Legacy Data Notice
Plain English Translation
If your organization collected personal data before the Act's commencement, Section 5(2) sets out the steps for bringing that legacy data into DPDP compliance. You are not immediately required to obtain fresh consent; however, you must send a notice to all such Data Principals "as soon as it is reasonably practicable." This notice must inform them about the data processed, the purpose, and their rights. While the Act allows you to continue processing on existing consent until a user withdraws it, failing to send this notice invalidates that transitional protection.
Technical Implementation
Required Actions (startup)
- Export the legacy user list to a CSV file.
- Send a broadcast email with the new privacy notice using a standard marketing tool.
- Archive the campaign report as proof of historical data consent management.
Required Actions (scaleup)
- Automate delivery of the DPDP notice to existing customers via CRM workflows.
- Track delivery failures (bounces) and flag those accounts for potential restriction.
- Implement a database flag `legacy_notice_sent` to track status.
Required Actions (enterprise)
- Deploy an in-app interstitial modal for historical personal data compliance that requires acknowledgement before proceeding.
- Implement immutable audit logging of notice delivery for millions of users.
- Automate retention policies to purge data for users who withdraw consent via the notice link.
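The sketch below is an added example, not part of the original workbook: it combines the scaleup actions (a `legacy_notice_sent` flag, flagging bounced accounts) with the enterprise audit-log action. It assumes a SHA-256 hash chain, which makes the log tamper-evident rather than truly immutable; `NoticeLedger`, the `restricted` field, the status values and the sample user IDs are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the hash chain

class NoticeLedger:
    """Append-only, hash-chained record of legacy-notice delivery events."""

    def __init__(self):
        self.entries = []   # audit trail; each entry commits to the previous one
        self.accounts = {}  # user_id -> {"legacy_notice_sent", "restricted"}

    @staticmethod
    def _digest(prev_hash, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def record(self, user_id, status, ts):
        """status is 'delivered' or 'bounced' (hypothetical mail-provider outcomes)."""
        if status not in ("delivered", "bounced"):
            raise ValueError(f"unknown delivery status: {status!r}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user_id": user_id, "status": status, "ts": ts}
        self.entries.append({**body, "prev": prev, "hash": self._digest(prev, body)})
        acct = self.accounts.setdefault(
            user_id, {"legacy_notice_sent": False, "restricted": False})
        if status == "delivered":
            acct.update(legacy_notice_sent=True, restricted=False)
        elif not acct["legacy_notice_sent"]:
            acct["restricted"] = True  # bounce with no prior delivery: flag for review

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("user_id", "status", "ts")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, body):
                return i
            prev = e["hash"]
        return -1

def demo():
    ledger = NoticeLedger()
    # Constructed sample events, not real delivery data.
    ledger.record("u-1001", "delivered", "2026-02-10T09:00:00Z")
    ledger.record("u-1002", "bounced", "2026-02-10T09:00:02Z")
    return ledger
```

Publishing or separately storing the latest `hash` value outside the database lets an auditor confirm that earlier delivery records were not rewritten after the fact.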
Section 5(2)(a) requires a notice informing the Data Principal of the personal data processed, the purpose, the manner of exercising rights (including withdrawal), and the manner of making a complaint to the Board.
Under Section 5(2)(b), you may continue to process existing personal data until and unless the Data Principal withdraws her consent, provided you send the required notice as soon as reasonably practicable.
The Act states in Section 5(2)(a) that the notice must be given "as soon as it is reasonably practicable" after the date of commencement of the Act.
The notice must include the personal data processed, the purpose of processing, the rights of the Data Principal (Section 6(4) and Section 13), and the complaint mechanism for the Data Protection Board.
You do not initially need new consent; Section 5(2)(b) allows continued processing based on pre-existing consent until the user withdraws consent after receiving the notice.
Yes, Section 5(2)(b) explicitly states the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
While a specific date isn't fixed in the Act, Section 5(2)(a) mandates the notice be sent "as soon as it is reasonably practicable" once the Act commences.
Auditors should review the legacy data protection compliance logs, specifically the "Output Activity Logs" showing the notice was delivered to the user base defined in the Consent Management Record.
"Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— (a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed. (b) the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |