Association (KEA).

Caroline Lobo - POSH Specialist & Advocate

Caroline Lobo has been with BCP Associates for the past 2+ years. She has been handling matters and Inquiries related to the POSH Act including conducting inquiries and trainings/awareness programmes for Senior Management, employees as well as members of the Internal Committee on the POSH Legislation (The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (“Act”) to address Workplace Harassment of Women. She is a member of the Internal Committee for many varied companies and organisations and has reviewed and scrutinized numerous hearings and inquiries on matters relating to sexual harassment at workplace.

She has also handled matters relating to employer-employee related Enquiries, wherein she has reviewed and conducted hearings and enquired into the matters and has guided the Internal Committee and provided guidance in providing recommendations to the management. She is also a Member of the Gender Sensitivity Sub-committee of Karnataka Employer Association (KEA).

Prior to joining BCP Associates, Caroline has has a wide range of experience in corporate, commercial and contract law, mergers and acquisition and has undertaken drafting, vetting, negotiating and finalizing legal and commercial transactions. She started her career in litigation then moved onto the Corporate sector. In the span of 13 years, she has worked at Chambers of Advocate Jayashree Murali, Krishnamurthy and Co. Legal Consultants, Colt Technology Services and Oracle India Pvt. Ltd. She always had a keen interest in Women and Child related issues. She has worked with Child Welfare Committee and NGOS’s. In addition, she has worked with Swasthi Health Resource and Centre, where she was the External member to the Internal Committee (IC). She worked closely with the committee in strategizing, planning, reviewing and implementing the assigned tasks, which included building material to raise awareness against sexual harassment at workplace. Further, she has been involved in conducting inquiries into matters related to sexual harassment at workplace.

Caroline earned her Law degree from University Law College, Bangalore, from where she graduated in the year 2005.

Manoj Kumar – Senior Associate

At BCP Associates, Manoj Kumar is involved in managing and conducting labour law compliance audits of principal employer and contractors. He is also involved in client co-ordination and conducting labour law training programs for vendors. He has conducted on-ground labour law audit for factories. Manoj also provides support in advising vendor clients on labour law queries. He completed B.A., LL.B. from BMS College of Law, Bangalore in 2016.

Rashmitha Venkatachalam Das - POSH Specialist & Advocate

Rashmitha Venkatachalam Das is an advocate with more than 15 years’ varied experience including both law firm and in-house roles. As an expert on BCP Associates’ POSH team, she specialises in providing a broad range of services under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (“POSH Act”). Currently, Rashmitha is the External Member of the Internal Committee of multiple organizations across sectors and has deep expertise in handling POSH inquiries. She also supports these organisations on a regular basis with queries related to sexual harassment, including drafting and reviewing POSH policies and assisting in setting up Internal Committees.

Rashmitha is also a seasoned POSH trainer, having delivered a multitude of specialised sessions for Managers and Senior Management, Employee General Awareness sessions, and focused training for Internal Committee members. In addition to English, she is fluent in Hindi and Kannada, ensuring meaningful training sessions and effective inquiries.

Having started her career at law firm of Krishnamurthy and Co, Rashmitha moved to in-house roles with Biocon Limited, Columbia Asia Hospitals Private Limited and Adecco India Private Limited. 

Rashmitha holds an LL.M. in Labour and Employment Laws from University Law College, Bangalore, graduating in the year 2018 with Two Gold Medals. She is also a Rank Holder at the University. She obtained her BA, LL.B. degree from Bangalore Institute of Legal Studies, Bangalore University in 2009. Rashmitha is registered with the Karnataka Bar Council since 2009 and is also a member of the Gender Sensitivity Sub Committee of Karnataka Employer Association (KEA), an industry association of employers with over 700 members.

Manisha Vidyadhar – Senior Associate

At BCP Associates, Manisha Vidyadhar is involved in managing and conducting labour law compliance audits of principal employer and contractors. She is also involved in client co-ordination and conducting labour law training programs for vendors. She has conducted on-ground labour law audit for factories. Manisha also provides support in advising vendor clients on labour law queries.  She completed B.A., LL.B. from BMS College of Law, Bangalore in 2016.

Amrutha Ananth – Principal Associate

At BCP Associates, Amrutha is a part of the Legal Advisory practice, Legal Audit practice and Labour Code Alignment Programme (LCAP). Amrutha specialises in Labour and Employment Laws and compliance having advised some of India’s leading companies for some of their most complex labour law matters.

Amrutha has more than seven years of experience in labour and employment law and has conducted several audits for both, principal employer and contractor for various leading IT/ITES companies, manufacturing sectors like pharma, automobile, construction and start-ups.

She is actively involved in drafting and reviewing employment contracts, HR policies, Employee Handbook, show cause notice, etc. for various organizations spread across diverse sectors. As a part of the Labour Code Alignment Program, she assists companies in review and alignment of their existing wage and employment policy with the provisions of the Labour Codes.

Sunil Arya – Principle Associate

At BCP Associates, Sunil Arya is part of the labour and employment law advisory and HR Policy practice and is actively involved in drafting and reviewing of employment contracts, opinions, HR policies, employee handbook, show cause notice, etc. for various clients spread across diverse sectors. He conducts training on labour and employment laws. Sunil is also involved in labour law compliance audits of principal employer and contractors and has conducted on-ground labour law audit for factories. In addition, he is engaged in knowledge creation and management of the firm and keenly writes on developments in labour and employment laws.

Prior to joining BCP Associates, Sunil has 10 years of post-qualification experience in diversified portfolios of advisory, drafting, policy analysis and dispute in the domains of contracts, general civil matters, employment law, competition law and construction arbitration matters. Sunil started his career as a Law Researcher in Delhi High Court. He moved on to be part of regulatory analysis team of CIRC, a unit of CUTS International. In addition, Sunil has been part of legal team of Jindal India Thermal Power Limited. He has also taught competition law, tax law and investment law at VIPS, Delhi.

Sunil holds LL.M. from The Indian Law Institute, Delhi. He is First Rank Holder in his thesis. He completed B.A, L.L.B. (Hons.) from I.P. University, Delhi. He also holds First Rank in P.G. Diploma in Competition Policy and Laws from The National Law University, Delhi.

Chandrakala K A – Principle Associate

At BCP Associates, Chandrakala has 12+ years of experience in conducting and managing labour law compliance audits of principal employer and contractors. She is also involved in co-ordination with many clients. She has conducted on-ground labour law audit for factories. She also provides support in advising vendors on labour law queries. Chandrakala is actively involved in research and providing valuable inputs to the firm pertaining to updation in labour law audit function.

Chandrakala started her career in litigation in chamber of Sri. Ashok where she was involved in drafting, pleading and appearance before Karnataka High Courts and lower courts on the criminal side.

Chandrakala completed B.A in Arts from Kuvempu University, Shimoga in 2003 and LL.B. from Mangalore University in 2006.