Data Privacy and the DPDP Act: Implications for Indian Insurance Operations

How the Digital Personal Data Protection Act 2023 reshapes data collection, consent, retention, and cross-border transfers for Indian insurance companies: with practical compliance steps for underwriting, claims, and reinsurance operations.

Tarun Kumar Singh, Strategic Risk & Compliance Specialist (AIII · CRICP · CIAFP)

Tags: data-privacy, dpdp-act, irdai, compliance, cyber-insurance, underwriting, india

Last reviewed: April 2026

The DPDP Act 2023: Why Indian Insurers Cannot Afford to Ignore It

The Digital Personal Data Protection Act, 2023 (DPDP Act) received presidential assent on 11 August 2023 and represents India's first wide-ranging legislation governing the processing of digital personal data. For Indian insurance companies, both life and non-life, the implications are sweeping because insurance is inherently a data-intensive business. Every proposal form, every health declaration, every claims investigation, and every reinsurance placement involves the collection, storage, and sharing of personal data.

The DPDP Act introduces a rights-based framework built around the concept of a Data Principal (the individual whose data is processed) and a Data Fiduciary (the entity that determines the purpose and means of processing). Indian insurers, whether public sector undertakings like New India Assurance or private players like ICICI Lombard, are classified as Data Fiduciaries under the Act. This classification triggers a cascade of obligations: lawful consent, purpose limitation, data minimisation, storage limitation, and accountability.

What makes the DPDP Act particularly significant for insurers is its interplay with existing sectoral regulation. IRDAI already governs data handling through various circulars, including the IRDAI (Protection of Policyholders' Interests) Regulations, 2017 and the more recent data governance guidelines issued in 2024. The DPDP Act does not replace these sectoral norms but adds a horizontal layer of data protection obligations on top. Insurers must now comply with both regimes simultaneously, and any conflict between them will need resolution through the rules that the Central Government is yet to notify under Section 40 of the Act.

The penalties are substantial. Section 33, read with the Schedule to the Act, allows the Data Protection Board to impose penalties of up to INR 250 crore for failure to take reasonable security safeguards to prevent a personal data breach, and up to INR 200 crore for failure to notify the Board and affected Data Principals of a breach. For an industry already operating on thin combined ratios, a penalty of this magnitude could materially impact an insurer's solvency position.

Consent Mechanisms: Rethinking How Insurers Collect Proposal Data

Section 4 of the DPDP Act allows personal data to be processed only for a lawful purpose and only on one of two grounds: the Data Principal's consent (Section 6) or one of the enumerated 'legitimate uses' in Section 7. Section 6(1) sets the consent standard: consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. This standard is significantly higher than the vague consent clauses historically embedded in Indian insurance proposal forms.

Consider a standard commercial property insurance proposal. The proposer provides details about the business, turnover, employee count, premises address, fire protection systems, alongside personal data of the proprietor or directors: names, PAN numbers, Aadhaar-linked KYC documents, contact details, and sometimes financial statements. Under the DPDP Act, the insurer must present a notice (Section 5) in clear and plain language, specifying the exact purposes for which each category of data will be processed, before collecting consent.

Blanket consent clauses (such as 'I consent to the processing of my data for insurance purposes and any other lawful purpose') will almost certainly not meet the specificity standard under the Act. Insurers will need to redesign consent flows to be granular: one consent for underwriting assessment, another for claims processing, a separate consent for sharing data with reinsurers, and yet another for marketing communications. This is operationally complex but legally necessary.

The Act also grants Data Principals the right to withdraw consent at any time under Section 6(4), and the ease of withdrawing must be comparable to the ease of giving it. For insurers, this creates a practical challenge: if a policyholder withdraws consent for data processing mid-policy, can the insurer continue to administer the policy? Section 6(6) requires the Data Fiduciary to cease processing within a reasonable time after withdrawal unless continued processing without consent is required or authorised under the Act, the rules or any other law, and Section 8(7) permits retention only where necessary for compliance with a law in force. Unlike the GDPR, the DPDP Act has no free-standing 'performance of a contract' ground; the nearest fit among the Section 7 legitimate uses is clause (a), which covers data the Data Principal voluntarily provided for a specified purpose without indicating non-consent, and a withdrawal is plainly such an indication. The boundaries are not yet tested, so insurers should prepare for scenarios where consent withdrawal triggers policy administration complications and should document in advance the legal basis (for example, IRDAI record-keeping requirements) for any processing they intend to continue.

For digital-first insurers and InsurTech platforms that collect data through mobile apps and web portals, the consent architecture must be embedded into the user interface with opt-in mechanisms, not pre-ticked checkboxes. IRDAI's push toward Bima Sugam, the proposed digital marketplace for insurance, will need to integrate DPDP-compliant consent management from the ground up.
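As an added example (not code from the page or from any insurer's platform), the following Python sketch shows what a purpose-scoped, opt-in consent ledger looks like when the consent architecture is pushed into the application layer: one consent per purpose, no consent by default (so a pre-ticked box cannot produce a grant), withdrawal as a first-class event, and a decision function that falls back to a documented legal basis only where the caller supplies one. The purpose names, the evidence strings and the `required_by_law` hook are illustrative assumptions, not anything the Act prescribes.

```python
"""Purpose-scoped consent ledger for an insurance proposal journey.

Added illustration only. Purpose names, evidence formats and the
`required_by_law` hook are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Iterable, List, Optional


class Purpose(str, Enum):
    # Illustrative granular purposes; a real form would list the insurer's own.
    UNDERWRITING = "underwriting"
    CLAIMS = "claims"
    REINSURANCE_SHARING = "reinsurance_sharing"
    MARKETING = "marketing"


@dataclass(frozen=True)
class ConsentEvent:
    purpose: Purpose
    granted: bool        # True = grant, False = withdrawal
    at: datetime
    evidence: str        # e.g. UI control id + session id proving a clear affirmative action


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str           # "consent", "required_by_law" or "none"
    reason: str


class ConsentLedger:
    """Append-only per-purpose consent history for one Data Principal."""

    def __init__(self, principal_id: str) -> None:
        self.principal_id = principal_id
        self._events = []  # type: List[ConsentEvent]

    def record(self, purpose: Purpose, granted: bool, evidence: str,
               at: Optional[datetime] = None) -> None:
        # A grant without evidence of an affirmative action (e.g. a pre-ticked
        # checkbox that the user never touched) is rejected outright.
        if granted and not evidence:
            raise ValueError("a grant requires evidence of an affirmative action")
        self._events.append(ConsentEvent(purpose, granted,
                                         at or datetime.now(timezone.utc), evidence))

    def status(self, purpose: Purpose, at: Optional[datetime] = None) -> bool:
        """Latest event for the purpose on or before `at` decides; no event = no consent."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events if e.purpose == purpose and e.at <= at]
        return relevant[-1].granted if relevant else False

    def history(self, purpose: Purpose) -> List[ConsentEvent]:
        return [e for e in self._events if e.purpose == purpose]


def may_process(ledger: ConsentLedger, purpose: Purpose,
                at: Optional[datetime] = None,
                required_by_law: Iterable[Purpose] = ()) -> Decision:
    """Decide whether processing for `purpose` is permitted at time `at`.

    Order of checks: (1) live consent for that purpose; (2) a purpose the
    caller has documented as required or authorised by another law, which is
    the only route left open after a withdrawal; otherwise refuse.
    """
    if ledger.status(purpose, at):
        return Decision(True, "consent", "live consent recorded for purpose")
    if purpose in set(required_by_law):
        return Decision(True, "required_by_law",
                        "no live consent; continuing under documented legal obligation")
    return Decision(False, "none", "no consent and no other lawful basis for this purpose")


def proposal_journey() -> dict:
    """Constructed walk-through: grant, refuse-by-default, withdraw, legal fallback."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger("P-0001")
    ledger.record(Purpose.UNDERWRITING, True, "chk_uw#sess-a1", at=t0)
    ledger.record(Purpose.REINSURANCE_SHARING, True, "chk_ri#sess-a1", at=t0)
    # Marketing box was never ticked: nothing is recorded, so the default is "no".
    ledger.record(Purpose.REINSURANCE_SHARING, False, "btn_withdraw_ri#sess-b7", at=t1)
    return {
        "marketing_at_t0": may_process(ledger, Purpose.MARKETING, t0),
        "underwriting_at_t0": may_process(ledger, Purpose.UNDERWRITING, t0),
        "reinsurance_at_t0": may_process(ledger, Purpose.REINSURANCE_SHARING, t0),
        "reinsurance_at_t1": may_process(ledger, Purpose.REINSURANCE_SHARING, t1),
        "claims_at_t1": may_process(ledger, Purpose.CLAIMS, t1,
                                    required_by_law={Purpose.CLAIMS}),
    }


if __name__ == "__main__":
    for name, decision in proposal_journey().items():
        print(f"{name:20s} allowed={decision.allowed!s:5s} basis={decision.basis}")
```

The point of evaluating `status` at a timestamp is that processing done before a withdrawal stays lawful (Section 6(5)) while the same query answered after the withdrawal fails closed; the ledger doubles as the audit trail a complaint before the Board would be decided on.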

Underwriting Data Processing: Purpose Limitation and Data Minimisation

Two foundational principles of the DPDP Act, purpose limitation and data minimisation (both built into Section 6(1), which ties consent to a specified purpose and to the personal data necessary for it, and into the notice requirement of Section 5), have direct implications for how underwriters assess risk. Purpose limitation means that personal data collected for underwriting a fire insurance policy cannot be repurposed for cross-selling a health insurance product without fresh consent. Data minimisation requires that insurers collect only the data that is necessary for the stated purpose.

In practice, Indian commercial insurers often collect more data than is strictly needed for the risk being underwritten. A commercial vehicle fleet policy proposal might request the personal health details of the fleet owner, which has no actuarial relevance to motor risk. Similarly, many general insurance proposals still collect religion and caste data (a legacy of older form templates) which is not only unnecessary for underwriting but could also trigger scrutiny under anti-discrimination norms read alongside the DPDP Act.

Underwriting teams will need to audit their data collection practices line by line. For each field on a proposal form, the question must be: is this data point necessary for the specific underwriting decision being made? If the answer is no, the field should be removed or made optional with a clear disclosure of why it is requested.

The DPDP Act also affects the use of third-party data enrichment, a growing practice among Indian insurers using AI-powered underwriting platforms. Augmenting proposal data with information from credit bureaus (CIBIL), government databases (MCA, GST Network), or open-source intelligence must comply with purpose limitation. The data sourced from third parties can only be used for the specific purpose disclosed to the Data Principal. If an insurer uses MCA financial data to assess a director's creditworthiness for underwriting a D&O policy, that data cannot later be used for fraud analytics unless a separate consent or lawful basis exists.

Sarvada's approach to AI-powered underwriting intelligence is designed with these constraints in mind: structuring data inputs to be purpose-specific and auditable, so that every data point used in a risk assessment can be traced back to a lawful basis for processing.

Claims Handling and Data Retention: Balancing Compliance with Operational Needs

Claims processing is arguably the most data-intensive function in any insurance company. A single commercial fire claim might involve personal data of the insured's directors, employees, witnesses, third-party claimants, surveyors, loss adjusters, forensic investigators, and legal counsel. Under the DPDP Act, the insurer is the Data Fiduciary for all of this data and must ensure lawful processing, adequate security, and timely deletion.

Section 8(7) of the DPDP Act requires Data Fiduciaries to erase personal data once the purpose for which it was collected has been fulfilled and retention is no longer necessary for that purpose or any legal obligation. This creates a direct tension with insurance industry practice, where claims files are routinely retained for decades — partly for actuarial analysis, partly for litigation defence, and partly because storage is cheap and deletion protocols are rarely enforced.

Insurers must now develop formal data retention schedules that specify, for each category of data, the retention period and the legal basis for retention. For claims data, the retention period must account for the Limitation Act, 1963, which prescribes a three-year limitation period for most claims on insurance policies, extendable in certain circumstances. For marine policies, the Marine Insurance Act, 1963 and the associated case law may justify longer retention. For product liability exposures under the Consumer Protection Act, 2019, the two-year complaint window in Section 69 runs from the date the cause of action arises, which may be years after the policy period, so retention must be keyed to the exposure rather than to the policy year.

The practical challenge is implementing automated data lifecycle management. Most Indian insurers still operate on legacy core systems where claims data is stored in monolithic databases without granular deletion capabilities. Complying with the DPDP Act's erasure requirements will require investment in data architecture: tagging personal data at the point of collection, associating it with a retention policy, and building automated workflows that trigger anonymisation or deletion when the retention period expires.

For surveyors and loss assessors governed by the IRDAI (Surveyors and Loss Assessors) Regulations, 2024, the retention obligations are layered. Surveyors must retain their reports for IRDAI inspection purposes while also complying with the DPDP Act's storage limitation principle. Insurers should include DPDP Act compliance clauses in their surveyor appointment agreements to ensure downstream accountability.

Cross-Border Data Transfers: Reinsurance, Lloyd's, and Data Localisation

Indian commercial insurers routinely transfer personal data across borders in the context of reinsurance placements, co-insurance arrangements with foreign partners, and claims involving multinational corporations. A large infrastructure project insured in India with Swiss Re or Munich Re as treaty reinsurers will involve the transfer of proposal data, risk survey reports, and claims documentation to entities outside India.

Section 16 of the DPDP Act permits the transfer of personal data outside India to any country that is not specifically restricted by the Central Government through notification. This is a departure from the earlier Personal Data Protection Bill, 2019, which had proposed strict data localisation requirements with mirroring obligations. The DPDP Act's approach is more permissive — the default is that cross-border transfer is allowed unless a country is blacklisted.

However, insurers should not assume this permissive stance will remain unchanged. The Central Government retains the power under Section 16(1) to restrict transfers to specific countries at any time, and the rules under Section 40 may impose additional conditions on cross-border transfers. Given the geopolitical sensitivity of data flows and the precedent set by the EU's adequacy decisions under GDPR, it is prudent for Indian insurers to build contractual safeguards into their reinsurance agreements now.

Practical steps include incorporating data protection clauses into all reinsurance treaties and facultative placement slips. These clauses should specify the types of personal data being transferred, the purpose of the transfer, the security standards expected of the reinsurer, and the reinsurer's obligations regarding data deletion after the treaty period. For Lloyd's market placements, brokers should be required to confirm that the data handling practices at the London end comply with both UK GDPR and the DPDP Act.

The Insurance Information Bureau of India (IIB) and GIC Re, as centralised data repositories for the Indian insurance market, also face cross-border data obligations. Any analytics or reinsurance pricing studies that involve personal data must be conducted within the DPDP Act's framework, even when the output is shared with international reinsurers for treaty pricing purposes.

For multinational corporations purchasing insurance in India, the DPDP Act adds a layer of complexity. If a US-headquartered company buys a commercial policy from an Indian insurer, the personal data of Indian employees included in the proposal (for group health or workmen's compensation) is subject to the DPDP Act, even though the parent company may be subject to different privacy regimes. Insurers must ensure that their data processing agreements account for this multi-jurisdictional overlay.

The Data Protection Board: Enforcement Powers and What Insurers Should Expect

The DPDP Act establishes the Data Protection Board of India (DPBI) under Section 18 as the primary adjudicatory body for data protection violations. Unlike IRDAI, which has broad regulatory and supervisory powers, the DPBI is designed as a quasi-judicial body that adjudicates complaints and imposes penalties. Its members are appointed by the Central Government, and it operates as a digital-first body with proceedings conducted primarily online.

For insurers, the DPBI's enforcement powers are consequential. Under Section 27(1)(b), the Board acts on complaints from Data Principals, who must first have exhausted the Data Fiduciary's own grievance redressal mechanism under Section 13. In the insurance context, this could include complaints about inadequate consent notices, unauthorised data sharing with marketing agencies, failure to honour data erasure requests, or insufficient security safeguards leading to a data breach.

The penalty framework in the Schedule, applied through Section 33, is tiered but severe. Failure to take reasonable security safeguards to prevent a personal data breach attracts a penalty of up to INR 250 crore. Failure to notify the Board and affected Data Principals of a breach can attract up to INR 200 crore. Non-compliance with obligations regarding children's data (relevant for insurers processing data of minor dependents in family floater policies) carries a penalty of up to INR 200 crore. Even general non-compliance with the Act's provisions can attract up to INR 50 crore.

These are maximum penalties, and the DPBI will likely adopt a proportionality approach based on the nature and severity of the violation, the number of Data Principals affected, and whether the Data Fiduciary took reasonable steps to mitigate the breach. However, even a fraction of the maximum penalty would be material for most Indian non-life insurers, many of whom operate with net profits in the INR 100-500 crore range.

Under Section 27 the DPBI can also direct urgent remedial or mitigation measures on receiving intimation of a personal data breach, and can issue such directions to any person as it considers necessary for discharging its functions. In principle a direction could require a Data Fiduciary to suspend a particular data processing activity or to overhaul its consent mechanisms; an insurer notified as a Significant Data Fiduciary under Section 10 must in any case appoint a Data Protection Officer based in India. For insurers, a direction to suspend data processing could temporarily halt underwriting or claims operations, making proactive compliance far more cost-effective than reactive remediation.

Insurers should monitor the DPBI's early enforcement actions once it becomes operational, as these will set precedents for how data protection obligations are interpreted in the insurance context. Building a working relationship with the DPBI, similar to how insurers engage with IRDAI, will be important for handling ambiguities in the Act's application to insurance-specific scenarios.

Bridging Data Privacy and Cyber Insurance: The Liability Nexus

The DPDP Act creates a direct nexus between data privacy compliance and cyber insurance. As Indian businesses face mandatory obligations under the Act (including security safeguards, breach notification, and potential penalties) the demand for cyber insurance products that cover DPDP Act-related liabilities is set to increase significantly.

From an underwriting perspective, cyber insurance policies must now account for DPDP Act-specific exposures. Key coverage areas include: first-party costs for breach notification to the DPBI and affected Data Principals (which can be substantial for insurers with millions of policyholders), legal defence costs before the DPBI, penalty coverage (subject to insurability debates: regulatory penalties are generally not insurable in India, but legal defence costs are), forensic investigation expenses, and business interruption arising from a DPBI direction to suspend data processing.

For Indian insurers writing cyber insurance policies, the DPDP Act also affects how they assess the risk of their insureds. A prospective cyber insurance buyer that has implemented DPDP-compliant consent mechanisms, data retention policies, encryption standards, and breach response plans presents a materially better risk than one that has not. Underwriters should incorporate DPDP Act compliance as a rating factor in their cyber insurance pricing models.

The IT Act, 2000, specifically Section 43A and the associated Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, already imposed some data protection obligations on body corporates, but the remedy was compensation to the affected person for negligent handling of sensitive personal data. Section 44 of the DPDP Act omits Section 43A once the Act is brought into force, and the DPDP Act's penalty framework is far more severe and its scope broader. Cyber insurance products designed around IT Act exposures will need to be updated to reflect DPDP Act liabilities.

Sectors most exposed to DPDP Act liability (and therefore most likely to seek cyber insurance) include IT services companies processing personal data on behalf of foreign clients, healthcare providers handling sensitive patient data, e-commerce platforms with large consumer databases, and financial services firms including banks and NBFCs. Indian insurers should develop sector-specific cyber insurance products that address the unique DPDP Act compliance challenges of each industry.

For insurers themselves, the question of self-insurance for DPDP Act liability is relevant. An insurance company that suffers a data breach affecting policyholder records faces a dual exposure: penalties from the DPBI and reputational damage that could trigger policy cancellations. Building sound internal data governance is both a regulatory obligation and a risk management imperative.

Building a DPDP Act Compliance Roadmap for Insurance Operations

Compliance with the DPDP Act is not a one-time project; it is an ongoing operational discipline. Indian insurers should adopt a phased roadmap that addresses the Act's requirements across the policy lifecycle: product design, distribution, underwriting, issuance, claims, and renewal.

Phase one involves a detailed data mapping exercise. Insurers must identify every touchpoint where personal data enters the organisation; proposal forms (paper and digital), agent submissions, Bima Sugam integrations, third-party data feeds, claims notifications, and surveyor reports. For each touchpoint, map the categories of personal data collected, the purpose of collection, the legal basis (consent or legitimate use), the storage location, the retention period, and the downstream recipients (reinsurers, TPAs, surveyors, IRDAI, IIB).

Phase two focuses on consent re-architecture. Existing proposal forms and digital journeys must be redesigned with DPDP-compliant consent notices. Work with legal counsel to draft purpose-specific consent language that is clear and in plain language as required by Section 5. For existing policyholders, a re-consent exercise may be necessary at renewal. This is logistically challenging but legally prudent.

Phase three addresses data security and breach response. Section 8(5) mandates reasonable security safeguards to protect personal data. Insurers should benchmark their information security practices against ISO 27001, the IRDAI Cyber Security Framework (circular dated 7 April 2023), and the CERT-In Directions of April 2022 which mandate six-hour breach notification to CERT-In. A DPDP Act-compliant breach response plan should include notification to the DPBI within the timeframe prescribed by the yet-to-be-notified rules, notification to affected Data Principals, forensic containment, and regulatory liaison.

Phase four involves vendor and partner governance. Insurers share data extensively with surveyors, TPAs, motor garages, hospitals, legal firms, and technology vendors. Under Section 8(1), the Data Fiduciary remains responsible for compliance irrespective of any agreement to the contrary, and Section 8(2) permits it to engage a Data Processor (a vendor processing data on the insurer's behalf) only under a valid contract. All vendor contracts must be updated with DPDP Act-specific data processing agreements covering purpose limitation, security obligations, sub-processing restrictions, and data deletion upon contract termination.

Phase five is training and culture. Underwriters, claims managers, agents, and support staff must understand their obligations under the DPDP Act. Data privacy cannot remain solely a legal and compliance function: it must be embedded into daily operations. Regular training sessions, updated standard operating procedures, and periodic audits will be necessary to sustain compliance.

The Central Government is yet to notify the rules under Section 40, which will fill in many operational details, including specific consent formats, breach notification timelines, and the process for cross-border transfer restrictions. Insurers should not wait for the rules. The Act's principles are clear, and early movers will have a significant advantage in building compliant processes before enforcement begins.

About the Author

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

Does the DPDP Act 2023 override IRDAI's existing data governance regulations for insurers?
No. The DPDP Act operates as a horizontal legislation that applies across all sectors, including insurance. It does not repeal or override IRDAI's sectoral regulations on data governance, policyholder protection, or cyber security. Indian insurers must comply with both frameworks simultaneously; the DPDP Act's consent and erasure obligations layer on top of IRDAI's existing data handling norms. Where conflicts arise, for example if IRDAI mandates retention of certain policyholder records for a period that conflicts with the DPDP Act's storage limitation principle, the rules under Section 40 of the DPDP Act are expected to provide a reconciliation mechanism. Until those rules are notified, insurers should adopt the more protective standard and document their rationale for retention decisions.
Can Indian insurers share policyholder data with reinsurers outside India under the DPDP Act?
Yes, currently. Section 16 of the DPDP Act permits cross-border transfer of personal data to any country not specifically restricted by the Central Government through notification. Since no country has been restricted as of early 2026, insurers can continue sharing policyholder and claims data with international reinsurers, including treaty and facultative placements with global reinsurers and Lloyd's syndicates. However, insurers should proactively include data protection clauses in reinsurance treaties and broker agreements specifying the categories of personal data transferred, the purpose of transfer, the security standards expected at the receiving end, and deletion obligations after the treaty period. The Central Government retains the power to restrict transfers to specific jurisdictions at any time, so building these contractual safeguards now is strongly advisable rather than waiting for restrictions to be imposed.
How should insurers handle a policyholder's request to erase their personal data under the DPDP Act?
Section 12 grants Data Principals the right to erasure, and Section 8(7) requires Data Fiduciaries to erase data once the processing purpose is fulfilled. However, insurers can retain data where required by law — for example, claims records needed for litigation under the Limitation Act 1963, or regulatory records mandated by IRDAI. The practical approach is to implement a tiered response: acknowledge the erasure request within the prescribed period, identify data that must be retained under legal obligations, erase all data not subject to a retention requirement, and inform the policyholder of what was retained and the legal basis for retention.
