Rajan was genuinely excited.
He is the CTO at a mid-size Gold Loan Company in Pune. Sharp, well-read, someone who follows global technology trends closely. We were sitting in his office last quarter when he pulled up a presentation from a vendor he had been speaking with for three weeks.
The pitch was for an AI-powered customer risk profiling tool. The system would take existing customer KYC data, transaction history, repayment behaviour, and communication patterns, run them through an AI model, and generate a real-time risk score for each customer. Better lending decisions. Faster fraud detection. Reduced NPA exposure.
The product looked genuinely good.
I asked one question before he could continue: “Did your customers consent to having their data used for AI-based risk profiling when they submitted their KYC?”
Rajan stopped mid-sentence.
He looked at his screen. Then back at me. Then at his legal head sitting in the corner of the room, who had the same expression.
“They consented to data collection,” he said. “That covers it, doesn’t it?”
It does not. And under India’s Digital Personal Data Protection Act, which moved into the enforcement phase in November 2025, that answer is no longer just a compliance gap. It is the beginning of a formal investigation.
This is the AI and DPDP collision that is playing out in boardrooms across India right now. Companies are excited about AI. They have data. They have tools. They have vendors with compelling demos. What they do not have is the consent architecture that makes the AI legal to run.
The 72 Percent Problem
According to the Capterra India 2025 HR Software Trends Survey, 72% of Indian organisations have already integrated AI features into their HR software. (Mondaq)
That number is not surprising. AI is being embedded into every category of enterprise software right now. Recruitment platforms use AI to screen applications. Payroll systems use AI to flag compliance anomalies. HR tools use AI to predict attrition. Customer service platforms use AI trained on past interaction logs. Lending systems use AI trained on historical repayment data.
The pattern in every case is the same. An organisation has years of accumulated personal data. A vendor offers an AI feature that can extract value from that data. The organisation says yes. The vendor activates the feature.
Nobody asks the question Rajan did not ask.
Was the original consent specific enough to cover this use?
The DPDP Act is clear on this point: the Act does not exclude personal information just because it was collected earlier or for a different stated purpose. The purpose for which data was originally collected is the boundary of what it can be used for. (Press Information Bureau)
A customer who submitted their Aadhaar and bank statement to get a personal loan consented to those documents being used for loan processing and KYC verification. They did not consent to those same documents being used to train or run an AI model that scores their creditworthiness three years later using new algorithmic methods they were never told about.
These are two different purposes. The law treats them as two different consent events.
Meera’s Attrition Model
Let me tell you about another conversation, this one with an HR head at a manufacturing company in Nashik.
Meera had been in HR for fourteen years. She was proud of what her team had built. Structured performance reviews. A reasonably disciplined appraisal process. Three years of employee data in a system that had been gradually improved from spreadsheets to a proper HRMS.
A few months ago, her company deployed an AI attrition prediction tool. The vendor connected it to the existing employee database. It analysed attendance patterns, performance scores, salary history, leave frequency, manager change history, and some social signals from internal communication tools. It produced a list every month: the employees most likely to resign in the next ninety days.
Meera found the tool genuinely useful. It helped her team have proactive conversations with people before they decided to leave.
I met her at an industry event where she mentioned this during a discussion on HR technology. She was enthusiastic. I asked the same question I had asked Rajan.
“Did your employees consent to having their data used for an AI model that predicts their resignation probability?”
Meera thought about it for a moment. “We have a standard employment contract and an HR data processing policy.”
“Does either of those documents mention AI-based attrition modelling?”
They did not.
Under the DPDP framework, employee data processing for routine HR activities like recruitment, onboarding, payroll, and performance management is treated as a legitimate use and does not require separate consent. But for non-routine purposes such as advanced monitoring, predictive profiling, and AI-driven behavioural analysis, explicit consent is required. (Mondaq)
Predicting whether someone is likely to quit, based on a pattern analysis of their work behaviour and personal leave data, is not routine HR management. It is predictive profiling. And Meera’s employees had never been told it was happening.
What the DPDP Act Actually Says About AI
The DPDP Act does not mention artificial intelligence by name. It does not need to. The principles it establishes apply to every form of personal data processing, and AI systems are among the most intensive processors of personal data that exist.
The specific provision that catches every AI deployment involving personal data is purpose limitation.
The Act allows AI training and inference on personal data only under a clear legal basis with safeguards including purpose limitation, consent, and transparency regarding downstream uses. (Skeletos)
Purpose limitation means this: data can only be used for the specific purpose for which it was collected and for which consent was obtained. Using it for anything else requires fresh consent for the new purpose.
When a customer submits their income documents during a loan application, the consent they provide covers the loan processing. It does not automatically extend to training a fraud detection model. When an employee submits their performance review, the consent covers the appraisal process. It does not automatically extend to feeding the data into an attrition prediction algorithm.
For any AI feature deployed in India in 2026, the law requires documented consent or lawful basis for any training data containing personal information, an audit log of AI decisions affecting individuals such as credit scoring, hiring, or fraud flags, and a human override mechanism for adverse AI decisions affecting users. (Lexology)
Three specific requirements. Most Indian companies using AI today cannot demonstrate compliance with any of the three.
The Data Fiduciary Trap
Here is the part of this story that surprises even technically sophisticated CTOs.
When your company uses an AI tool built on top of a third-party platform, whether that is a vendor product, a GPT-based chatbot, or an open-source model you have deployed, you are still the Data Fiduciary under DPDP.
If you build a feature or product on top of an AI service like GPT-4, Gemini, or any other model, you determine the purpose of processing. The AI provider is not the Data Fiduciary. You are. (Lexology)
This matters enormously because it is the most common misconception I encounter in conversations with Indian companies deploying AI.
The thinking goes: “We are using a vendor’s AI tool. The AI provider is responsible for compliance.”
That is not how the Act works. Your customer gave their data to your company. Your company decided to process it through an AI tool. Your company is the Data Fiduciary. The vendor is your Data Processor. If the AI model processes personal data in a way that violates DPDP, the investigation starts with you, not with your vendor.
The Data Protection Board initiated its first enforcement actions in Q1 2026 against several app developers found to be processing data without valid consent or with inadequate retention policies. (India Briefing)
These early cases are app developers. The next wave of enforcement will reach companies using AI on customer and employee data without updated consent frameworks. The question is not whether this will happen. It is which organisations will be ready when it does.
The Specific Problem With HR Data and AI
Of all the categories of personal data that Indian companies are currently feeding into AI systems without fully mapping their DPDP obligations, employee data is the most exposed.
The reason is structural. Between 2022 and 2024, Indian organisations treated AI as a series of discrete experiments: a chatbot in one business unit, a screening tool in another, a sentiment dashboard for a single team. Each of these experiments used employee data collected for routine HR purposes and repurposed it for AI analytics. (Mondaq)
The data was already there. The tool was affordable. Nobody connected the new AI feature to the original consent under which the data was collected.
This creates a specific exposure map for any organisation using AI tools that touch employee data:
- Resume screening AI uses candidate data submitted for a specific job opening. Using it to train a broader hiring model, or to profile candidates across future roles they did not apply for, is a new purpose.
- Attrition prediction AI uses performance data, attendance records, leave patterns, and sometimes communication metadata. None of this was collected with AI-driven behavioural prediction as a stated purpose.
- Sentiment analysis AI processing internal communication data to gauge team morale is an active monitoring activity that requires specific consent under DPDP and specific disclosure to employees.
- Payroll anomaly detection AI processing salary and attendance data for fraud flags is a different purpose from the original payroll processing consent.
In every case, the organisation has the data. The AI feature is technically functional. The DPDP consent trail for the new purpose does not exist.
What Governed Data Looks Like Before You Point AI at It
The companies that will navigate this well are not the ones that stop using AI. They are the ones that build the data governance foundation before deploying AI on top of it.
That foundation has three components that are all operational, not just policy documents.
- First: a clear purpose registry. Every dataset that holds personal data must have a documented purpose for which it was collected and consented to. When a new AI feature proposes to use that dataset, the purpose registry is checked. If the new purpose falls outside the documented consent scope, fresh consent is collected before the AI runs. This is not a complex system. It is a discipline. But it requires a structured data environment where you can actually see and control what data exists and what it is consented for.
- Second: a consent update mechanism. Most Indian organisations have no mechanism to push a consent update to existing customers or employees when a new processing purpose is introduced. A DPDP-compliant AI deployment requires exactly this capability. Before the attrition prediction model goes live, affected employees need to receive a clear notice explaining what data will be used, for what purpose, and what the outcome of the AI analysis will be. They need the ability to object.
- Third: a data lifecycle that matches the AI model’s lifecycle. If a customer requests deletion of their data under DPDP and that data was used to train an AI model, the question of whether the model must be retrained becomes an existential engineering question. Legal experts advise documenting best-effort technical measures, such as retrieval-augmented architectures where data is accessed at inference time rather than baked into model weights, to argue compliance. This architectural decision must be made before the model is built, not after a deletion request arrives. (Lexology)
This is where a structured HRMS becomes the foundation of DPDP-compliant AI, not just a nice-to-have. OfficeSIA governs employee personal data with documented purpose records, access controls, consent management, and retention policies. When an HR team wants to deploy an AI attrition tool, the data governance layer already exists. They can answer the DPDP questions before the vendor presentation ends, not six months after the tool goes live.
The same principle applies to customer data in banking and NBFC environments. AI tools built on ungoverned, undocumented data create liability that grows with every query the AI processes. AI tools built on governed data with documented consent trails create a defensible position the moment a regulator asks.
What to Do Before Your Next AI Deployment
These are practical steps, not a compliance checklist. They are the things Rajan and Meera both needed before their AI conversations went further.
- Map the data before you evaluate the tool. Before any AI vendor presents a demo, your team should be able to answer: what data will this AI use, what was that data originally collected for, and what consent did the affected individuals give at collection time? If you cannot answer these questions, the AI conversation should wait until you can.
- Update your privacy notice before the AI goes live. Privacy notices must mention AI processing of personal data if it occurs. If your current notice does not include this, it must be updated and redistributed before the AI feature activates. (Lexology)
- Treat AI decisions affecting individuals as employment or credit decisions, not technical outputs. AI-assisted HR decisions are treated as employment decisions under the law, not technical processes. Employers remain accountable even when using third-party AI tools. Transparency and human oversight are increasingly expected. An AI model that recommends not hiring someone or flags someone as a flight risk has made a consequential decision about a real person. DPDP requires a human review mechanism and a disclosure pathway. (Deloitte)
- Audit your existing AI deployments for purpose limitation gaps. If you have AI features currently running on customer or employee data, run a purpose audit. For each AI feature, document the data it uses, the original consent scope for that data, and whether the AI purpose falls within that scope. Where it does not, either get fresh consent or pause the feature until you do.
- Build your HRMS as the governed foundation, not as an afterthought. If employee data lives in spreadsheets, email archives, and disconnected payroll systems, DPDP-compliant AI HR is structurally impossible. You cannot document a consent trail for data you cannot locate. A structured HRMS with purpose-linked data management, consent records, and access controls is the prerequisite, not the optional upgrade.
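As an added illustration of the purpose registry described in the first governance component above and the purpose audit in the steps just listed (example code written for this article, not OfficeSIA's or any vendor's implementation; the dataset names, purpose labels and feature definitions are constructed), this is the check a team can run before an AI feature is allowed to read a dataset:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DatasetRecord:
    """Purpose-registry entry: what a dataset was collected and consented for."""
    name: str
    consented_purposes: frozenset             # purposes disclosed at collection time
    legitimate_uses: frozenset = frozenset()  # routine uses needing no separate consent

@dataclass(frozen=True)
class AIFeature:
    """A proposed AI deployment: the datasets it reads and the purpose it adds."""
    name: str
    datasets: tuple
    purpose: str
    audit_log: bool        # decisions affecting individuals are logged
    human_override: bool   # adverse decisions can be reviewed by a person

@dataclass
class AuditFinding:
    feature: str
    status: str                      # "ok" or "blocked"
    reasons: list = field(default_factory=list)

def audit_feature(registry, feature):
    """Block a feature if any dataset is unregistered, its purpose is outside the
    dataset's consented/legitimate scope, or the audit log / override are missing."""
    reasons = []
    for name in feature.datasets:
        rec = registry.get(name)
        if rec is None:
            reasons.append(f"{name}: not in purpose registry, consent trail cannot be located")
        elif feature.purpose not in rec.consented_purposes | rec.legitimate_uses:
            reasons.append(f"{name}: purpose '{feature.purpose}' is outside consented scope "
                           f"{sorted(rec.consented_purposes | rec.legitimate_uses)}; fresh consent required")
    if not feature.audit_log:
        reasons.append("no audit log of AI decisions affecting individuals")
    if not feature.human_override:
        reasons.append("no human override mechanism for adverse AI decisions")
    return AuditFinding(feature.name, "blocked" if reasons else "ok", reasons)

# Constructed registry: the KYC dataset has been re-consented for AI risk
# profiling; the HR datasets only carry their routine legitimate uses.
REGISTRY = {
    "loan_kyc": DatasetRecord("loan_kyc", frozenset({"loan_processing", "kyc_verification",
                                                     "ai_risk_profiling"})),
    "hr_performance": DatasetRecord("hr_performance", frozenset(),
                                    frozenset({"performance_management", "payroll"})),
    "hr_attendance": DatasetRecord("hr_attendance", frozenset(), frozenset({"payroll"})),
}

RISK_SCORING = AIFeature("customer_risk_score", ("loan_kyc",), "ai_risk_profiling", True, True)
ATTRITION_MODEL = AIFeature("attrition_prediction", ("hr_performance", "hr_attendance", "chat_metadata"),
                            "attrition_prediction", audit_log=False, human_override=False)
```

Running `audit_feature(REGISTRY, ATTRITION_MODEL)` returns a blocked finding with one reason per dataset plus the two missing controls, while the re-consented risk-scoring feature passes; the same function can be run over every live feature for the purpose audit.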
The Bigger Picture
Rajan’s situation and Meera’s situation are not unique. They are representative.
India’s AI adoption in enterprise software is moving faster than most organisations’ legal and governance readiness. The pace of AI adoption continues to outstrip legal, governance, and risk frameworks across organisations globally. In 2026, AI governance will be judged less by aspirational principles and more by documented processes, controls, and accountability. (Vistainfosec)
The DPDP Act’s enforcement mechanism is not designed to punish early adopters who made honest mistakes while frameworks were still forming. It is designed to create accountability for organisations that continued using data in ways they knew, or should have known, required fresh governance.
The distinction between those two categories is documentation. An organisation that maps its data, identifies the gaps, updates its consent framework, and deploys AI on a governed foundation is making a defensible good-faith effort. An organisation that receives the same advice and does nothing is not.
The first enforcement wave hit app developers. The second will reach enterprises. The organisations that are working through their AI data governance now are the ones who will not feature in the second wave’s headlines.
Final Thought
I spoke with Rajan again recently. He put the AI risk profiling tool on hold. Not permanently. He is working with his legal team to map the consent gaps, update the privacy notice, and build the proper consent collection into the customer onboarding flow. The tool will go live when the data is ready.
It will take three more months. His losses from borrower fraud in that period will be marginally higher than they would have been with the AI tool running. That is a real cost.
But the alternative, running AI on undocumented consent until the Data Protection Board arrives, is a different kind of cost entirely.
Meera also paused her attrition prediction model. She is working on an employee communication that explains the tool, what it analyses, and how to opt out. Some employees will. The model will be less accurate as a result.
That is an honest trade-off. The DPDP Act is built on the principle that individuals have the right to know how their data is being used and to say no.
AI does not exempt any company from that principle. It extends it.
At Skeletos IT Services, we help Indian companies build the governed data foundation that makes AI deployment legally defensible under the DPDP Act. OfficeSIA, our HRMS platform, manages employee data with documented purpose records, consent management, and access controls that satisfy DPDP obligations before any AI tool is pointed at the data. If you want to understand whether your current data environment is ready for the AI tools you are planning to deploy, let us help you find out.