2 May 2025

Understanding The Interplay Between Insurance And Data Protection In India

Tuli & Co

Tuli & Co is an insurance-driven commercial litigation and regulatory practice established in 2000. With offices in New Delhi and Mumbai, we undertake work for a cross section of the Indian and international insurance and reinsurance market and work closely alongside Kennedys' network of international offices.

Introduction

The Digital Personal Data Protection Act 2023 ("DPDP Act") read with the Draft Digital Personal Data Protection Rules 2025 ("Draft Rules") is expected to set out a comprehensive framework for the processing of personal data in India[1]. Various aspects of this framework, including privacy notices, consent management, and regulatory oversight through the establishment of the Data Protection Board of India ("Board"), are expected to bring significant implications for the insurance sector.

Insurers face unique challenges in implementing the DPDP Act due to the inherently data-intensive nature of their business model. It involves extensive collection, processing, and sharing of highly sensitive personal data of policyholders across the entire customer lifecycle, from underwriting to claims settlement, while simultaneously complying with sector-specific regulations mandated by the IRDAI. Thus, the interplay between the DPDP Act and the insurance regulatory framework will be crucial in determining how insurers adapt to the evolving data protection landscape. This article examines how the DPDP Act and its Draft Rules will impact the insurance industry, highlighting key compliance challenges and operational considerations.

Data Processing in the Insurance Sector

Types of Data Collected

Insurers and insurance intermediaries collect various categories of personal data to assess risks, determine premiums, process claims, and comply with regulatory requirements. Some key data types include:

  • Personal Identifiable Information: Name, date of birth, address, contact details, and Aadhaar/PAN for KYC compliance.
  • Financial Data: Bank details, income information, credit history, and payment records for premium collection and claims disbursement.
  • Health and Medical Data: Medical history, diagnostic reports, and hospital records for health and life insurance underwriting and claims processing.
  • Risk Profile Data: Lifestyle habits (eg smoking and alcohol consumption), occupation details, and driving behaviour (for motor insurance).
  • Claims and Policy History: Previous insurance claims, policy renewals, and past rejections to assess insurability.
  • Biometric Data: Fingerprints or facial recognition may also be used during digital onboarding processes.

Given the extensive range of data collected by insurers, it is important that they ensure compliance with India's data protection framework. The DPDP Act prescribes penalties for violations of its provisions, which extend to ₹250 crore (c. $28,590,000)[2].

Key Stakeholders

The insurance ecosystem involves multiple stakeholders handling personal data at different stages of the policy lifecycle. These include:

  • Insurers – Data Fiduciaries: Insurers typically act as Data Fiduciaries under the DPDP Act, determining how and why personal data is collected and processed[3]. They must obtain explicit consent from Data Principals (ie policyholders and insureds) before processing their personal data. Further, insurers are responsible for implementing data security measures, retention policies, and grievance redressal mechanisms.
  • Insurance Intermediaries – Data Processors (or even Data Fiduciaries): Various insurance intermediaries process personal data on behalf of insurers and therefore act as Data Processors[4]. For example, corporate agents collect and process policyholder data to facilitate policy sales, while third-party administrators process health insurance claims and handle sensitive medical data. However, in some cases, such insurance intermediaries may have an existing clientele to which insurance is cross-sold, and they could also be classified as Data Fiduciaries. Insurance brokers act on behalf of policyholders, and represent them before insurers, independently deciding how and why customer data is processed (such as for profiling customers to offer personalised insurance solutions), and thus are likely to be viewed as Data Fiduciaries as well.
  • Policyholders – Data Principals: The policyholder (or proposer, if at the proposal stage) acts as the Data Principal, providing personal and financial information for underwriting and risk assessment. Other insureds, group insurance members, nominees, legal heirs, assignees and claimants (even unrelated third parties, as widely seen in motor insurance) could also be Data Principals in the insurance context. This is particularly relevant in cases of retail insurance, which extensively involves the personal data of individuals[5].

This fluidity in roles means that insurance entities must carefully assess their position in each processing activity to determine whether they are acting as a Data Fiduciary or a Data Processor and ensure that they adhere to the appropriate compliance requirements under the DPDP Act.

