The recently rolled out DPDP reforms combine with insurance regulations to raise compliance responsibilities and alter how the industry does business in many ways, write Shatakshi Komal and Suvrat Bahuguna

The Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025 (collectively the DPDP), aim to revamp India’s current data protection regime, which is governed by the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

With the enforcement of the DPDP, organisations operating in India, as well as those outside India offering goods or services to Indian individuals, are re-evaluating their data governance frameworks. The implications for the Indian insurance sector are particularly profound, given its reliance on large-scale digital data collection, storage and processing.

The sector is not new to data protection norms. The Insurance Regulatory and Development Authority of India (IRDAI) has long maintained operational and cybersecurity standards. Most recently, this was through the Information and Cyber Security Guidelines, 2023 (cybersecurity guidelines), issued on 24 March 2023, and multiple operational circulars designed to integrate technology and protect the confidentiality of policyholders’ data.

The DPDP, however, takes this further into a legally enforceable, rights-based regime that directly addresses individuals’ personal data rights and overhauls how entities in India collect, process and use personal data.

Digital mandate

In past years, the IRDAI has promoted technological innovation to enhance efficiency and customer experience in the insurance sector. The IRDAI (Protection of Policyholders’ Interests, Operations and Allied Matters of Insurers) Regulations, 2024, mandate the digital issuance of all new insurance policies, with physical copies provided only on request. Policyholders must maintain an electronic insurance account, which insurers are required to facilitate.

Further, the IRDAI Master Circular on General Insurance, 2024, requires insurers to implement end-to-end digital solutions covering policy issuance, claims processing and grievance redressal. These initiatives aim to improve efficiency, data security and customer experience across the sector.

Threats to data

Despite advanced software, robust technology and best-effort security protocols, the insurance sector, like any other sector, faces significant cyber risks. Threat actors continue to exploit system vulnerabilities ranging from unauthorised access and ransomware attacks to the illegal monetisation of personal data.

India’s insurance sector, with a compound annual growth rate (CAGR) of about 17% over the past two decades (as quoted by the India Brand Equity Foundation), is a rapidly growing sector that handles vast quantities of sensitive personal and financial data, making it an attractive target for cybercrime.

Notable breaches

February 2025. The customer data of Niva Bupa Health Insurance was accessed and published on a fraudulent website demanding ransom. The insurer obtained a Delhi High Court order for the deletion and blocking of the site.

November 2024. About 16 million customer records of HDFC Life Insurance were accessed by an unauthorised actor with mala fide intent. The insurer obtained an injunction from the Bombay High Court to prevent disclosure.

August 2024. More than 31 million customers of Star Health and Allied Insurance were affected by a cyberattack. In July 2025, the IRDAI imposed an INR33 million (USD363,000) penalty for violations of its cybersecurity guidelines.

Tata AIG (in March 2025) and LIC (in September 2025) also faced data breach incidents involving sensitive personal and policy information, exposing the recurring risk across the sector.

While the IRDAI has exercised its regulatory powers to issue directions and impose penalties, its role is sectoral and institutional in nature, and it has no mechanism for directly addressing individual grievances related to data breaches.

The DPDP Act addresses this gap, creating a centralised, rights-based framework that empowers individuals and enforces statutory obligations on entities for the protection of data.

DPDP, IRDAI intersections

The IRDAI remains a sectoral regulator concerned with the insurance industry’s growth, operational stability and compliance. The DPDP, in contrast, transcends sectors and imposes overlapping statutory compliances and duties that go beyond operational governance. Some of the key areas of overlap and divergence are highlighted below.

Consent for data processing. The IRDAI requires consent in specific scenarios, for instance, during policy issuance, know your customer (KYC) processes, or for third-party data sharing, but provides little guidance on how consent should be captured, documented or revoked, and does not strictly determine the means of processing it.

The DPDP mandates explicit, informed and specific consent, including mechanisms for revocation of such consent by individuals to whom the data belongs. For minors and persons with disabilities, consent must be obtained from lawful guardians, and entities are responsible for maintaining evidence to support this consent being verified by a lawful guardian.

Breach reporting. The IRDAI requires cybersecurity incidents to be reported to the regulator but does not require notification of affected policyholders, or prescribe any mechanism thereafter. The rules introduce a dual obligation, requiring breach reporting to the Data Protection Authority as well as to the individuals whose data is compromised, in addition to the creation of a plan of action for rectification of the situation.

