Pending the implementation of the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) enacted under the Information Technology Act, 2000 (“IT Act”) form the primary law for the protection of personal data in India. The SPDI Rules prescribe procedures for the lawful collection of personal data and seek organisations’ adherence to reasonable security standards. 

Employers are required to adhere to the requirements of the SPDI Rules in respect of their employees and recruitment processes. Similarly, the DPDPA introduces changes to the existing data protection landscape which may require employers to modify internal processes and documentation. This note seeks to provide an overview of such changes and the potential impact they may have on employers’ operational practices.