DPDP Act Compliance for Recruitment Agencies: What You Need to Know
India's Digital Personal Data Protection Act carries penalties up to ₹250 crore. Only 9% of companies have consent mechanisms. Here's your compliance checklist.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data privacy law. For recruitment agencies processing candidate PII — names, emails, phone numbers, resumes, salary data — compliance is not optional. Penalties reach ₹250 crore per violation.
Why Recruitment Firms Are Especially Vulnerable
Recruitment agencies are data-intensive businesses. Every candidate profile contains personal data. Every enrichment query processes PII through third-party APIs. Every WhatsApp message, email, and phone call involves data processing. And most firms have no consent mechanisms at all: only 9% of Indian companies have them.
The 7-Point Compliance Checklist
1. Consent capture — Get explicit opt-in before processing any candidate data. This means at application, enrichment, import, and outreach touchpoints.
2. Purpose limitation — Only process data for stated purposes (recruitment). Don't repurpose candidate data for marketing without separate consent.
3. Right to erasure — Respond to deletion requests within 7 days. Provide 48-hour advance notice before deletion completion.
4. Data portability — Allow candidates to export their data in a structured format on request.
5. Breach notification — Report breaches to the Data Protection Board within 72 hours.
6. Third-party DPAs — Sign Data Processing Agreements with every vendor that handles candidate data.
7. Grievance officer — Designate a point of contact for DPDP-related queries.
How SourceIQ Makes You Compliant
SourceIQ has DPDP compliance built into the platform: consent capture at every entry point, automated erasure workflows, data export functionality, breach notification processes, and audit trails for every data access. You don't need to build compliance from scratch — it comes standard.