DPDP Rules for Workplace AI: 14 Questions India CISOs Must Score Before Notification — gStride AI

India's Digital Personal Data Protection Act 2023 is law; the Rules that operationalise consent mechanics, breach SLA, and Data Protection Board enforcement are expected in late 2025 or 2026. For India IT services, BPO, and SaaS firms running workplace AI, the time to score vendors is now — not after the notification drops. These 14 questions are the scoring sheet a CISO or DPO can run on each productivity, scoring, or monitoring vendor in 90 minutes.

DPDP vendor risk assessment is a 14-question scoring exercise across five blocks — consent & lawful basis (Q1-3), purpose & minimisation (Q4-6), data-fiduciary & processor duty (Q7-9), breach & rights (Q10-13), and the surveillance-on-default halt (Q14). A vendor needs pass on Q14 and at least 11 of the remaining 13 to be deployable. Verify current Rule status with counsel for your jurisdiction; treat Rule-specific anchors as patchable until notification.

Fact. The Digital Personal Data Protection Act 2023 is India's first cross-sector data-protection statute, passed in 2023; operative DPDP Rules are expected to be notified in late 2025 or 2026 (subject to revision).

Fact. DPDP Section 8 imposes obligations on the employer as data fiduciary, including a documented basis for processing each personal-data category and a DPIA where AI inference applies to employee data.

Fact. DPDP penalty bands run up to INR 250 crore per violation in the statute, with the exact amount tied to violation class; verify with counsel for your jurisdiction.

Fact. The working assumption among India CISOs in early 2026 is a 72-hour Data Protection Board breach notification window with a 24-hour vendor-to-employer intake SLA; final timing is set in the DPDP Rules.

Fact. Q14 of the gStride DPDP worksheet is a halt question — surveillance-on-default vendors fire the halt verdict regardless of score across the other 13 questions.

DPDP Act 2023 backdrop & Rules timeline

The Digital Personal Data Protection Act 2023 is India's first cross-sector data-protection statute. It was passed in 2023 and covers digital personal data processed within India — including data of employees, contractors, and gig workers. The Act sets the obligations of data fiduciaries (the employer who decides why and how data is processed), data processors (the vendor who processes on instruction), and data principals (the individual). The Data Protection Board is the enforcement body. Penalty bands run up to INR 250 crore per violation in the statute — the exact amount depends on the violation class and is subject to revision in implementing Rules, so verify with counsel.

The DPDP Rules — the operative regulations that set the form of notice, the consent mechanics, the breach-notification timeline, and the Board's procedures — are expected to be notified in late 2025 or 2026. The exact date is subject to change as the Ministry finalises the draft; verify the current status with counsel for your jurisdiction. The working assumption in early 2026 is that the Rules close out by late 2026; many enterprise CISOs are scoring vendors against the statute now so that the Rule-specific tightening is patchable rather than blocking.

For India IT services and BPO firms serving global clients, the cross-border layer matters: data of EU workers processed in India falls under both DPDP and the EU AI Act. See our companion EU AI Act vendor readiness 14 questions for the EU-side framework; the practical sequence is to score the vendor under DPDP first, then run the EU AI Act scorecard on the same vendor where EU workers or EU clients are in scope.

The 14-question framework, grouped

The 14 questions split into five anchor blocks. Q14 is a halt question. Score each pass / partial / fail. The verdict math is at the bottom.

Block A — Consent & lawful basis (Q1-3)

  1. Lawful basis declared per inference. For each AI inference the vendor produces (productivity score, idle classification, focus signal, allocation), has the vendor named the lawful basis under DPDP — consent under Section 6 or a legitimate use under Section 7? “We rely on the employer’s contract” without a specific basis is fail.
  2. Consent mechanics shipped. Where consent is the basis, does the vendor ship the consent capture surface, the withdrawal path, and the consent log — or does the employer have to build it? An employer building consent infrastructure from scratch for a vendor is a partial at best.
  3. Section 7 legitimate-use map. Where Section 7 employment provisions are the basis, does the vendor's deployer kit name which specific clause the inference rests on, with the narrative argument? Vague reliance on “legitimate interest” is fail.

