Compliance Guide

Manage consent versions, DSR requests, view the audit log and configure data retention policies in Ophillia HRMS.

Consent version management

Go to Compliance → Consent Versions. Each version represents a revision to your data processing notice. Click New Version, enter the version number, effective date and the full text of the notice. Mark it as Active when ready to deploy.

The next time any employee interacts with the PWA, they are shown the new consent notice and asked to accept or decline. Their choice is logged with a timestamp, the consent version ID and the employee's IP address.

💡 Employees who decline consent are flagged in the compliance dashboard. HR can review and contact them directly. Declining consent does not block their access, but the flag is recorded for DPDP compliance purposes.

How employees grant consent

Employees see the consent notice on first login and whenever a new version is activated. The notice includes a plain-language summary and a link to the full privacy policy. They click I Accept or I Decline. The choice is persisted server-side — it is not stored in browser cookies or localStorage.

DSR (Data Subject Request) flow

Go to Compliance → DSR Requests → New Request. Select the employee, request type and reason:

  • Access — export all personal data held for the employee
  • Erasure — delete personal data, subject to retention obligations
  • Portability — export data in a machine-readable format (JSON/CSV)

The request enters a review queue. The assigned HR compliance officer reviews and executes the action. The employee receives a push notification at each status change (Received, In Review, Completed). The system tracks the 30-day statutory window and alerts HR if a request is approaching the deadline.

Viewing the audit log

Go to Compliance → Audit Log. Each entry shows the timestamp, actor (user who performed the action), action type, the record affected and a before/after snapshot. The log is append-only — entries cannot be deleted or modified. Filter by date range, actor, or action type. Export as CSV for auditor review.

Retention policy configuration

Go to Compliance → Retention Policies. For each data category (Employee Records, Attendance Logs, Leave Data, Audit Entries, Communication Logs), set the retention period in months. Records past their retention date are flagged with a Due for Review status. HR reviews and confirms before the automated purge runs. Every purge action is logged in the audit trail.

⚠️ Audit log entries have a minimum retention of 7 years under Indian labour laws. The system will not allow you to set audit log retention below this threshold.

Data inventory

Go to Compliance → Data Inventory. The inventory lists every PII field in the system, the legal basis for processing it, the retention period and who can access it. You can add custom notes for your DPO (Data Protection Officer) review. Export the inventory as a PDF report for regulatory submission.