Impact on Insurance Operations and Compliance Challenges

The DPDP Act introduces a comprehensive framework governing the collection, processing, and storage of personal data in India. Given the data-intensive nature of the insurance sector, compliance with the framework will require insurers, intermediaries, and service providers to reassess their data governance practices, as illustrated below:

Procedural Changes

  • Proposal and application forms: Insurers will need to update their forms to ensure they provide clear, concise, and transparent notices regarding the collection, use, and processing of personal data, in line with the DPDP Act's consent requirements. Further, insurers will need to rethink their privacy practices to align with the DPDP Act, ensuring that they are transparent and include details about data usage, retention, rights of policyholders and grievance redressal mechanisms[6]. Proposal forms/policy documents may also see clauses stating that the policy will be automatically terminated and rights thereunder forfeited if the policyholder chooses to withdraw their consent or request erasure of their data.
  • Contracts with Intermediaries: Insurers will need to contractually ensure that the various Data Processors they engage, such as insurance intermediaries, surveyors, vendors, or TPAs, process policyholder data in compliance with the data protection framework. The Draft Rules will also require insurers to insert contractual provisions requiring contracting parties to implement reasonable security safeguards to protect data and curb data breaches[7].
  • Grievance Redressal: Insurers are required to maintain a grievance redressal mechanism for policyholders under the IRDAI framework[8]. Insurers may need to update this to specifically address data protection issues[9]. Further, a Data Protection Officer ("DPO") is required to be appointed by the insurer to oversee compliance, handle grievances, and serve as the point of contact for data protection matters[10].
  • Process flows: Insurers will need to update their technology and overall process flows to ensure that there are effective systems in place for managing consent of policyholders, displaying information about data rights on the website, and establishing robust breach reporting mechanisms.
  • Security Standards: Insurers may need to update and invest in their current security infrastructure in order to prevent data breaches and incorporate more stringent security practices for encryption of their data and backup copies[11] to avoid regulatory fines[12].

Harmonisation with IRDAI's Cyber Security Guidelines

The Information and Cyber Security Guidelines 2023 ("Cyber Guidelines") are an iteration of the IRDAI's cyber security norms first introduced for the insurance sector in 2017 to strengthen data protection and cybersecurity measures. These Cyber Guidelines set out detailed security requirements for insurers to safeguard policyholder data and exist in parallel to the DPDP Act. As a result, insurers will be required to comply with dual regulatory standards, leading to increased compliance obligations as well as potentially conflicting stipulations.

The Cyber Guidelines closely follow the previous data protection regime, and require data to be mapped as personal data, sensitive personal data[13], and other categories. For sensitive personal data, such as financial details and health records, they also mandate additional safeguards for processing, including additional storage, transfer and tracking requirements[14]. Consequently, insurers may still need to differentiate between these categories of data internally, and apply distinct processing measures, adding to their compliance burden. Such differing compliance standards may eventually require express clarifications from the IRDAI or the Board.

Even in terms of breach reporting, the Cyber Guidelines require insurers to report cyber incidents (which include data breaches) to the IRDAI within six hours[15], whereas the Draft Rules require insurers to report data breaches to the Board within 72 hours[16]. Additionally, insurers will be subject to dual regulatory oversight. Compliance failures, such as data breaches or security lapses, may attract separate enforcement actions and penalties from both the IRDAI and the Board.

Data Retention

The DPDP Act gives Data Principals significant control over how their data is processed and retained. Policyholders thus have the right to ask insurers to delete their data[17]. However, insurers are mandated to retain certain records under the IRDAI regulatory framework, such as records of every policy issued and every claim made[18]. Insurers are also required to maintain identity verification details for KYC and AML compliance[19]. While the DPDP Act permits the retention of personal data if necessary for compliance with any law, insurers will need to be mindful of the types of data they are required to retain under the IRDAI regulatory framework compared to the data they may erase on policyholder request.

Cross-Border Data Transfers

The DPDP Act and Draft Rules have extraterritorial applicability[20], meaning they apply not only to entities operating within India but also to overseas entities processing personal data in connection with offering goods or services to individuals in India. This brings foreign entities such as overseas insurers, cross-border reinsurers, MGAs and brokers within the scope of the DPDP Act if they handle personal data of Indian residents. The Draft Rules also empower the Indian Government to impose restrictions on cross-border data transfers[21], which for example could restrict insurers from sharing data with entities in certain countries.

Artificial Intelligence

The insurance industry is seeing a rise in the adoption of Artificial Intelligence ("AI") and insurers are seeking ways to incorporate AI in their various operations. For example, insurers are using AI tools to assist in analysing large data sets for underwriting purposes, customer service, and fraud detection. Given the vast amounts of sensitive personal and financial data that insurers handle, insurers may be subject to stricter compliance and cybersecurity standards under upcoming AI governance laws in India[22]. To read more about the proposed regulation of AI in India and its impact on the insurance market, please see our article published here.