Block B — Purpose & minimisation (Q4-6)

  4. Stated purpose per data category. Does the vendor document the specific processing purpose for each data category captured — activity events, application context, focus signal, identifier, location? “Productivity” as a purpose is not specific enough.
  5. Data-minimisation evidence. Can the vendor show that each captured signal is necessary for a stated purpose — not just useful? Purpose-limitation under DPDP is stronger than “could be helpful one day”.
  6. Retention schedule per category. Is there a written retention schedule per data category with a documented destruction process? “Forever” or “until customer requests” is fail.

Block C — Data-fiduciary & processor duty (Q7-9)

  7. Processor-fiduciary contract terms. Does the vendor's DPA explicitly position the vendor as data processor and the employer as data fiduciary, with the Section 8 obligations mirrored in writing? Many vendors are still on pre-DPDP DPA templates — check the date.
  8. Sub-processor disclosure. Is there a current sub-processor list (cloud, analytics, model providers) with locations and a change-notification SLA? An out-of-date sub-processor list is a fail by definition.
  9. Data residency option. Can the deployment be run with primary data residency in India, including model inference where AI is in use? Cross-border transfer is allowed under DPDP, but the option to keep data in-country matters for BFSI, gov, and regulated-sector buyers.

Block D — Breach, rights, audit (Q10-13)

  10. Breach intake SLA. Is there a written 24-hour breach-intake SLA from vendor to employer, with a documented escalation chain and a forensics-ready audit trail? DPDP Board notification timing is set in Rules; the working assumption is 72 hours from employer to Board, so vendor-to-employer must beat that.
  11. Data-principal rights routing. Can a worker exercise access, correction, erasure, and grievance rights through the deployment, with a documented path the employer can publish? “Email support” is partial.
  12. Grievance officer point of contact. Is the vendor's grievance officer named in the contract, with response SLA? Significant data fiduciaries have specific obligations here; check if your deployment volume crosses any threshold.
  13. Audit-trail export. Can the deployer pull a regulator-ready audit trail in under 30 minutes — capture, inference, decision, override — for any worker-affecting decision in the last 12 months?

Block E — Surveillance-on-default halt (Q14)

  14. Surveillance-on-default halt. Does the vendor ship screenshots, keystroke capture, webcam or microphone surveillance switched off by default per role, team, and feature? If the default is on, score the vendor halt regardless of any other passes. DPDP's purpose-limitation and data-minimisation principles are not consistent with default-on surveillance, even where consent is technically obtained.

Score it live, not after the contract. The 14 questions are built into the interactive DPDP Vendor Risk Assessment Worksheet. Pass / partial / fail per question in the browser, verdict band instantly, emailed PDF for your buying committee. Free, no card. Or browse the full gStride compliance resources hub.

How buyers should score — the rubric primer

Score by evidence, not by intent. Vendors will offer to walk you through nuance, especially around Section 7 legitimate-use arguments. Resist that until the scorecard is done. The point of pass / partial / fail is to remove the nuance and put each anchor on a line; counsel handles the nuance after.

  • Pass means written evidence with a date and an owner, viewable inside 24 hours of request. A slide deck is not evidence; the DPA clause, the consent log specimen, and the retention schedule are.
  • Partial means a credible delivery date inside Q2-Q3 2026 with a named owner and a milestone visible this quarter. Where the anchor depends on Rule-specific language (breach SLA timing, grievance officer threshold), partial is the right score until notification.
  • Fail means no answer, evasive answer, or an answer that contradicts the contract. Q14 fail is a halt — do not score the rest until the default is fixed.

Run the worksheet with two reviewers: a CISO or DPO who can read the DPA, and a procurement lead who controls the contract. Score independently, reconcile, then take only the disputed anchors to counsel.

Expected scorecard band by vendor archetype

The table below summarises how five common workplace-monitoring archetypes typically score against the 14-question DPDP framework. It describes vendor-archetype defaults observed in product documentation and marketing material as of May 2026; specific deployments may vary by configuration choices. Verify the actual configuration with the vendor in writing, and verify your specific obligations with counsel for your jurisdiction.

