For years, data breaches were associated with hackers, headlines, and massive leaks. Under India’s Digital Personal Data Protection (DPDP) Act, that definition has fundamentally changed. A breach no longer needs to be loud or malicious; it only needs personal data to fall outside authorised control.

HR teams sit at the center of this shift. From resumes and ID proofs to payroll details and background verification reports, HR manages some of the organisation’s most sensitive data. Everyday actions such as sending documents to the wrong email address, failing to revoke access after exits, retaining old employee records, or reusing candidate data without fresh consent can all qualify as data breaches under DPDP.

The law doesn’t assess intent first. It looks at whether data was accessed without authorisation, disclosed unintentionally, used beyond consent, or retained without purpose. Even vendor mishandling remains the organisation’s responsibility. DPDP expects timely breach identification, risk assessment, corrective action, and notifications where required, making clear processes and secure systems essential for HR teams.

The goal isn’t to slow hiring or operations, but to design smarter workflows. When HR understands what truly constitutes a breach, compliance becomes practical, not paralysing, and trust becomes a real competitive advantage.