DPDPA Compliance in Recruitment: Navigating Digital Personal Data Protection on adviti.in
Handling candidate profiles requires a stringent data architecture to safeguard applicant rights. We outline the compliance obligations the Act imposes on executive search firms that process candidate data.
India's Digital Personal Data Protection Act, 2023 is the country's first comprehensive statute on personal data protection, replacing the patchwork of rules that previously applied. For executive search firms, the implications are not peripheral. Recruitment is a data-intensive industry. Every candidate profile, every reference call note, every compensation benchmark, and every communication between a search firm and a candidate constitutes personal data under the Act's definition, and the obligations that flow from that classification are substantial.
Adviti began preparing for DPDPA compliance in mid-2023, well before the Rules were finalised. This article reflects what we have learned through that process, and what we believe every executive search firm and in-house talent function in India needs to understand.
What Counts as Personal Data in a Search Context
The DPDPA defines personal data broadly as any data about an individual who is identifiable by or in relation to that data. In a search context, this encompasses the obvious (name, contact details, employment history) and the less obvious (compensation details, the fact that a candidate is exploring opportunities, references provided about a candidate, and even the metadata of communications, such as when a candidate responded to an approach and how quickly).
The practical implication is that executive search firms cannot treat candidate information as proprietary data that belongs to the firm. The candidate, as the Data Principal under the Act, has rights over that information: the right to be told what is held and how it is processed, the right to correct and update it, the right to require its erasure once the purpose is served, and the right to withdraw consent at any time. Firms that have historically maintained large candidate databases without explicit consent frameworks are now in a legally precarious position.
Consent as the Foundation
The DPDPA permits personal data to be processed only with the Data Principal's consent or for one of the limited "legitimate uses" the Act enumerates. In a recruitment context, the consent route is the one that applies: before a firm maintains a candidate's profile, approaches them for a role, or shares their information with a client, the candidate must have given consent that is free, specific, informed, unconditional, and unambiguous, signalled by a clear affirmative action and preceded by a notice stating what data is collected and for what purpose. Consent is limited to the purpose stated in that notice, and the candidate may withdraw it at any time, after which processing on that basis must stop.
This has forced a redesign of how Adviti manages candidate relationships. Our consent framework now operates at three levels. First, a candidate who submits information through adviti.in provides consent through the form checkbox, which is explicit and documented. Second, candidates who are approached proactively are given a clear consent notice before any detailed conversation about a specific mandate begins. Third, before any candidate information is shared with a client organisation, a second explicit consent is obtained for that specific disclosure.
This is more friction than the industry has historically operated with. Some firms in the market are treating it as a compliance checkbox. We treat it as a relationship signal. Candidates who understand that Adviti handles their information with this level of care are more forthcoming in those conversations, and more likely to trust us with sensitive details about their situation.
Data Minimisation in Practice
The DPDPA limits processing to the personal data necessary for the specified purpose, and requires that data be erased once that purpose is served or consent is withdrawn, unless retention is required by law. For an executive search firm, this means having a clear and documented rationale for every data point in a candidate record, and a retention rule for each.
In practice, this has led Adviti to audit and significantly reduce the scope of the standard candidate profile we maintain. Information that was historically captured as a matter of habit (date of birth, marital status, detailed personal background) has been removed from our standard data collection unless it is directly relevant to a specific mandate and the candidate has explicitly provided it for that purpose.
The Grievance Architecture
The Act requires every Data Fiduciary (the entity that decides the purpose and means of processing, which an executive search firm is for its own candidate database) to publish the contact of a person who can answer candidates' questions about their data, and to operate an effective grievance redressal mechanism; Significant Data Fiduciaries must additionally appoint a Data Protection Officer. For executive search firms, this means having a named individual who can receive, acknowledge, and resolve complaints from candidates about data handling, and doing so within the response period prescribed under the Rules, since a candidate must exhaust this mechanism before escalating to the Data Protection Board.
Our Grievance Officer contact is published on this website. This is not a formality. Candidates have used it. The most common contact has been requests to understand what information we hold and requests for correction of outdated professional details. Having a functional mechanism for these requests, rather than a nominal compliance statement, is both the legal requirement and the right way to operate.
What Firms Should Do Now
For in-house talent functions and executive search firms that have not yet addressed DPDPA compliance systematically, the starting point is a data audit: map every category of personal data you hold, document the basis on which it was collected, identify where consent is absent or inadequate, and erase what no longer serves a documented purpose. The next step is a consent retrofit for existing databases, which is operationally demanding but legally necessary. The final step is a process redesign that builds compliant data handling into the standard workflow, rather than treating it as an overlay. Alongside consent, the Act also requires reasonable security safeguards against personal data breaches and notification of the Board and affected candidates when a breach occurs, so the candidate database needs access control, logging, and an incident procedure, not only a consent form.
The cost of non-compliance under the DPDPA is significant: the Act provides for monetary penalties of up to ₹250 crore per instance. But the more immediate business risk is reputational. In a market where senior candidates have choices, a firm's handling of their personal data is a signal of trustworthiness. Firms that handle it well will gain a competitive advantage in candidate relationships. Those that do not will lose it.
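The three-level consent framework described under "Consent as the Foundation" and the data audit described above share one mechanism: a per-purpose, per-scope consent ledger attached to each candidate record, consulted before any processing and queried by the audit. The following is an added illustration of that design, not Adviti's own system or code. The purpose names, the assumed standard field list, the candidate and client identifiers, and the sample records are all constructed for the example. Disclosure to a client requires a consent scoped to that exact client, withdrawal takes effect from the moment it is recorded, erasure removes the record outright, and the audit reports records held without live profile consent as well as fields outside the standard profile.

```python
"""Purpose-scoped consent ledger for candidate records (illustrative, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Processing purposes mirroring the three consent levels in the text (names are assumptions).
MAINTAIN_PROFILE = "maintain_profile"
APPROACH_FOR_MANDATE = "approach_for_mandate"
DISCLOSE_TO_CLIENT = "disclose_to_client"

# Assumed minimal profile; anything else in a record must be separately justified.
STANDARD_FIELDS = {"name", "email", "current_role", "employment_history"}


@dataclass
class Consent:
    purpose: str
    scope: Optional[str]              # mandate or client id; None = not tied to one mandate/client
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def covers(self, purpose: str, scope: Optional[str], at: datetime) -> bool:
        """True if this consent was live at `at` for the given purpose and scope."""
        if self.purpose != purpose or self.given_at > at:
            return False
        if self.withdrawn_at is not None and self.withdrawn_at <= at:
            return False
        if purpose == DISCLOSE_TO_CLIENT:
            return self.scope == scope    # disclosure needs consent naming that specific client
        return self.scope is None or self.scope == scope


@dataclass
class CandidateRecord:
    candidate_id: str
    data: Dict[str, str]
    consents: List[Consent] = field(default_factory=list)


class ConsentError(PermissionError):
    """Raised when an operation has no live consent behind it."""


class CandidateStore:
    def __init__(self) -> None:
        self._records: Dict[str, CandidateRecord] = {}

    def add(self, record: CandidateRecord) -> None:
        self._records[record.candidate_id] = record

    def record_consent(self, cid: str, purpose: str, scope: Optional[str], at: datetime) -> None:
        self._records[cid].consents.append(Consent(purpose, scope, at))

    def withdraw_consent(self, cid: str, purpose: str, scope: Optional[str], at: datetime) -> None:
        for c in self._records[cid].consents:
            if c.purpose == purpose and c.scope == scope and c.withdrawn_at is None:
                c.withdrawn_at = at

    def _require(self, cid: str, purpose: str, scope: Optional[str], at: datetime) -> CandidateRecord:
        rec = self._records[cid]
        if not any(c.covers(purpose, scope, at) for c in rec.consents):
            raise ConsentError(f"{cid}: no live consent for {purpose} (scope={scope})")
        return rec

    def share_with_client(self, cid: str, client_id: str, at: datetime) -> Dict[str, str]:
        """Return the standard profile for a client, only if consent names that client."""
        rec = self._require(cid, DISCLOSE_TO_CLIENT, client_id, at)
        return {k: v for k, v in rec.data.items() if k in STANDARD_FIELDS}

    def erase(self, cid: str) -> bool:
        """Erasure request from the Data Principal: drop the whole record."""
        return self._records.pop(cid, None) is not None

    def audit(self, at: datetime) -> Dict[str, List[str]]:
        """Findings per candidate: missing profile consent and non-standard fields held."""
        findings: Dict[str, List[str]] = {}
        for cid, rec in self._records.items():
            issues = []
            if not any(c.covers(MAINTAIN_PROFILE, None, at) for c in rec.consents):
                issues.append("no live consent to hold profile")
            extra = sorted(set(rec.data) - STANDARD_FIELDS)
            if extra:
                issues.append("non-standard fields held: " + ", ".join(extra))
            if issues:
                findings[cid] = issues
        return findings


def run_scenario() -> dict:
    """Constructed walk-through on two sample records; returns the outcomes for checking."""
    t_consent = datetime(2024, 1, 10, tzinfo=timezone.utc)
    t_share = datetime(2024, 2, 1, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 3, 1, tzinfo=timezone.utc)
    t_later = datetime(2024, 4, 1, tzinfo=timezone.utc)
    store = CandidateStore()
    store.add(CandidateRecord("cand-001", {"name": "A. Rao", "email": "a.rao@example.com",
                                           "current_role": "CFO", "date_of_birth": "1975-03-02"}))
    store.add(CandidateRecord("cand-002", {"name": "B. Iyer", "email": "b.iyer@example.com"}))
    store.record_consent("cand-001", MAINTAIN_PROFILE, None, t_consent)
    store.record_consent("cand-001", DISCLOSE_TO_CLIENT, "client-acme", t_consent)
    out = {"shared": store.share_with_client("cand-001", "client-acme", t_share)}
    try:
        store.share_with_client("cand-001", "client-other", t_share)   # no consent for this client
        out["other_client_blocked"] = False
    except ConsentError:
        out["other_client_blocked"] = True
    store.withdraw_consent("cand-001", DISCLOSE_TO_CLIENT, "client-acme", t_withdraw)
    try:
        store.share_with_client("cand-001", "client-acme", t_later)    # consent since withdrawn
        out["withdrawn_blocked"] = False
    except ConsentError:
        out["withdrawn_blocked"] = True
    out["audit_before_erase"] = store.audit(t_later)
    out["erased"] = store.erase("cand-002")
    out["audit_after_erase"] = store.audit(t_later)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The design choice worth noting is that every read path goes through `_require`, so a consent gap fails closed rather than being left to the recruiter's judgement, and the same ledger that gates disclosure is what the audit reads, so the audit cannot drift from what the system actually enforces.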