DPDP vendor archetype band — default-configuration read, May 2026
Vendor archetype | Surveillance default | Emotion / sentiment inference (DPDP Section 8 risk) | Human-oversight workflow | Expected 14-Q band
Hubstaff (default install) | ON (screenshots, activity %) | No | Ad-hoc | At-risk (6-8 pass)
Time Doctor (default install) | ON (screenshots, app/URL capture) | No | Ad-hoc | At-risk (6-8 pass)
Teramind (default install) | ON (screen, keystroke, video) | Yes — behavioural / sentiment features (DPDP Section 8 exposure on minimisation) | None / vendor-defined | Halt (Q14 fail)
ActivTrak (default install) | ON (continuous activity capture) | Yes — productivity / focus inferences marketed as wellbeing | Ad-hoc | Halt or At-risk
gStride (default install) | OFF (capture off; outcome-signal default) | No — category excluded by design | Documented (named reviewer, override authority, audit trail) | Ready (12-14 pass) on the architecture; Rule-specific anchors patchable on notification

Reading note. Archetype band describes the out-of-the-box configuration as advertised in vendor marketing, not a per-tenant audit. The Q14 halt fires on default-on capture regardless of how many other anchors a vendor can configure into compliance — the principle DPDP enforces is purpose limitation, and default-on capture is not consistent with it.

Verdict bands — what to do at each

Verdict band | Scorecard pattern | What to do
Ready (12-14 pass) | Pass on Q14, pass on Q1-3 and Q10; partials only in Rule-pending anchors | Proceed to deployment. Set a quarterly re-review tied to Rule-notification milestones.
Patchable (9-11 pass) | Pass on Q14; partials clustered in breach SLA, grievance officer, or sub-processor list | Conditional deployment with a 30-day patch plan. Hold renewal on patch completion.
At-risk (6-8 pass) | Pass on Q14; three or more fails across Block A or Block C | Parallel-track an alternate vendor. Do not renew past Q3 2026 unless lawful-basis and processor gaps close.
Halt (any Q14 fail) | Surveillance-on-default deployment, or scorecard shows the vendor never designed for purpose limitation | Replace the vendor. Build the migration plan now — the Rule notification is the latest you can wait.

The Q14 halt — why it is the load-bearing question

Q14 carries weight because it is the cheapest fail to identify and the most expensive fail to live with. A vendor that ships surveillance switched on by default is making a design statement: capture first, justify later. That posture is inconsistent with DPDP's purpose-limitation and data-minimisation principles, with the EU AI Act's high-risk obligations for any cross-border deployment, and with the brand position of any India IT services or BPO firm serving global clients. The honest framing: surveillance-on-default vendors have known about DPDP since 2023; the fact that the default has not flipped tells you what the roadmap priorities are.

For the architecture that holds up under DPDP scoring — capture and inference separated, AI framed as recommendation to a human, off-default monitoring, and a deployer kit shipped with the product — see our behavior signals framework and the anti-surveillance productivity stack. The DPDP lens on screenshots specifically is in how often should you take employee screenshots.

India IT services & BPO — the cross-border angle

Most India IT services and BPO buyers also serve EU or US clients. The DPDP scorecard does not replace the EU AI Act scorecard for those deployments — it sequences before it. Run DPDP first because India is where you are headquartered and where the Board enforces; run the AI Act scorecard second on any vendor that touches EU worker data or informs decisions about EU workers. The cross-border data-flow question (Q9 in this scorecard) is the bridge: if your DPA does not let you choose primary data residency, your EU AI Act conformity argument gets harder.

For the BPO and India IT services lens specifically, see BPO workforce management software in India for the shift, attrition, and DPDP layering, and Hubstaff alternative for India for the INR pricing and payroll context.

Score your vendor against the 14 DPDP questions

The interactive DPDP Vendor Risk Assessment Worksheet runs in the browser. Pass / partial / fail per question, instant verdict band, emailed PDF for your buying committee. Free, no card. Pair it with the EU AI Act scorecard if you serve EU clients. Reviewing the deployer side too? Read how gStride is built on the DPDP Act Compliant Productivity Intelligence Platform architecture — consent-first capture, Section 5 notice linked to every toggle, Data Principal Rights as features rather than ticket queues.

Frequently asked questions

When do the DPDP Rules take effect for workplace AI in India?

