Introduction
India's current data protection regime is governed by the Information Technology Act 2000 ("IT Act"), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("SPDI Rules") issued under Section 43A of the IT Act. Section 43A of the IT Act and the SPDI Rules will, however, stand repealed once the Digital Personal Data Protection Act 2023 ("DPDP Act") and the recently notified Digital Personal Data Protection Rules 2025 ("DPDP Rules") are fully operational. The DPDP Act establishes a comprehensive framework governing the processing of personal data in India.
The Government of India has adopted a phased implementation approach through notifications under the DPDP Act. Based on notifications issued as of date, the framework is expected to be operationalised in stages, with early provisions relating to the constitution of the Data Protection Board of India coming into force first, followed over time by consent manager requirements and core compliance obligations.
Insurers face distinctive challenges in implementing the DPDP Act. The insurance business model relies on the continuous and often large-scale collection, use, and sharing of various types of personal data throughout the policy lifecycle. Insurers must therefore align their data processing activities with the DPDP Act, as well as IRDAI-specific requirements, which themselves mandate detailed disclosures, reporting, record-keeping, and data-sharing protocols. The interaction between the DPDP Act and the insurance regulatory framework will define how Insurers recalibrate their systems and operational processes. This article examines the impact of this new framework on the insurance industry.
Data Protection in the Insurance Industry
Across the policy lifecycle, the insurance ecosystem involves different insurance entities handling personal data at various stages, assuming distinct roles under the DPDP Act depending on the nature and purpose of the specific processing activity.
- Insurers - Data Fiduciaries: Insurers typically act as Data Fiduciaries1, determining the purposes and means of processing policyholder and insured data. This covers proposal intake, underwriting, policy issuance, servicing, and claims. As Data Fiduciaries, they must ensure valid consent, provide privacy notices, maintain security and retention standards, and operate grievance mechanisms.
- Insurance Intermediaries - Either Data Processors or Data Fiduciaries: In many operational contexts, intermediaries (such as corporate agents or TPAs) may function as Data Processors2 when processing data strictly on the Insurer's behalf. However, depending on the degree of autonomy and decision-making involved, they may also act as Data Fiduciaries. In such cases, they must issue their own privacy notices, maintain consent records, and comply with breach reporting requirements. Personal data breaches must be carefully assessed to identify the capacity in which the intermediary was acting at the time. For instance, if a broker was processing data solely on behalf of the Insurer, the Insurer, as the Data Fiduciary, ultimately bears responsibility for breach notifications and compliance consequences. Conversely, where the broker was acting as an independent Data Fiduciary, it would assume those obligations directly.
- Policyholders and Other Individuals - Data Principals: Policyholders (or proposers at the application stage) remain the Data Principals3 whose personal and financial information is processed for underwriting and claims. In practice, this extends beyond the primary insured to nominees, dependants, group members, claimants, and even unrelated third parties (such as victims in motor insurance claims), making insurance a high-volume, multi-Data Principal ecosystem.
These varied roles across the insurance ecosystem, combined with the data-intensive nature of insurance business, highlight the need for robust data governance processes. During this critical transition period, Insurers and intermediaries should review their processing activities, map data flows, and align systems and operations with the new compliance requirements.
Operational Considerations under the DPDP Framework for Insurance Entities
The upcoming changes will necessitate significant technology investments in infrastructure, IT systems, and automated workflows, as well as potentially additional personnel, to manage consent operations and data-governance functions. We set out below, more specifically, the operational changes Insurers can expect:
Changes to Digital Touchpoints for Policyholders
Given the centrality of consent under the DPDP framework, the accompanying notice requirements become especially significant for Insurers and intermediaries. For example, Section 5 of the DPDP Act requires requests for consent to be accompanied or preceded by a notice. Rule 3 of the DPDP Rules sets out specific requirements for the notice to be given by a Data Fiduciary to a Data Principal, including that the notice must be presented and understandable independently of other information, provide clear and plain-language details of the personal data and purposes for which consent is sought, and include accessible links or mechanisms for withdrawing consent, exercising rights under the DPDP Act, and making complaints to the Data Protection Board of India. In light of these requirements, industry discussions have recently concerned the following:
- Insurers must review all digital touchpoints, such as websites, mobile applications, and online customer portals, to ensure that privacy notices are independently presented, clear and accurate, and provide a means for consent withdrawal and exercising of customer rights under the DPDP Act.
