Navigating Digital Privacy under the DPDP Act and Labour Codes




    The implementation of the Digital Personal Data Protection (DPDP) Act, 2023 and the New Labour Rules, 2026 has fundamentally shifted employee data management from static paper files to “dynamic digital handshakes.”


    At the centre of this compliance shift is the Consent Manager—a registered entity acting as a single point of contact for employees (Data Principals) to give, manage, review, and withdraw data permissions through a centralised digital platform.

    The Compliance Reality: For modern employers, understanding the Consent Manager framework is no longer optional. It is a critical technical requirement for statutory compliance.

    Based on the DPDP Rules, 2025 (notified November 13, 2025) and the Central Labour Rules, 2026 (notified May 8, 2026), private organisations must align their internal data systems according to the following phased timeline:

    Phase 1: Consent Manager Registration (by November 13, 2026)

    Consent Managers, the platforms through which employees give, manage and withdraw consent, must be registered with the Data Protection Board of India (DPBI) under Rule 4. An employer's own HR system is not itself a Consent Manager; in this phase the employer's task is to route employee consent through a registered Consent Manager and to connect its internal systems to it.

    Phase 2: Labour Portal Alignment

    Employers must update registration particulars on the Shram Suvidha Portal to sync with interconnected databases like EPFO and ESIC.

    Phase 3: Full Enforcement

    Core rules regarding notice architecture, data principal rights, and security safeguards (Rules 3, 5–16) become fully enforceable.

    A Consent Manager is not simply a Data Protection Officer (DPO) or an HR manager within your company.

    • The Statutory Definition: A Consent Manager is a data-blind, tech-enabled intermediary entity registered with the Data Protection Board.

    • The Role: They provide an interoperable platform that gives individuals a unified digital dashboard to grant, review, manage, and withdraw consent across multiple organisations simultaneously.

    • The Employer’s Role: The employer remains the Data Fiduciary—the entity that decides the “purpose and means” of data processing. However, the Consent Manager acts as a fiduciary to the employee, holding the “keys” to their data permissions.

    The Consent Manager framework was introduced to solve the inherent power imbalance between individuals (Data Principals) and organizations (Data Fiduciaries). Under the new regime, consent is no longer a “one-time signature” buried in an employment contract.

    To be valid under Section 6(1) of the Act, consent must be free, specific, informed, unconditional and unambiguous, and it must be signified by a clear affirmative action.

    The arrival of the New Labour Rules, 2026, created technical requirements that physical paper files can no longer satisfy:

    • Aadhaar Seeding: Under Rule 6 of the OSHW (Occupational Safety, Health and Working Conditions) Central Rules, an employer can only include an Aadhaar number in a letter of appointment after obtaining explicit consent.

    • Women’s Night Shifts: Under Section 43 of the OSHW Code, written consent is mandatory for women working between 7 PM and 6 AM. The framework must link this consent to the roster system to prevent illegal scheduling.

    • The “One Registration” Linkage: Data shared on the Shram Suvidha portal auto-syncs with the EPFO and ESIC. The Consent Manager provides the “technical handshake” required to ensure that data shared across these government databases is backed by a valid, digital consent log.

    A critical legal safeguard is that the Consent Manager is statutorily prohibited from reading the data itself. Under Part B of the First Schedule to the DPDP Rules (item 2), the platform must ensure that the "manner of making available the personal data or its sharing is such that the contents thereof are not readable by it."

    Instead, it operates through a system of digital instructions:

    1. Onboarding: Employers must onboard their systems onto the Consent Manager’s interoperable platform.

    2. Digital Locker Linkage: Employees can provide access to specific data points (like educational certificates or past employment records) via a digital vault.

    3. Instruction Routing: The manager sends digital signals to employers to stop processing or erase data when an employee withdraws consent.

    The transition from static paper files to "dynamic digital handshakes" is now a statutory mandate under the DPDP Act and Rules. With the first critical registration deadline of November 13, 2026 fast approaching, and penalties for security failures reaching ₹250 crore, proactive system alignment is no longer optional; it is a business necessity.

    Ensure your organisation is compliance-ready. Partner with Aristo Legal to conduct a comprehensive audit of your data touchpoints and implement the necessary technical API hooks to navigate this new era of digital privacy.

    Q1: Is the Consent Manager framework only for employers and their employees?

    No. While it is a critical requirement for private employers to manage employee permissions lawfully, it is a universal tool for all Indian citizens to exercise their digital privacy rights. A "Data Principal" is any individual to whom the personal data relates, including customers, app users and banking clients.

    Q2: Does a withdrawal request force the employer to erase every record?

    No. Statutory retention obligations take precedence over a Data Principal's erasure request under the principle of legal necessity.

    • The 5-Year Rule: Under the Central Labour Rules, employers are legally required to preserve original registers and records (including wages, attendance logs, and core employment particulars) for a minimum of five calendar years from the date of the last entry.

    • The 7-Year Rule: The Consent Manager platform itself must preserve an immutable audit log of all granted, denied, and withdrawn permissions for at least seven years.

    • Legitimate Use Exceptions: The DPDP Act permits companies to retain specific historical records to protect against corporate liability, manage ongoing social security benefits (Gratuity, PF, ESI), or safeguard intellectual property.

    Q3: What happens when a former employee withdraws consent?

    When a former employee triggers a withdrawal request through their registered Consent Manager dashboard, a regulated chain of events follows:

    1. System Notification: The Consent Manager transmits a digital instruction to your enterprise system.

    2. Cessation of Processing: Under Section 6(6) of the Act the employer must, within a reasonable time, cease processing that individual's records and cause all third-party Data Processors (such as background verification or cloud hosting providers) to do the same. Withdrawal does not affect the lawfulness of processing carried out before it (Section 6(5)).

    3. Erasure vs. Retention: The employer must erase the data unless its retention is required by an independent statutory obligation; the retention periods listed under Q2 are the usual grounds.

    Q4: Can the Consent Manager read the employee's personal data?

    No. A Consent Manager is legally prohibited from reading the substance of the underlying personal data. Under Part B of the First Schedule to the DPDP Rules (item 2), the sharing architecture must be data-blind. The Consent Manager acts as a router for instructions and authorisations: it manages the digital handshake and verifies the authenticity of the user's choice, while the actual transfer of personal files occurs directly between the authorised entities.

    Q5: What are the statutory and operational penalties if a company fails to integrate with Consent Managers?

    Failing to integrate with the Consent Manager framework under the Digital Personal Data Protection (DPDP) Act, 2023, and the New Labour Rules, 2026, exposes a company to the following Statutory Monetary Penalties:

    • Residuary Breach: Any general failure to comply with the Act’s provisions or rules (which includes respecting digital permissions via Consent Managers) carries a penalty of up to ₹50 crore.

    • Security Failures: If the lack of integration leads to a failure in maintaining reasonable security safeguards for data, the company faces fines up to ₹250 crore.

    • Breach Notification: Failing to notify the Board and the affected Data Principals of a personal data breach (which a dynamic consent log helps trace) is punishable by up to ₹200 crore.

    To ensure your organisation is prepared for the November 2026 technical deadline, execute this compliance sprint:

    1. Audit Data Touch points: Map out every instance where employee data is collected, stored, or shared with third-party vendors (like payroll or background check agencies).

    2. Implement Tokenised Logging: Move away from open-access HR folders to programmatic, role-based access control where data cannot be transferred without an attached, time-stamped digital consent token.

    3. Bridge the API Gap: Build the necessary API hooks to receive real-time consent revocation signals from external Consent Managers.
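The instruction-routing steps above (onboarding, locker linkage, revocation signals), the withdrawal chain under Q3 and the three-step compliance sprint describe one employer-side component: a receiver that verifies a Consent Manager's instruction, updates consent state, gates every transfer on an active consent token, keeps a tamper-evident log, and decides erase-versus-retain using statutory retention periods. The Python below is an added illustration of that component, not code from any Consent Manager, regulator, HR vendor or the page's author. The message format, the HMAC-SHA256 signing with a key shared at onboarding, the five-minute freshness window and the record categories are assumptions; the five-year register retention is the figure the article quotes. Note that the instruction carries only a pseudonymous employee reference and a purpose, never the personal data itself, which is the data-blind property the page describes.

```python
"""Employer-side receiver for Consent Manager instructions (added illustration).

Assumptions not stated on the page: instructions are canonical JSON signed with
an HMAC-SHA256 key shared at onboarding, each carries a unique id and an
ISO-8601 issue time, and statutory registers are retained five years from the
last entry (the figure the article cites). All data below is constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SHARED_KEY = b"example-onboarding-key"          # constructed; not a real credential
MAX_SKEW = timedelta(minutes=5)                 # assumed freshness window
RETENTION_YEARS = {"wage_register": 5, "attendance_register": 5}  # article's 5-year rule


def sign_instruction(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Simulated Consent Manager side: canonical JSON plus an HMAC tag.
    The payload names a pseudonymous principal and a purpose only; the
    personal data never passes through the Consent Manager."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def add_years(when: datetime, years: int) -> datetime:
    try:
        return when.replace(year=when.year + years)
    except ValueError:                       # 29 February into a non-leap year
        return when.replace(year=when.year + years, day=28)


class ConsentLedger:
    """Employer-side consent state plus a hash-chained, tamper-evident audit log."""

    def __init__(self, key: bytes = SHARED_KEY, clock=None):
        self.key = key
        self.now = clock or (lambda: datetime.now(timezone.utc))
        self.active = {}      # (principal_ref, purpose) -> granting instruction id
        self.seen = set()     # instruction ids already applied (replay guard)
        self.audit = []       # entries of {"prev", "entry", "hash"}
        self._head = "0" * 64

    def _log(self, entry: dict) -> None:
        # Each record commits to the previous hash, so rewriting history breaks the chain.
        digest = hashlib.sha256((self._head + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self.audit.append({"prev": self._head, "entry": entry, "hash": digest})
        self._head = digest

    def receive(self, message: dict) -> str:
        """Verify one instruction and apply it; returns a disposition string."""
        body = message["body"]
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("mac", "")):
            self._log({"result": "rejected_bad_mac"})
            return "rejected_bad_mac"
        instr = json.loads(body)
        if abs(self.now() - datetime.fromisoformat(instr["issued_at"])) > MAX_SKEW:
            self._log({"result": "rejected_stale", "id": instr["id"]})
            return "rejected_stale"
        if instr["id"] in self.seen:
            self._log({"result": "rejected_replay", "id": instr["id"]})
            return "rejected_replay"
        key = (instr["principal_ref"], instr["purpose"])
        if instr["action"] == "grant":
            self.active[key] = instr["id"]
        elif instr["action"] == "withdraw":
            self.active.pop(key, None)
        else:
            self._log({"result": "rejected_unknown_action", "id": instr["id"]})
            return "rejected_unknown_action"
        self.seen.add(instr["id"])
        self._log({"result": "applied", **instr})
        return "applied"

    def may_share(self, principal_ref: str, purpose: str) -> bool:
        """Gate every outbound transfer on an active, logged consent."""
        return (principal_ref, purpose) in self.active

    def disposition(self, principal_ref: str, purpose: str, category: str, last_entry: datetime) -> str:
        """Erase-versus-retain decision for one record category after withdrawal."""
        if self.may_share(principal_ref, purpose):
            return "retain_consent_active"
        years = RETENTION_YEARS.get(category)
        if years and self.now() < add_years(last_entry, years):
            return "retain_statutory"
        return "erase"

    def audit_intact(self) -> bool:
        head = "0" * 64
        for rec in self.audit:
            digest = hashlib.sha256((head + json.dumps(rec["entry"], sort_keys=True)).encode()).hexdigest()
            if rec["prev"] != head or digest != rec["hash"]:
                return False
            head = rec["hash"]
        return head == self._head


def demo() -> dict:
    """Grant, replay, forgery, withdrawal and the retention check, on constructed data."""
    fixed = datetime(2026, 11, 20, tzinfo=timezone.utc)
    ledger = ConsentLedger(clock=lambda: fixed)
    base = {"principal_ref": "emp-7a2f", "purpose": "payroll_share_epfo", "issued_at": fixed.isoformat()}
    grant = sign_instruction({"id": "c-001", "action": "grant", **base})
    withdraw = sign_instruction({"id": "c-002", "action": "withdraw", **base})
    forged = dict(grant, mac="00" * 32)
    last_entry = datetime(2024, 3, 31, tzinfo=timezone.utc)   # last wage-register entry
    out = {"grant": ledger.receive(grant),
           "shares_after_grant": ledger.may_share("emp-7a2f", "payroll_share_epfo"),
           "replay": ledger.receive(grant), "forged": ledger.receive(forged),
           "withdraw": ledger.receive(withdraw),
           "shares_after_withdraw": ledger.may_share("emp-7a2f", "payroll_share_epfo"),
           "wage_register": ledger.disposition("emp-7a2f", "payroll_share_epfo", "wage_register", last_entry),
           "background_check": ledger.disposition("emp-7a2f", "payroll_share_epfo", "background_report", last_entry),
           "audit_intact": ledger.audit_intact()}
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The wage register is retained because five years from its last entry have not elapsed at the fixed clock date, while the background report, which no statutory rule in the table covers, is erased. Replayed and forged messages are logged as rejections rather than silently dropped, which is the evidence an auditor asks for.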


