DPDP Compliance After Employee Termination
Liability Check
Retaining an ex-employee's personal data without a legitimate, documented purpose is a direct violation of DPDP Act principles. You face penalties for every piece of unnecessary data you hold.
Why DPDP Compliance After Employee Termination is at Risk
When an employee leaves, your company still holds their **Aadhaar, PAN, bank accounts, medical records, and performance reviews**. The **DPDP Act** mandates that such **personal data** must only be retained for specific, legitimate purposes, and for no longer than absolutely necessary. Indefinite retention, or failure to secure this data post-termination, is a common compliance pitfall, leading to massive data breach risks and **DPDP penalties**. Imagine the liabilities if an ex-employee's data is compromised, or if you're audited for holding onto their personal documents unnecessarily years later. Are you still holding onto Aadhaar copies for people who left your Bangalore startup in 2020?
Common Violations
1. Retaining **personal data** (e.g., Aadhaar, PAN, contact details) of ex-employees indefinitely without a legitimate legal basis or defined retention period.
2. Failing to revoke system access (e.g., HRMS like Keka, CRM like Zoho, Slack, email) for terminated employees, creating security vulnerabilities and data breach risks.
3. Lack of a documented **data retention and deletion policy** specifically for employee data, leading to inconsistent or non-existent secure data disposal post-termination.
The Immediate Fix
Develop and implement a robust **data retention policy** for employee data, clearly defining what data is kept post-termination, for how long, and why. Create a mandatory offboarding checklist that includes timely access revocation and secure deletion/anonymisation of non-essential personal data from all systems (like Tally or greytHR).
Projected Compliance Deadline: Immediate