• Home
    • /
  • Articles
    • /
  • 93. Digital Personal Data Protection Act (DPDP) – Data Officers, Consent, Erasure & Children’s Data

93. Digital Personal Data Protection Act (DPDP) – Data Officers, Consent, Erasure & Children’s Data

Published on: April 16, 2026
HR Systems, Tech & Governance

When Employees Start Asking Questions, is HR Ready With Real Answers?

is when HR can legitimately use personal data, and when it must stop and ask for consent. This article goes one step further.

Once HR teams begin to recognise boundaries around data use, a very practical shift follows, employees, candidates, and even former employees start asking questions. The quality of HR’s response to those questions defines whether DPDP remains a policy document or becomes a lived practice of the organisation.

What data do you have about me?

For a long time, HR operated in an environment where data transparency was largely informational and informal. An employee might occasionally ask

  • Do you still have my documents?
  • Who sees my appraisal?
  • Why do you need this information?
  • Or I am uncomfortable sharing this with anyone, so please make sure it remains only with HR

These were usually handled on a case by case basis, often verbally, often without any structured response. Under the DPDP Act, this has changed. Employees and candidates now have a clear right to ask:

  • what personal data the organisation holds about them
  • what it is being used for
  • and how they can exercise their rights if they have concerns

If someone asked this question today, can we answer it clearly, without deflecting, delaying, or calling three other people?

Someone has to be accountable and HR cannot outsource it

Not every organisation may be required to formally appoint a Data Protection Officer (DPO). But every organisation must clearly identify who is responsible for responding to queries related to personal data. In reality, this responsibility almost always touches HR first. From an HR perspective, the most practical approach is to designate a clear data contact person within HR, and ensure that this role is aligned with the organisation’s broader data governance structure.

The point is not organisational design. The point is trust. When employees raise concerns or questions about their personal data, they should not feel like they are entering a black box ‘we will get back to you’ operating model.

Consent is only meaningful if HR can track what happens next

In the earlier article, we spoke about consent at a conceptual level. This article deals with the operational reality that follows. Once HR relies on consent for any use of personal data, several expectations immediately arise

  1. HR must know when consent was taken
  2. HR must know what exactly it was taken for
  3. HR must know how consent can be withdrawn
  4. HR must be able to stop using the data once consent is withdrawn

Saying this was covered in onboarding is no longer sufficient. HR must be able to connect consent to purpose and to action. The moment consent is withdrawn, HR has to change behaviour. Not eventually. Not theoretically, Practically.

Erasure requests

Few topics create more anxiety for HR teams than data erasure. The immediate instinct is defensive

  • Can we even delete this?
  • Isn’t this required for records?
  • What if we need it later?

A data principal has the right to request erasure of personal data. The organisation has the responsibility to assess the request, and here is the crucial distinction HR must understand

  • If personal data is still required for employment purposes or legal compliance, it may be retained but that rationale must be explainable to the data principle.
  • If the purpose no longer exists, data must be erased and HR must be able to confirm that erasure, not just promise it.

This distinction plays out most clearly in recruitment.

A candidate who applied but was never interviewed has a very different erasure expectation from an employee whose records are required for statutory reasons. Erasure is not an emotional response. It is a purpose based decision.

Children’s data

Many HR professionals instinctively assume that children’s data is not part of their everyday reality. Most of the time, that assumption is valid, but there are several areas where HR may still encounter children’s personal data

  • internship programmes
  • early college collaborations
  • CSR initiatives
  • benefit schemes involving dependents

The rule here is strict

  • personal data of children requires consent from a parent or legal guardian
  • that consent must be verified
  • and tracking behavioural attributes or monitoring children’s activities is not permitted

Where children’s data appears, HR must slow down and check assumptions and consult the legal team.

An important idea- nominating a Data Principal

Just as employees nominate individuals for gratuity or insurance benefits, organisations can allow employees to nominate someone who may exercise data rights on their behalf in the event of death or incapacity. This is not presented as a compliance obligation, but is a sensible governance practice. It acknowledges something HR understands well, processes must exist for events we hope never happen.

Looking ahead

If the previous article focused on judgement, this is about readiness. Once employees start exercising their rights, HR can no longer rely on informal explanations or assumptions. In the final article, we will address the most uncomfortable dimension of all, what happens when data breaches occur not because systems failed, but because everyday HR behaviour fell short.


This article is based on the transcript of the original podcast of the same name featured in India HR Guide.
The transcript has been translated into this article with the support of AI and a human‑in‑the‑loop process.