Data minimisation and purpose limitation. The IRDAI requires secure storage of data but leaves collection and processing decisions to insurance market players. The DPDP requires the collection of only necessary data, processing solely for specific purposes and forbids secondary use without fresh consent.

Therefore, when an entity collects personal data for the purpose of selling a product, it may request only the information that is strictly necessary to facilitate that transaction. Any additional data for marketing, cross-selling or other purposes cannot be collected without obtaining fresh, specific consent from the individual.

Rights of individuals. The regulator focuses on institutional compliance and does not grant direct enforceable rights to policyholders regarding their data. The rules empower individuals to access, correct, erase or port their data, with binding compliance timelines for data fiduciary entities.

Third-party or vendor oversight. The IRDAI mandates vendor audits and information security risk assessments. The DPDP makes entities legally accountable for all the actions of such vendors acting as data processors: the data fiduciary handling personal data must ensure data security not just at its own level, but also at the level of every third party it deploys in providing its services.

Retention and deletion of data. The DPDP follows a purpose-based retention model, requiring deletion once the purpose is fulfilled or consent is withdrawn, unless longer retention is legally mandated. The IRDAI, however, requires retention of certain records for 10 years, creating a scenario where insurance market players must reconcile regulatory retention requirements with DPDP obligations, while also making it clear that sectoral laws override the DPDP in such instances.

Grievance redressal. The IRDAI expects insurance market players to maintain internal grievance mechanisms and appoint a chief information security officer for cybersecurity oversight. The DPDP mandates a grievance redressal officer or data protection officer (DPO) (applicable to significant data fiduciaries or SDFs) and allows individuals to escalate unresolved complaints to the Data Protection Board, establishing a statutory avenue for the enforcement of individual rights.

Insurance as SDFs

Insurance sector entities including insurers, intermediaries, brokers, web aggregators, third-party administrators and agents handle vast categories of personal data: identity, financial, health, biometric, family, income, location and more. Under the DPDP, entities processing high-risk or voluminous personal data will likely be designated as SDFs, making it likely that either the insurance industry itself or certain players within it will be notified as SDFs.

The insurance industry may appear relatively well prepared to comply with the DPDP, given the IRDAI’s longstanding focus on cybersecurity and policyholder protection. However, the DPDP introduces new obligations, particularly for SDFs, including the appointment of a DPO, periodic data protection impact assessments, annual data audits, reporting to the Data Protection Board, and ensuring that technical systems, algorithms and processing tools do not infringe the rights of data principals.

Non-compliance carries hefty consequences, both financial and reputational, which may impact business continuity in a trust-driven sector. The DPDP Act establishes an unprecedented penalty framework: up to INR2.5 billion for failure to fulfil data fiduciary obligations; up to INR2 billion for failure to notify the Data Protection Board and affected individuals of a breach; up to INR2 billion for breaches involving children’s data; up to an additional INR1.5 billion for violations of SDF-specific obligations; and up to INR500 million for other violations.

These provisions make clear that, under the DPDP, data protection is no longer just a compliance exercise but a core legal responsibility with material consequences.

For IRDAI-regulated entities, this necessitates a re-evaluation of business continuity and operational risk strategies. The DPDP effectively shifts data protection from a sectoral compliance exercise to a statutory obligation that empowers individuals and enforces clear accountability.

Impact

The convergence of the DPDP and the IRDAI regulations presents an unavoidable challenge for the insurance industry. Insurers, intermediaries and stakeholders will need to strengthen governance frameworks, upgrade technology systems, overhaul consent processes, strengthen breach response protocols, expand grievance mechanisms and monitor third-party vendors. These changes bring higher compliance costs, resource-intensive hiring, ongoing audits, and a shift from a compliance-driven to a risk and rights-driven approach.

The good news is that the industry already has a strong baseline. Success under the DPDP will go to those who implement the act systematically and responsibly, demonstrating proactive, pre-breach measures and adherence to both the letter and spirit of the law. Those who cut corners may manage short-term gains, but the DPDP is designed to set the standard for long-term accountability and trust.

Shatakshi Komal is an associate director for legal and compliance, and Suvrat Bahuguna is a senior manager for legal and risk at InsuranceDekho.