The Digital Personal Data Protection Act 2023 is the statute; the DPDP Rules that operationalise it are expected to be notified in late 2025 or 2026. The Act is passed law; the Rules are what set the consent mechanics, notice form, breach SLA, and the Data Protection Board's enforcement machinery. The dates are subject to change as the Ministry finalises the Rules; verify current status with counsel for your jurisdiction. Workplace AI vendors should be scored against the statute as written, with Rule-specific anchors treated as patchable until notification.

Does DPDP cover employee data and workplace AI inferences?

Yes. The DPDP Act covers digital personal data processed within India, including data of employees, contractors, and gig workers. Workplace AI that processes activity signal, focus inference, productivity score, idle classification, or any identifier-linked behavioural data falls under the Act's data-fiduciary obligations on the employer and the data-processor obligations on the vendor. The consent layer is the most contested part — employment is not free consent in DPDP's design, so employer reliance on legitimate use cases under Section 7 needs to be deliberate and documented.

What is the surveillance-on-default halt question?

Q14 in the scorecard is a halt question: if the vendor ships screenshots, keystroke capture, webcam or microphone surveillance switched on by default, score the vendor halt regardless of any other passes. DPDP's purpose-limitation and data-minimisation principles are not consistent with default-on surveillance, even where consent is technically obtained. Indian works-council and labour-law overlays make this harder, not easier. A surveillance-on-default deployment is an enforcement trigger for the Data Protection Board and a brand risk for any India IT services or BPO firm serving global clients.

What breach SLA should India CISOs demand from a workplace AI vendor?

DPDP requires breach notification to the Data Protection Board and affected data principals. The exact timeline and form are set in the Rules; the working assumption among India CISOs in early 2026 is 72 hours to the Board with a 24-hour intake SLA from the vendor. Score a vendor pass if the contract has a written 24-hour breach intake from vendor to employer, a documented escalation chain, and a forensics-ready audit trail. Verify the final Rule timeline with counsel.

How does DPDP interact with EU AI Act for India IT services serving EU clients?

India IT services and BPO firms that handle data of EU workers, or whose AI inferences inform decisions about EU workers, fall under both DPDP and the EU AI Act. The DPDP layer governs consent, purpose, and breach for the India-side processing; the AI Act layer adds Annex III high-risk obligations on top where the AI informs employment decisions. Practical sequence: score the vendor under DPDP first (the statute India enforces), then run the EU AI Act Vendor Scorecard on the same vendor where EU workers or EU clients are in scope.

What is the DPDP Vendor Risk Assessment Worksheet and how does it work?

The DPDP Vendor Risk Assessment Worksheet is an interactive 14-question evaluator. Each question maps to a DPDP Act obligation (consent under Sections 4-6, purpose limitation, Section 8 data-fiduciary duty, breach under Sections 11-14) with one halt anchor on Q14 for surveillance-on-default vendors. Score each question 0/1/3/5 in the browser; the worksheet produces a verdict band (Ready, Patchable, At-Risk, Halt) with a recommended next step. Free, no card, runs in the browser. See the full set of compliance worksheets on the resources hub.

What is a Significant Data Fiduciary under DPDP, and does it apply to my deployment?

Section 10 of the DPDP Act lets the Central Government designate certain data fiduciaries as Significant Data Fiduciaries based on volume and sensitivity of personal data, risk to data principals, and other listed factors. Significant Data Fiduciaries have additional obligations — appointing a DPO based in India, commissioning periodic Data Protection Impact Assessments, and undergoing independent data audits. The thresholds and class designations are set by the Central Government and will be operationalised through the DPDP Rules; verify whether your deployment crosses a designated threshold with counsel for your jurisdiction. The 14-question worksheet flags the Significant Data Fiduciary anchors (Q9, Q10, Q11) so deployments at or near the threshold can pre-build the obligation set.

This article describes the DPDP Act 2023 as it applies to workplace AI vendor selection as of May 2026. The DPDP Rules are expected to be notified in late 2025 or 2026; exact timing is subject to revision. Verify specific obligations, deadlines, breach SLA, grievance-officer thresholds, and penalty schedules with legal counsel for your jurisdiction. The 14-question worksheet is a buyer aid, not legal advice.