Under India’s Digital Personal Data Protection Act (DPDP Act 2023), background verification (BGV) must be lawful, consent-based, and transparent. This post is an HR compliance checklist for running BGV under the DPDP Act in 2026: consent, data handling, vendor selection, and what to document so your background verification stays DPDP compliant.
1. Consent for Background Verification (DPDP Must)
Consent for background verification is mandatory under the DPDP Act. Checklist:
- Obtain explicit, clear consent from the candidate before collecting personal data or running any BGV check.
- Specify purpose (e.g. pre-employment background verification) and what data you will collect (identity, education, employment, etc.).
- Record consent (timestamp, channel—e.g. secure form or portal).
- Allow withdrawal of consent where feasible; explain implications (e.g. cannot proceed with BGV).
Without valid consent, BGV can fall foul of the DPDP Act.
2. Data Minimisation and Purpose
- Collect only data necessary for the BGV checks you run.
- Use data only for the stated purpose (verification); do not use for marketing or unrelated purposes without fresh consent.
- Limit access to personal data to those who need it for BGV and compliance.
3. Vendor Selection: DPDP-Compliant BGV Provider
Your BGV provider processes candidate data on your behalf. Checklist:
- Choose a provider that is DPDP compliant and can document consent and data flows.
- Contract should cover: purpose, data handling, retention, security, sub-processors (if any), and candidate rights.
- Prefer providers with strong security and privacy practices (e.g. ISO 27001, 27701).
MPloyChek is DPDP compliant and supports explicit consent and secure data handling for background verification.
4. Storage, Retention, and Security
- Store BGV data securely (encryption, access controls).
- Define retention—keep only as long as needed for verification, legal, or policy requirements; then delete or anonymise.
- Ensure your provider does the same and can evidence it.
5. Candidate Rights (Access, Correction, Erasure)
Under the DPDP Act, data principals have rights to access, correction, and erasure. Checklist:
- Have a process for candidates to request access to their BGV-related data.
- Allow correction of inaccuracies.
- Handle erasure requests as per the Act and your retention policy.
- Respond within the timelines specified under the Act.
Summary: DPDP Act BGV Compliance Checklist for HR 2026
(1) Consent—explicit, purpose-specific, recorded. (2) Data minimisation—collect only what’s needed. (3) Vendor—use a DPDP-compliant BGV provider with clear contracts. (4) Storage & retention—secure, defined retention, then delete/anonymise. (5) Candidate rights—access, correction, erasure. For a DPDP-compliant background verification partner, see MPloyChek.
For a deeper dive on the DPDP Act and data protection, see our DPDP India compliance guide.