HRTech AI in India: Employee Data Governance and DPDP Compliance
How Indian HRTech platforms comply with DPDP while using AI for resume screening, performance management, and employee experience tools.
HRTech's DPDP Exposure
HRTech platforms process highly sensitive personal data at scale, often for enterprise customers with thousands of employees. Resume databases contain identity documents (PAN, Aadhaar copies), salary history, employment history, and health information (from medical insurance enrollment). Candidate pipelines contain rejected candidates' personal data that is often retained indefinitely.
The data transfer chain: candidate submits resume to job board → job board passes to ATS (Applicant Tracking System) → ATS processes through AI screening → HR manager reviews → offer/rejection. Each step involves DPDP-covered personal data processing by a different entity.
AI Screening Compliance
AI resume screening must comply with DPDP's accuracy principle (Section 8) — if your screening AI has systematic biases (gender, university tier, geography), it's potentially processing personal data inaccurately in a way that harms data principals. Document the screening model's training data, fairness metrics, and limitations.
Disclosure requirement: candidates should be informed that AI is used in screening. This isn't explicitly required by DPDP text (which requires notice about data processing, not specifically about AI use), but it's good practice and aligns with emerging AI governance expectations.
Payroll and Performance AI
Payroll AI that processes salary, deductions, PF, gratuity, and tax data touches some of the most sensitive employee personal data. This data must be strictly purpose-limited — payroll data cannot be used for performance analytics, leave prediction, or attrition modelling without separate consent.
Performance management AI (AI-generated performance scores, peer feedback analysis, productivity monitoring) requires particular care under DPDP. If AI-generated performance ratings affect compensation or career progression, employees have Section 11 rights to information about this processing — they can ask how the AI rating was calculated.
Industry operational checklist
The guidance above should be treated as an operating control, not only as a reference article. The minimum checklist is a data inventory, a stated processing purpose, owner approval, PII detection at the AI boundary, redaction or tokenisation where possible, retention limits, vendor transfer records, and a tested user-rights workflow. This checklist gives engineering and compliance teams a shared language for deciding what must be blocked, what can be allowed in shadow mode, and what needs human review before production release.
For AI systems, the review should include prompts, retrieved context, tool call arguments, model responses, logs, traces, analytics events, exports, and support attachments. Many incidents happen because teams scan only the visible form field while sensitive data moves through background context or observability tooling. CrewCheck's recommended pattern is to place the scanner at the request boundary, record the policy version, and keep audit evidence that shows which identifiers were detected and what action was taken.
A practical rollout starts with representative samples from production-like traffic. Run a DPDP scan, sort findings by identifier sensitivity and blast radius, fix Aadhaar, PAN, financial, health, children's, and precise-location exposure first, then move to consent wording, retention, deletion, and vendor review. Use shadow mode when false positives could disrupt users, and promote to enforcement only after the exceptions have owners and expiry dates.
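The boundary scanner pattern and the shadow-mode rollout described above, as an added illustration that is not CrewCheck's own code: a small Python guard that checks a prompt for PAN and Aadhaar patterns, sorts findings by sensitivity, records the policy version in an audit record, and either logs only (shadow) or redacts (enforce). The regexes are structural matches only (no checksum validation), the policy identifier is a constructed placeholder, and the sample resume text is invented.

```python
import re
from dataclasses import dataclass

POLICY_VERSION = "hrtech-dpdp-policy-v1"  # constructed placeholder, not a real policy id

# Structural patterns for two identifiers the page names. PAN: 5 letters, 4 digits, 1 letter.
# Aadhaar: 12 digits, commonly written in groups of four. Pattern matching only; no checksum.
PATTERNS = {
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "AADHAAR": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
}
# Triage order from the page: Aadhaar exposure is fixed before PAN.
SENSITIVITY = {"AADHAAR": 3, "PAN": 2}

# Constructed sample resume text, not real personal data.
SAMPLE = "Candidate: Asha Verma, PAN ABCDE1234F, Aadhaar 2345 6789 0123, 7 yrs experience."


@dataclass
class AuditRecord:
    """Evidence kept per request: which identifiers were seen and what was done."""
    policy_version: str
    mode: str
    findings: list          # (identifier_type, start, end), most sensitive first
    action: str             # allow | log-only | redact


def scan(text):
    findings = [(kind, m.start(), m.end())
                for kind, pat in PATTERNS.items() for m in pat.finditer(text)]
    return sorted(findings, key=lambda f: (-SENSITIVITY[f[0]], f[1]))


def redact(text, findings):
    # Replace matches from the end of the string so earlier offsets stay valid.
    for kind, start, end in sorted(findings, key=lambda f: -f[1]):
        text = text[:start] + f"<{kind}>" + text[end:]
    return text


def guard_prompt(text, mode="shadow"):
    """Request-boundary check. Returns (text to forward to the model, audit record)."""
    findings = scan(text)
    if not findings:
        return text, AuditRecord(POLICY_VERSION, mode, [], "allow")
    if mode == "shadow":        # observe only: prompt passes through, finding is recorded
        return text, AuditRecord(POLICY_VERSION, mode, findings, "log-only")
    return redact(text, findings), AuditRecord(POLICY_VERSION, mode, findings, "redact")
```

The audit record is what the page calls audit evidence: it ties each decision to a policy version so a later review can show which identifiers were detected and what action was taken.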
This page is educational and should be paired with legal review for final policy interpretation. The operational proof should still come from repeatable evidence: scanner results, audit exports, pull-request checks, policy configuration, and a documented owner for the workflow. That combination is what makes the content useful during buyer diligence, board review, regulatory questions, or an incident investigation.