What the DPDP Rules 2025 actually started
The Digital Personal Data Protection Act 2023 sat largely inoperative for two years because its substantive obligations depended on rules that had not been notified. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules 2025, converting a dormant statute into a live compliance programme for every organisation handling personal data, insurers, brokers and TPAs included.
The most important feature is that the obligations do not all switch on at once. The Rules phase the Act in over an eighteen-month window with three trigger points, so the task is to map each DPDP duty to the date it actually bites rather than treating 13 November as a single deadline.
The sector relevance is direct, because the industry runs on personal data: proposal forms, health declarations, claims medical records and KYC. An insurer, a broker and a TPA each processes large volumes of frequently sensitive data, and under the framework each is a Data Fiduciary for the data it determines the purpose and means of processing for, carrying the consent, notice, security, breach-notification and data-principal-rights obligations. The penalty exposure gives the timetable its weight: the Act provides for monetary penalties of up to Rs 250 crore for breaches, assessed by the Data Protection Board.
The three-stage clock: 13 Nov 2025, 13 Nov 2026, 13 May 2027
The Rules give the sector three dates to plan against, and getting the sequence right is the difference between an orderly programme and a scramble.
- Immediate, from 13 November 2025. The provisions establishing the Data Protection Board of India took effect on notification. The Board hears complaints, investigates breaches and imposes penalties of up to Rs 250 crore, so the enforcement body is in place well before the substantive duties become binding, a signal to use the runway.
- Twelve months, from 13 November 2026. The consent-manager provisions become effective. A consent manager is a registered entity, accountable to the Board, through which a data principal gives, manages and withdraws consent across fiduciaries. Insurers, brokers and TPAs that intend to interoperate with one need their consent-capture design ready by then.
- Eighteen months, from 13 May 2027. The remaining substantive obligations become effective: notice and consent, security safeguards, breach notification, retention and erasure, and the data-principal rights. From this date a fiduciary that fails is exposed to the Board's penalty jurisdiction.
The most demanding obligations land last but need the longest lead time, because notice redesign, consent re-architecture, retention schedules and breach workflows all touch core systems.
Insurers, brokers and TPAs as Data Fiduciaries
The framework allocates obligations by who decides the purpose and means of processing. That entity is the Data Fiduciary and carries the primary obligations; an entity that processes on a fiduciary's instructions is a Data Processor. In an insurance chain the roles are not always obvious, and getting them right decides who owes what.
An insurer is a Data Fiduciary for the policyholder and claimant data it underwrites and settles claims on. A TPA handling health claims may act as a processor for the insurer or as a fiduciary in its own right. A broker that collects proposal and KYC data, advises and arranges cover determines purposes of its own (advice, placement, servicing, record-keeping) and is therefore a Data Fiduciary for that processing, not merely a conduit.
A single insurance transaction can therefore involve several fiduciaries and processors at once. The contracts between insurer, broker and TPA have to allocate these roles explicitly, set processing instructions where one acts for another, and carry security and breach-notification obligations down the chain; a silent data-processing arrangement is itself a compliance gap. A fiduciary must process for a lawful purpose with consent or another lawful basis, give a clear notice, implement reasonable security safeguards, limit retention, enable rights, notify breaches and respond to the Board, with higher care for health data, so the proposal and claims journeys, the consent text, the retention schedules and the breach workflow all have to be rebuilt to a fiduciary standard across the chain.
Consent, notice, retention and data-principal rights operationally
The obligations that land at eighteen months carry most of the system and process work.
Consent and notice
Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and limited to the data the stated purpose needs, with a notice that explains the data, the purpose, the rights and how to complain. This ends the single broad consent buried in a proposal form: each purpose (underwriting, claims, marketing, sharing with a TPA or reinsurer) has to be presented so the data principal can decline a severable one, and one purpose cannot be bundled as a condition of another. Where a data principal uses a registered consent manager from the twelve-month stage, the fiduciary must interoperate with it.
Retention, erasure and rights
The fiduciary must not keep data longer than the purpose needs and must erase it once the purpose is served and no legal retention requirement applies. This collides with insurance reality, where IRDAI record-retention, claims-reserving, fraud investigation and litigation can justify long retention, so the task is a defensible retention schedule mapping each data category to its lawful basis and triggering erasure when none remains. The data-principal rights then need a workflow that can locate a person's data across systems and the broker and TPA chain. Breach notification to the Board and affected data principals is a standing obligation that can trigger at any time, has to be built as a detect-assess-notify workflow with clear ownership, and runs alongside the shorter IRDAI cyber-reporting clock, so an insurance entity faces two notification regimes for the same incident.
How DPDP intersects with the IRDAI cyber guidelines
An insurance entity does not face the DPDP regime in isolation. It also sits under the IRDAI Information and Cyber Security Guidelines issued on 6 April 2026, which overlap with DPDP on the points that matter during an incident: security safeguards and breach reporting. The IRDAI guidelines require a cyber incident to be reported to CERT-In within six hours of detection, with a copy to IRDAI, require 180-day rolling retention of ICT and application logs and CISO independence from the Head of IT, apply to insurers and to intermediaries and TPAs, and are aligned with the DPDP framework.
The practical intersection is that a single data-breach event can trigger three obligations at once: the six-hour CERT-In report, the copy to IRDAI, and the DPDP breach notification to the Board and affected data principals. These run on different clocks, and the six-hour CERT-In window is the tightest, so the incident runbook has to be built around the shortest clock and satisfy the others in sequence. The log requirement reinforces the point: the IRDAI 180-day rolling retention is what makes a breach investigable, and a credible DPDP breach assessment depends on those logs. Build the logging and incident-response capability once, to the stricter standard, and it discharges much of both.
The cyber and liability read-through, and what to do now
The DPDP timetable changes the cover an insurance entity should hold and sell to data-rich clients. The penalty of up to Rs 250 crore is a regulatory penalty and is generally not insurable, so a cyber policy will not pay it. What a cyber insurance policy funds is the response and liability around a data incident: incident-response and forensic costs, the legal cost of managing the regulatory process, notification costs, business interruption, and third-party liability where individuals or other parties claim arising from the breach. So cyber cover funds the response and the third-party tail, not the penalty, and clients should size their compliance investment, not treat insurance as a substitute. For brokers and TPAs, a DPDP failure can also surface as a professional indemnity exposure where a client alleges mishandled data, and at board level feed a management-liability or directors and officers claim. The priority on the clock is to map the fiduciary and processor roles and fix the contracts, build breach detection and the unified incident runbook first (an incident can occur before 13 May 2027 and the six-hour IRDAI clock already runs), redesign consent ahead of November 2026, and review the cyber, PI and management-liability programme.
Doing the insurance side well means comparing what each cyber and professional-indemnity wording grants against where the DPDP and IRDAI obligations put the real exposure, which is detailed wording work, not a premium comparison. Sarvada gives commercial insurance brokers and corporate risk teams structured, searchable access to insurer policy wordings, so cyber and professional-indemnity covers can be matched to a data-protection risk profile the DPDP Rules 2025 are reshaping. Request Access to bring that precision to your clients' data-protection conversations.