- In addition, Insurers and intermediaries are expected to assess their cookie collection practices, including tracking and analytics tools. Entities may configure their websites so that cookies and other collected data are fully anonymised or aggregated before use, placing that data outside the DPDP Act's scope. This only holds where the individual is no longer identifiable from the data, whether alone or in combination with other information the entity or its vendors hold; pseudonymised identifiers that can still be linked back to a policyholder remain personal data.
- Further, Insurers are already reviewing their online marketing and lead-generation activities to ensure that valid consent is sought and appropriate notices are given where personal data is collected or solicitation is undertaken.
Treatment of Legacy Data
Insurers will also need to address personal data collected prior to the commencement of the DPDP Act. Section 5(2) of the DPDP Act requires Data Fiduciaries to provide notice to Data Principals whose personal data was processed based on consent given before commencement, informing them of the data processed, purposes, and means to exercise their rights. Insurers with large legacy databases, particularly those containing historical claims and underwriting records, will need to implement processes to identify such data and issue compliant notices, while continuing to process data until and unless consent is withdrawn.
Policy Documentation Changes
The DPDP framework gives Data Principals significant control over how their personal data is managed, processed, and retained, including the right to withdraw consent as easily as it was given. For example, Section 12(1) of the DPDP Act gives Data Principals the right to request deletion of their personal data. In light of these requirements, we expect to see the following from an insurance perspective:
- Insurers may need to evaluate how consent withdrawal and erasure rights under the DPDP Act interact with their continuing performance of an insurance contract. While blanket termination clauses may raise regulatory concerns, Insurers may consider clarifying the operational consequences where essential data processing is no longer permissible. Further, since the required consent must be clear, specific, and affirmative, Insurers will need to decide how consent is captured at proposal stage, and Indian policies may see more explicit consent requirements incorporated directly into their terms.
- We may also see privacy notices incorporate tighter clauses on disclosure, containing clear, purpose-based disclosures identifying categories of recipients, since Insurers are prohibited from inserting any clause in a proposal form which by default allows the Insurer to share policyholder information to any third party4.
- Since Section 9 of the DPDP Act requires verifiable parental consent for processing a child's personal data, Insurers, for example when issuing health insurance on a family-floater basis that covers a minor, may need to implement additional measures or request additional documentary evidence to confirm that the individual providing consent is indeed the child's parent and is identifiable for compliance purposes.
Policy Servicing and Grievance Redressal Changes
The DPDP framework will also affect the grievance redressal practices of Insurers. For example, Section 8(10) of the DPDP Act, read with Rule 14(3) of the DPDP Rules, requires Data Fiduciaries to establish effective mechanisms for grievance redressal, requiring grievances to be resolved within a reasonable time, not exceeding 90 days. In light of these requirements, we expect to see the following from an insurance perspective:
- Insurers are already required to maintain a grievance redressal mechanism for policyholders under the IRDAI framework5. Insurers may need to update this to specifically address data protection issues, and update websites and communication templates accordingly, so that policyholders have a clear and accessible means for withdrawing consent and exercising their rights under the DPDP Act.
- It is also yet to be seen whether data protection grievances will be classified as "Complaints" under the IRDAI framework, and accordingly how Insurers will reconcile the timelines prescribed under the IRDAI grievance framework6 with the longer 90-day timeline under the DPDP Rules, particularly where the same issue may give rise to parallel obligations.
- Further, a Data Protection Officer ("DPO") must be appointed by SDFs to oversee compliance, handle grievances, and serve as the point of contact for data protection matters, while every Data Fiduciary must publish the business contact information of its DPO or of a person able to answer Data Principals' questions about the processing of their personal data7. We may see the Grievance Redressal Officer of Insurers assume this role concurrently.
- On 25 November 2025, the Ministry of Finance released the Draft Insurance Ombudsman (Amendment) Rules 2025, proposing significant digitisation of the Ombudsman complaints platform, including Aadhaar-enabled authentication. In the absence of specific guidance on how Aadhaar-linked data is collected by the platform and shared with Insurers, Insurers will need to assess data retention, access controls, localisation, and onward disclosure risks, and ensure that their technology and outsourcing arrangements are aligned with the DPDP Act to avoid inadvertent non-compliance. To read more about the proposed changes to the Insurance Ombudsman Rules 2017, please see our article published here.
