In this snippet from Spice Route Legal’s Cocktails & Compliance – Financial Services Edition, Vishnu Naduvakkad (Associate) discusses how organisations should treat legacy customer data under India’s Digital Personal Data Protection Act, 2023 (DPDPA). The session explores whether organisations must obtain fresh consent for personal data collected prior to the Act’s implementation, and how businesses can align existing data practices with DPDPA requirements. Key themes discussed include:

• Treatment of legacy customer data under DPDPA
• Whether fresh consent is required for previously collected personal data
• Aligning historical datasets with DPDPA consent frameworks
• Practical considerations for organisations transitioning to the new data protection regime

Bonus: Aadhaar Data – Key Regulatory Considerations The discussion also touches on the processing of Aadhaar data, highlighting the regulatory restrictions and compliance considerations organisations must keep in mind when collecting, storing, or processing Aadhaar identifiers under India’s Digital Personal Data Protection Act, 2023 (DPDPA).