DPDP Act 2023 Compliance Checklist for HR and Marketing Teams

Author : Nitin Ray | Published On : 09 Jul 2026

HR and marketing are two departments that handle enormous volumes of personal data — resumes, salary details, customer contact lists, campaign analytics — and are often the last to hear about compliance requirements until it's audit season. Here's what teams in both functions need to know about the data protection bill 2023.

For HR teams: Employee data falls under the Act just like customer data does. Background check records, health information collected for insurance, and even performance review data need to be mapped, purpose-limited, and retained only as long as necessary. If your HRMS vendor doesn't have a current Data Processing Agreement, that's a gap.

For marketing teams: Every email list, every retargeting pixel, every WhatsApp campaign needs a documented, itemized consent trail. A user who opted into order updates but not marketing communications needs that distinction respected across every tool in your stack — your CRM, your ad platforms, your analytics suite.

Shared responsibilities: Both teams should know who their organization's DPO is, understand the 30-day timeline for responding to data subject requests, and be able to answer, on short notice, "where does this specific piece of data live and who else has access to it."

Getting this level of visibility manually is genuinely difficult once an organization has more than a handful of tools in its stack — automated data registries exist precisely for this reason. A fuller explanation of the underlying law and its penalty structure is available in this DPDP Act compliance overview.