Implementation of Reasonable Security Measures
The DPDP framework's emphasis on data security and breach prevention is expected to change how Insurers safeguard personal data. For example, Rule 6 of the DPDP Rules requires certain reasonable security safeguards at a minimum, which include encryption, obfuscation, and controlling access to computer resources. As a further required security measure, the DPDP Rules will also require Insurers to insert appropriate contractual provisions in contracts between Data Fiduciaries and Data Processors, requiring reasonable security safeguards to be taken8. In light of these requirements, we expect to see the following from an insurance perspective:
- Insurers are expected to update (and invest in) their current security infrastructure in order to comply with the parallel and overlapping security requirements under the DPDP Rules. Further, Insurers and intermediaries will need to harmonise these requirements with the storage and labelling requirements they are already subject to under the IRDAI Information and Cyber Security Guidelines 2023 ("IRDAI Cyber Guidelines").
- Since Data Fiduciaries are responsible for ensuring that the Data Processors they engage comply with the DPDP framework9, Insurers will need to contractually ensure that these various Data Processors, such as insurance intermediaries, surveyors, vendors, or TPAs, process policyholder data in a compliant manner. Insurers will similarly need to harmonise their practices in this regard with existing requirements under the IRDAI Cyber Guidelines on vendor management. We may also see Insurers implement indemnity rights to recover a portion of losses incurred as a result of a Data Processor's fault leading to a personal data breach.
Personal Data Breach Reporting Mechanisms
The DPDP framework's strict breach-notification obligations will likewise affect how Insurers manage and respond to personal data incidents. For example, Rule 7 of the DPDP Rules requires Data Fiduciaries to immediately report any personal data breach, in considerable detail, to both the Data Protection Board of India and the affected Data Principals. In light of these requirements, we expect to see the following from an insurance perspective:
- Insurers will need to implement systems and processes that enable timely reporting, particularly in relation to describing the nature of the incident and the mitigation measures taken. Since this obligation applies even in the case of minor data leaks, the compliance trigger is broad, and Insurers will need to remain highly vigilant.
- Insurers and intermediaries will need to align DPDP reporting obligations with the requirements under the IRDAI Cyber Guidelines, which mandate reporting of cyber incidents (including data breaches) to the IRDAI within six hours10.
- Additional governance structures may also emerge for larger players, such as a dedicated sub-committee within the Information Security and Risk Management Committee, to specifically address data breach concerns and other related matters.
Broader Considerations under the DPDP Framework for Insurance Entities
Apart from operational changes, the DPDP framework also introduces broader implications that may re-shape how Insurers and intermediaries structure their operations. We have set out some of these below:
Cross-Border Data Transfers
The DPDP Act and DPDP Rules have extraterritorial applicability11, meaning they apply not only to entities operating within India but also to overseas entities processing personal data in connection with offering goods or services to individuals in India. This brings foreign entities such as overseas Insurers, Cross Border Reinsurers, MGAs and foreign brokers within the scope of the DPDP Act if they handle personal data of Indian residents. The DPDP Rules also empower the Indian Government to impose restrictions on cross-border data transfers12, which could restrict Insurers from sharing data with entities in certain countries and may therefore affect certain cross-border placements or outsourcing arrangements.
Significant Data Fiduciary Obligations
The Government may designate certain entities as Significant Data Fiduciaries ("SDFs") based on factors such as the volume and sensitivity of personal data processed, and potential impact on national security13. While Insurers have not yet been notified as SDFs, the scale and sensitivity of insurance data make future categorisation possible. SDFs face additional obligations, including mandatory Data Protection Impact Assessments and annual audits14.
Data Protection Board of India
The DPDP Act also establishes the Data Protection Board of India as a dedicated enforcement body with powers to investigate, issue directions, and impose significant monetary penalties. The Board will function as a digital office, enabling streamlined techno-legal proceedings without requiring physical appearances15. For Insurers, this creates a dual compliance environment: obligations under both the IRDAI framework and the DPDP regime, with enforcement potentially from either authority. Penalties under the DPDP Act may reach up to Rs. 250 crore (approximately USD 27.9 million), depending on the nature and gravity of non-compliance.
Industry Observations and Emerging Trends
Beyond the immediate compliance requirements outlined above, the DPDP framework is also influencing broader strategic and operational trends across the insurance industry. We highlight below two significant areas of development.