Cyber Insurance Business

The DPDP Act and Draft Rules introduce specific thresholds and security measures that Data Fiduciaries, such as insurers, must adhere to when processing personal data. This creates a unique challenge for the cyber insurance market, where underwriting typically relies on the insurer's proprietary risk assessment frameworks and security standards. Insurers offering cyber coverage now face a potential misalignment: their policy terms may require security measures that differ from or fall short of DPDP Act requirements, creating coverage gaps and compliance confusion for policyholders. This could lead to scenarios where a policyholder believes they have adequate coverage but faces claim denials if a data breach occurs while they are compliant with policy terms but not with statutory requirements.

To address these challenges, insurers will need to revise policy wordings to reference DPDP Act standards explicitly, update security requirements in underwriting processes, and potentially introduce new endorsements that clarify coverage in relation to data protection compliance.

Significant Data Fiduciaries

Significant Data Fiduciaries ("SDFs") are a certain category of entities identified by the Government based on factors like data volume, sensitivity, and potential impact on national security[23]. Although not currently notified as such by the Government, it is possible that insurers could be bucketed into this category due to the significant volume of policyholders' sensitive data that they process. Such categorisation may mean additional compliance obligations, such as a requirement to conduct a Data Protection Impact Assessment and a comprehensive audit once every year[24].

Concluding Remarks

In addition to marking a significant shift in India's data protection landscape, the DPDP Act has wide implications for the insurance sector. As insurers handle vast amounts of personal data, any operational and technological adjustments made to align with the DPDP Act would also need to align with the existing IRDAI regulatory framework. This necessitates a careful examination of the interplay between the two regimes across various functions.

For instance, insurers must implement systems to manage granular consent, which may necessitate updating policy documents to address implications such as policy termination upon consent withdrawal or data erasure requests, a point of intersection between data rights and contractual obligations. The requirement to handle Data Principal requests for access, correction, or erasure may necessitate updates to the IRDAI-mandated grievance redressal mechanisms to specifically address data protection concerns within defined timelines. Similarly, while the DPDP Act introduces a right to data erasure, data retention practices must be reviewed to balance this with IRDAI regulations that mandate retention for specific purposes like policy and claim records. Policyholder-facing documentation, such as proposal forms and privacy policies, must be updated to incorporate clear, plain-language notices about data processing and Data Principal rights, reflecting the DPDP Act's transparency requirements while also adhering to any IRDAI-prescribed standards. Furthermore, strengthening security measures and technological infrastructure requires alignment not just with the DPDP Act's reasonable safeguards but also with the detailed and extensive requirements of the IRDAI's Cyber Guidelines, covering areas like data loss prevention, access controls, risk assessments, and incident response. Finally, contracts with third parties, including intermediaries and reinsurers, must be updated to ensure their data processing and security practices comply with the DPDP Act and potentially align with IRDAI norms on outsourcing or data sharing, recognising that ultimate liability under the DPDP Act potentially rests with the insurer.

Apart from any additional compliance obligations that may apply if insurers are notified as falling within the SDF category, these various coordinated changes may be essential to avoid regulatory scrutiny from both the Board and the IRDAI.

Footnotes

[1] The DPDP Act applies to all personal data processed in digital form within India, as well as to entities outside India that process such data in connection with offering goods or services to individuals in India. While certain exemptions exist, such as data processed for personal use or publicly available information, the DPDP Act imposes strict compliance obligations on businesses.

[2] The Schedule of the DPDP Act.

[3] §2(i) of the DPDP Act.

[4] §2(k) of the DPDP Act.

[5] §2(j) of the DPDP Act.

[6] §5 of the DPDP Act.

[7] R6(f) of the Draft Rules.

[8] R25 of the IRDAI (Protection of Policyholders' Interests, Operations and Allied Matters of Insurers) Regulations 2024.

[9] §8(10) of the DPDP Act.

[10] §8(9) of the DPDP Act.

[11] §8(5) of the DPDP Act, read with R6 of the Draft Rules.

[12] Ibid (n 1).

[13] ¶2.0(3.5.1) of the Guidelines.

[14] ¶2.0(3.5.3) and (3.4) of the Guidelines.

[15] ¶2.10(3.5) of the Guidelines.

[16] R7 of the Draft Rules.

[17] §12(1) of the DPDP Act.

[18] R9 of the IRDAI (Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority) Regulations 2025.

[19] ¶19.1 of the IRDAI Master Guidelines on Anti-Money Laundering/Counter Financing of Terrorism 2022.

[20] §3(b) of the DPDP Act.

[21] R14 of the Draft Rules.

[22] ¶III(A)(2) of the MeitY's report on "AI Governance and Guidelines Development" of 7 January 2025.

[23] §10 of the DPDP Act.

[24] §10(2)(c) of the DPDP Act, read with R12 of the Draft Rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
