In this two-part series, we examine the implications of the DPDP Act for the employer and the employee. In this first part, we look at the role of the employer and the employer’s obligations towards protecting the personal data of employees.
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) received presidential assent on 11 August 2023. It protects the digital personal data of employees (Data Principals, as defined under the DPDP Act) and regulates the custodian of such data, the employer (Data Fiduciary, as defined under the DPDP Act), as well as anyone who handles or processes such data on the employer’s behalf (Data Processors). It governs the handling of personal data at every stage, from collection to storage, archival and erasure, and imposes a significant compliance burden on the employer. Employers, management and, most importantly, HR and legal teams across the industry spectrum are understandably seeking clarity on several aspects of the DPDP Act. The law has implications for the employer from the selection of a candidate until their separation from the organisation. It is therefore critical for the employer to consider the People, Process and Technology aspects before implementing the DPDP Act. Some questions that may be in the minds of employers and management teams are (not exhaustive):
Is my organization aware of the implications of the DPDP Act on the hiring process and exit process?
Is my organization taking the right measures to ensure the security of personal data of its employees?
Does my organization have robust security systems and infrastructure in place to handle employee data?
How is my organization handling and managing the personal data of exiting employees? Or how should my organization handle the personal data of ex-employees?
What skills and tools should I equip my HR, Legal, Admin and Security teams with to implement and comply with the DPDP Act?
Does my organization have personnel with the requisite skills and awareness of the DPDP Act who will be able to implement it in the organization?
Does my organization know which policies and procedures need to be updated/created to comply with the DPDP Act?
The employer should carefully consider the above and assess internally to determine its readiness to implement the DPDP Act.
Implications of the DPDP Act 2023 on Employers
Compliance with the DPDP Act: The DPDP Act makes the employer responsible for complying with the Act and the Rules in respect of any processing undertaken by it or on its behalf by a Data Processor, irrespective of any agreement to the contrary or any failure of the employee to carry out their own duties under the Act. The employer will therefore have to implement appropriate technical and organisational measures, including reasonable security safeguards, to ensure effective adherence to the provisions of the Act and the Rules.
Further, the employer may achieve this by reviewing its current policies to check for the inclusion of privacy measures, data retention protocols and data purging procedures. Additionally, it should reassess its agreements with Data Processors and other external parties who handle employee data.
Data Processing: The employer has the option to involve a Data Processor to handle personal data on its behalf for activities related to providing goods or services to Data Principals/employees, but this must be done through a valid contract. The employer must ensure that the contract with the Data Processor includes clauses that align with the compliance requirements outlined in the DPDP Act.
Data Retention: The DPDP Act obligates the employer to erase personal data once an employee withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law currently in force. Additionally, the employer is responsible for causing any Data Processor with which it has shared personal data to erase that data as well. A Data Retention Policy may be formulated by the employer in line with applicable laws.
Employee consent: Employee consent is one of the fundamental requirements under the DPDP Act. Unless one of the legitimate uses recognised by the Act applies (see below), the employer must obtain the employee’s consent before processing the employee’s personal data. Consent obtained from the employee must be ‘free, specific, informed, unconditional and unambiguous’ and must be given with a ‘clear affirmative action’ that signifies agreement to the processing of personal data for the specified purpose.
Further, the DPDP Act gives the employee the right to withdraw consent at any time. Where the processing falls under the ‘legitimate uses’ listed in the Act, such as compliance with any law or a court order, or employment-related purposes, personal data can be processed without consent.
In the employment context, the Act allows the employer to process employee personal data without obtaining consent in the following scenarios:
For employment purposes
For reasons related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information; or
For provision of any service or benefit sought by an employee.
Notice to the employee: Every request for consent must be preceded or accompanied by a notice from the employer informing the employee of the personal data to be processed and the intended purpose of the processing. The notice must be made available to the employee, at the employee’s option, in English or in any of the languages specified in the Eighth Schedule to the Constitution.
Grievance Handling: The employer must put in place an effective mechanism for addressing employee grievances. The Act requires an employer that is notified as a Significant Data Fiduciary to appoint a Data Protection Officer (DPO); other employers may choose to appoint a DPO, but must in any case publish the contact details of the DPO or of another person who can answer employees’ questions about the processing of their personal data. More clarity on DPOs may emerge once the Rules are notified. A timely grievance mechanism aligned with evolving guidelines is recommended.
Reporting of a data breach: In the event of a breach of any employee personal data, the employer shall inform the Data Protection Board and each affected employee in such form and manner as may be prescribed.
Penalty: Non-compliance with the provisions of the DPDP Act may have a significant financial impact on the employer. The Act stipulates that the employer may be levied penalties of up to INR 250 crore for a single instance of non-compliance, the highest band being for failure to take reasonable security safeguards to prevent a personal data breach. It is therefore recommended to always adopt a compliance-conscious approach while handling employee personal data and to foster such a mindset across all levels of the organisation.
In summary, it is recommended that the employer review its existing policies and procedures concerning data privacy, retention and data purging, along with its agreements with background verification (BGV) vendors and other external parties. The other critical component of compliance with the DPDP Act is ensuring that all employees who handle employee personal data are adequately trained in the Act, its prescribed Rules and the associated compliance requirements. This assessment is crucial to ensure alignment with the compliance mandates stipulated in the DPDP Act. While the employer may await the Rules for further direction on the manner of implementing the provisions of the DPDP Act, it can already work towards strengthening its privacy controls and standardising its policies.
Furthermore, since the employer remains responsible for processing carried out on its behalf, any non-compliance by a Data Processor may amount to non-compliance by the employer. Thus, if the employer engages a Data Processor to process employee personal data, it should prefer Data Processors that have mature controls for managing employee personal data and that understand the compliance requirements under the DPDP Act.
In the next part of this series, we will delve into the Rules and their implications for the employer, and any impact on employees, once the Rules are notified. It is anticipated that the DPDP Rules will be notified by the end of the month.
– Amrutha Ananth,
Advocate & Principal Associate