Insurtech
The DPDP framework is likely to influence how insurtech companies design and operate their digital platforms. Many insurtech products rely on automated analytics, API-driven distribution, and swift digital onboarding, all of which involve ongoing personal data processing. With the new requirements, insurtechs will also need to reassess data flows, ensure algorithms use only data necessary for the stated purpose, and embed transparent consent and privacy mechanisms into customer journeys. This may affect product architecture, particularly in personalised pricing, behavioural underwriting, and automated claims processing. At the same time, the DPDP framework creates opportunities for insurtech providers to work with consent managers and support Insurers in meeting their data obligations.
Artificial Intelligence
More broadly, the insurance industry is rapidly adopting Artificial Intelligence ("AI") for underwriting, customer service, fraud detection, and data analysis. The recently issued "India AI Governance Guidelines" of 5 November 2025 take a facilitative, innovation-friendly approach, with minimal technical requirements for now, while positing that existing laws such as the DPDP Act may already address several AI-related risks. Regulators are, however, expected to identify gaps not covered by current frameworks. Recent measures, including the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules 2025 targeting deepfakes and content manipulation, show how regulators are beginning to respond to emerging risks. More prescriptive rules may yet be on the anvil, particularly for high-risk use cases, such as where AI-driven decisions may amplify biases and cause significant harm to policyholders.
Concluding Remarks
The notification of the DPDP Rules marks the final stage in operationalising India's first dedicated data protection regime. For Insurers, the key areas requiring immediate attention include: (a) mapping existing data flows and identifying processing activities requiring fresh or renewed consent; (b) updating digital touchpoints, policy documentation, and grievance mechanisms; (c) reviewing contractual arrangements with Data Processors to incorporate DPDP compliant security and indemnity provisions; and (d) harmonising DPDP obligations with existing IRDAI requirements, particularly under the IRDAI Cyber Guidelines.
Further clarity is expected as the Government notifies additional elements of the framework, including potential restrictions on international data transfers and the designation of certain entities as Significant Data Fiduciaries. Insurers processing high volumes of personal data should proactively assess whether additional SDF obligations may apply to them. The dual regulatory environment, with enforcement potentially triggered by both the Data Protection Board and IRDAI, will require a compliance strategy that addresses both data protection and insurance sector obligations.
Footnotes
1 §2(i) of the DPDP Act defines "Data Fiduciary" as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data".
2 §2(k) of the DPDP Act defines "Data Processor" as "any person who processes personal data on behalf of a Data Fiduciary".
3 §2(j) of the DPDP Act defines "Data Principal" as "the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf".
4 R15(3) of the IRDAI (Protection of Policyholders' Interests, Operations and Allied Matters of Insurers) Regulations 2024 prevents an Insurer from inserting any clause or condition in the proposal form which, by default, allows the Insurer to part or share policyholder's information to any third party.
5 R25 of the IRDAI (Protection of Policyholders' Interests, Operations and Allied Matters of Insurers) Regulations 2024 sets out the requirements for a grievance redressal procedure for insurers and distribution channels.
6 ¶2 under Section VI of Part A of the IRDAI Master Circular on Protection of Interests of Policyholders of 5 September 2024 (the same requirement applies to health and retail general insurance) states that the timeline for resolving complaints is 14 days.
7 §8(9) and §10(2) of the DPDP Act set out the requirements in relation to a DPO.
8 Rule 6(1)(f) of the DPDP Rules requires appropriate provisions in contracts entered into between a Data Fiduciary and a Data Processor for taking reasonable security safeguards.
9 §8(1) of the DPDP Act states that a Data Fiduciary shall be responsible for complying with the provisions of the DPDP Act and DPDP Rules in respect of any processing undertaken by it or on its behalf by a Data Processor.
10 ¶2.10(3.5) of the IRDAI Cyber Guidelines sets out the notification requirements for cyber incidents to Cert-In and the IRDAI.
11 §3(b) of the DPDP Act states that it applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
12 R15 of the DPDP Rules states that a Data Fiduciary may transfer personal data outside India, subject to such conditions and restrictions as may be specified by the Central Government by general or special order in relation to making such data available to any foreign State or entities under its control.
13 §10 of the DPDP Act empowers the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as a "Significant Data Fiduciary" based on specified criteria relating to the nature and impact of its data processing activities.
14 §10(2)(c) of the DPDP Act, read with R13 of the DPDP Rules set out the additional obligations applicable to SDFs.
15 §28 of the DPDP Act, read with R20 of the DPDP Rules, states that the Data Protection Board of India is to function as an independent body and shall, as far as practicable, function as a digital office.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.