Data Protection In The Insurance Sector: Navigating India’s Digital Personal Data Protection Act, 2023

Posted On - 8 April, 2026 • By - Aniket Ghosh

Abstract

The enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) marks a watershed moment for the Indian insurance sector, an industry that has long been among the most data-intensive in the financial services landscape. From health declarations and clinical histories to actuarial profiling and claims adjudication, insurers process volumes of sensitive personal data that touch upon the most private aspects of a policyholder’s life. This article examines the intersection of the DPDP Act with the existing insurance regulatory framework under the Insurance Regulatory and Development Authority of India (“IRDAI”), identifies key compliance obligations, and charts a roadmap for insurers, intermediaries, and InsurTech entities navigating this evolving legal landscape.

Introduction

India’s insurance sector, encompassing over 50 life and non-life insurers, thousands of intermediaries, and a rapidly expanding InsurTech ecosystem, processes the personal data of hundreds of millions of policyholders and prospects each year. The nature of this data (health records, financial histories, nominee information, and digital behavioural signals) places it at the heart of any robust data protection regime.

The Digital Personal Data Protection Act, 2023 (hereinafter the “Act” or “DPDP Act”), which received Presidential assent on August 11, 2023, establishes for the first time in India a comprehensive statutory framework governing the processing of digital personal data. While the Act’s rules and the operationalisation of the Data Protection Board of India (“DPDPB”) are yet to be fully notified at the time of writing, the substantive obligations it creates have profound implications for insurance companies, third-party administrators (“TPAs”), surveyors, brokers, and agents.

Critically, the Act does not operate in isolation. Insurance companies remain subject to IRDAI’s omnibus directions, the Insurance Act, 1938, the Insurance Laws (Amendment) Act, 2015, and a host of sector-specific guidelines on customer data, KYC, and information security. The challenge for compliance professionals and legal counsel is to reconcile these overlapping frameworks and build a unified data governance architecture.

The DPDP Act: Key Concepts and Architecture

A. Scope and Applicability

The DPDP Act applies to the processing of digital personal data within India, and also to processing outside India where the goods or services are offered to data principals within India. For insurers, this has immediate significance: overseas reinsurers, global claims management platforms, and foreign TPAs that handle Indian policyholders’ data will fall within the Act’s extended jurisdictional reach.

“Personal data” under the Act means any data about an individual who is identifiable by or in relation to such data. Notably, the Act does not carve out a separate statutory category of “sensitive personal data” as its predecessors (particularly the withdrawn Personal Data Protection Bill, 2019) did. Children’s data is the one category given specific heightened protection (Section 9). Health and financial data receive no separate statutory treatment, but their sensitivity bears directly on the “reasonable security safeguards” an insurer must implement and on the likelihood of designation as a Significant Data Fiduciary, which makes them functionally a sensitive category for insurance purposes.

B. Principal Definitions Relevant to Insurers

  • Data Fiduciary: Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. Insurers will qualify, as will TPAs and intermediaries to the extent they independently determine processing purposes; a TPA that acts purely on the insurer’s instructions is a Data Processor (see below).
  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary. Aggregators, survey agencies, and cloud service providers used by insurers will typically be Data Processors.
  • Data Principal: The individual to whom the personal data relates. In insurance, this means policyholders, nominees, claimants, insured beneficiaries, and even prospective customers whose data is collected during proposal processing.
  • Consent Manager: A Board-registered entity through whom Data Principals may give, manage, review, and withdraw consent. The emergence of Consent Managers may reshape how insurers collect and store consent artefacts.

C. Legitimate Bases for Processing

The Act recognises two bases for lawful processing: (i) consent of the Data Principal, and (ii) “certain legitimate uses” enumerated in Section 7, which do the work that legitimate-interest and legal-obligation bases do in other regimes. For insurers, several of the latter are directly applicable:

  • Processing of personal data that the Data Principal has voluntarily provided for a specified purpose without indicating non-consent, which covers policy issuance and claims settlement where the proposer or claimant supplies the data for that purpose.
  • Processing required to comply with a law or a court order, including disclosure obligations under the Insurance Act, IRDAI directions, the Prevention of Money Laundering Act (PMLA), and income tax law.
  • Processing to respond to a medical emergency involving a threat to life or health, relevant for health and personal accident insurers.
  • Processing by the State to provide a subsidy, benefit or service or to perform its functions, applicable to government-sponsored insurance schemes (PMJJBY, PMSBY, Ayushman Bharat, etc.).

The critical insight for insurers is that while the voluntarily-provided-data and legal-obligation grounds cover core underwriting and claims data processing, peripheral uses such as marketing, profiling for upselling, or data analytics will require explicit, free, and informed consent.

The Insurance Data Landscape: What Is at Stake?

Before mapping compliance obligations, it is instructive to catalogue the categories of personal data routinely processed in the insurance life cycle:

A. Data Collected at Proposal Stage

  • Identity and demographic data (name, date of birth, PAN, Aadhaar, address)
  • Health and medical data (pre-existing conditions, medical history, diagnostic reports, physician details)
  • Financial data (income declarations, bank account details, premium payment instruments)
  • Lifestyle data (occupation, travel history, hazardous activities, tobacco/alcohol use)
  • Nominee and beneficiary details (which may constitute third-party personal data)

B. Data Collected and Generated During Policy Tenure

  • Premium payment transaction records
  • Policy servicing interactions (call centre logs, chatbot transcripts, customer portal activity)
  • Telematics data in motor insurance (driving behaviour, location, speed)
  • Wearable and wellness data in health insurance (step counts, vitals, fitness scores)
  • Claims notifications and correspondence

C. Data Processed During Claims

  • Hospital and treatment records, discharge summaries, surgical notes
  • Investigation reports, surveyor assessments, forensic findings
  • Legal documents (FIRs, post-mortem reports, court orders)
  • Third-party liability data (accident victims, witnesses)

The sheer breadth and sensitivity of this data ecosystem makes insurers among the highest-risk Data Fiduciaries from a regulatory perspective, and likely candidates for designation as “Significant Data Fiduciaries” under Section 10 of the DPDP Act.

Compliance Obligations: A Sectoral Mapping

The table below maps the principal obligations under the DPDP Act to their insurance sector implications:

  • Consent management: Consent is needed for processing beyond the core insurance contract (marketing, cross-selling, analytics); it must be specific, informed and given by a clear affirmative action, and it must be as easy to withdraw as to give.
  • Purpose limitation: Data collected for underwriting cannot be repurposed for cross-selling without fresh consent from the Data Principal.
  • Data minimisation: Only data necessary for the stated purpose may be collected; KYC fields that exceed what the applicable law requires should be eliminated.
  • Cross-border transfer: The Act imposes no general localisation mandate, but the Central Government may restrict transfers to notified countries or territories; IRDAI’s own localisation requirements for policyholder data continue to apply, so overseas reinsurance data flows need to be mapped and contractually safeguarded.
  • Grievance redressal: Every Data Fiduciary must publish the contact details of a person able to answer Data Principals’ questions and must operate a grievance mechanism that responds within the prescribed timelines; a Data Protection Officer is mandatory for Significant Data Fiduciaries.
  • Personal data breach notification: Every personal data breach must be intimated to the Data Protection Board of India and to each affected Data Principal in the prescribed form and within the prescribed timelines.
  • Children’s data: Insurers offering juvenile policies or child health plans must obtain verifiable parental consent and may not track, behaviourally monitor or target advertising at children.

A. Consent Management

Perhaps no obligation will require more immediate restructuring than consent management. Insurers have historically relied on broadly worded, pre-ticked, bundled consent clauses buried in proposal forms. The DPDP Act renders this approach non-compliant. Consent must now be:

  • Free: not bundled with acceptance of terms and conditions for the insurance product itself
  • Specific: separately obtained for each distinct processing purpose beyond core contract performance
  • Informed: accompanied by a notice that clearly explains the personal data to be collected, the purpose of processing, and the rights of the Data Principal
  • Unambiguous: expressed through a clear affirmative action (a pre-ticked box does not constitute consent)
  • Withdrawable: the Data Principal must be able to withdraw consent as easily as it was given

The practical implication is that insurers must audit every data collection touchpoint (proposal forms, agent scripts, customer portal registration, chatbot interfaces, and mobile applications) and rebuild consent frameworks accordingly. A Board-registered Consent Manager may provide a compliant and auditable consent infrastructure.
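As an added illustration (not part of the original article), the following Python sketch shows the shape of a consent-and-purpose gate that encodes the five properties above: a default-deny check that lets core, legitimate-use purposes through without a consent record, requires a specific, affirmative, notice-linked consent record for every peripheral purpose, rejects pre-ticked or bundled consent at the point of capture, and treats withdrawal as a first-class operation so that processing stops the moment consent is revoked. The purpose codes, the mapping of purposes to legal bases, and the sample policyholder identifier are assumptions constructed for the example.

```python
"""Consent ledger and purpose-based processing gate (added example).

Purpose codes, the purpose-to-basis mapping and the sample identifier
below are assumptions constructed for illustration, not the article's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purposes whose legal basis is a "legitimate use" under the Act (assumed
# mapping): the Data Principal supplied the data for these purposes, or the
# processing is required by law. No consent record is needed for them.
LEGITIMATE_USE_PURPOSES = {
    "policy_issuance", "claims_settlement", "kyc_aml", "medical_emergency",
}

# Peripheral purposes that rest on consent and therefore need a current,
# specific consent record before any processing takes place.
CONSENT_PURPOSES = {"marketing", "cross_sell_profiling", "wellness_analytics"}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    given_at: datetime
    notice_version: str              # the notice shown at capture ("informed")
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of per-purpose consent events, kept for audit."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, principal_id: str, purpose: str, *,
               affirmative_action: bool, notice_version: str,
               bundled_with_terms: bool = False) -> ConsentRecord:
        # "Specific": consent is captured one purpose at a time.
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        # "Unambiguous": a pre-ticked box or silent default is not consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        # "Free": consent may not be a condition of accepting the policy.
        if bundled_with_terms:
            raise ValueError("consent must not be bundled with policy terms")
        rec = ConsentRecord(principal_id, purpose,
                            datetime.now(timezone.utc), notice_version)
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> int:
        """Withdrawable: close every open consent for this purpose.
        Returns the number of records withdrawn."""
        now = datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now
                count += 1
        return count

    def has_current_consent(self, principal_id: str, purpose: str) -> bool:
        return any(r.principal_id == principal_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def audit_trail(self, principal_id: str) -> list[dict]:
        """Consent artefacts for one Data Principal (e.g. for an access request)."""
        return [{"purpose": r.purpose, "notice": r.notice_version,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.principal_id == principal_id]


def may_process(ledger: ConsentLedger, principal_id: str, purpose: str):
    """Default-deny gate to call before any processing step.
    Returns (allowed, basis) so the basis can be logged alongside the action."""
    if purpose in LEGITIMATE_USE_PURPOSES:
        return True, "legitimate_use"
    if purpose in CONSENT_PURPOSES:
        if ledger.has_current_consent(principal_id, purpose):
            return True, "consent"
        return False, "no_current_consent"
    return False, "unknown_purpose"      # unmapped purposes are refused outright


if __name__ == "__main__":
    ledger = ConsentLedger()
    pid = "POLICYHOLDER-0001"            # constructed identifier
    print(may_process(ledger, pid, "claims_settlement"))   # allowed on legitimate use
    print(may_process(ledger, pid, "marketing"))           # refused: no consent yet
    ledger.record(pid, "marketing", affirmative_action=True, notice_version="notice-v3")
    print(may_process(ledger, pid, "marketing"))           # allowed on consent
    ledger.withdraw(pid, "marketing")
    print(may_process(ledger, pid, "marketing"))           # refused again after withdrawal
    print(ledger.audit_trail(pid))
```

The important design choice is that the gate is default-deny and is keyed on purpose, not on whether the insurer happens to hold the data: a claims team that legitimately holds a discharge summary still cannot hand it to the cross-selling team without a current consent record for that purpose, and the `basis` returned by the gate is what an auditor or the DPDPB would expect to see logged against each processing action.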

B. Notice Requirements

Every Data Fiduciary processing personal data on the basis of consent must provide a notice to the Data Principal. For insurers, this notice obligation interfaces directly with IRDAI’s Key Feature Document (KFD) and Policy Schedule disclosure requirements, but it goes further: the notice must also specify the personal data being processed, the purpose of processing, the manner in which the Data Principal may exercise their rights, and the manner in which a complaint may be made to the Board. Insurers should consider integrating DPDP-compliant privacy notices into existing product disclosure documents, while ensuring the language is plain and accessible to semi-literate policyholders.

C. Rights of Data Principals

The Act confers several rights on Data Principals that will require operational processes to honour:

  • Right to Access: Data Principals may seek a summary of the personal data being processed and the processing activities undertaken with respect to such data.
  • Right to Correction and Erasure: Data Principals may seek correction of inaccurate data and erasure of data that is no longer necessary for the purpose for which it was collected, subject to the insurer’s retention obligations under law.
  • Right of Grievance Redressal: Data Principals must be provided with a readily accessible means of registering grievances, which the Data Fiduciary must resolve within the prescribed timelines.
  • Right to Nominate: A Data Principal may nominate another individual to exercise rights on their behalf in the event of death or incapacity, a provision with direct relevance to the life insurance sector.

Critically, the right to erasure is not absolute. Insurers are entitled to retain personal data to the extent necessary to comply with legal retention requirements (such as those under the IRDAI guidelines on record retention, PMLA, and income tax laws) and to protect against, establish, or exercise legal claims. A detailed data retention matrix aligned with applicable laws will be an essential compliance artefact.

Interaction with the IRDAI Regulatory Framework

A. IRDAI’s Data Protection Framework

IRDAI has, through its Information and Cyber Security Guidelines (2023) and various master circulars, already established baseline requirements for data classification, access controls, incident management, and vendor due diligence. These guidelines overlap substantially with DPDP Act obligations but are not co-extensive. Insurers must treat the DPDP Act as a floor that supplements and in some respects raises the bar beyond IRDAI’s existing requirements.

Notably, IRDAI’s Insurance Products Regulations (2023) and its Bima Sugam initiative contemplate an integrated digital insurance marketplace where insurers, intermediaries, and the regulator exchange policyholder data. The design and operation of Bima Sugam must be stress-tested against DPDP Act obligations, particularly around data minimisation, purpose limitation, and cross-entity data sharing.

B. TPAs and Data Processor Obligations

Third-Party Administrators play a central role in health insurance claims processing and accordingly handle significant volumes of medical and financial personal data. Under the DPDP Act, TPAs acting as Data Processors must process data only on documented instructions from the insurer (as Data Fiduciary) and must implement appropriate technical and organisational measures to ensure data protection. The insurer, as Data Fiduciary, remains responsible for ensuring that its TPAs comply with the Act’s requirements, a dynamic that necessitates robust data processing agreements and periodic audits.

C. Insurance Intermediaries: Agents, Brokers, and Web Aggregators

The DPDP Act creates compliance obligations for all entities that process personal data, regardless of their size, though the Rules may create differential obligations for smaller entities. Insurance agents, brokers, and web aggregators collect significant personal and financial data during the distribution process. They must ensure that their data collection practices are aligned with the purposes for which consent was obtained, that they do not retain data beyond the purpose for which it was collected, and that they implement baseline security safeguards. The principal insurer’s liability exposure for mis-selling and data misuse by intermediaries may be amplified in a DPDP Act environment.

Cross-Border Data Flows and Reinsurance

The global nature of the reinsurance market creates particular complexity. Indian insurers routinely share policyholder data with overseas reinsurers for pricing, accumulation management, and claims settlement. The DPDP Act empowers the Central Government to restrict transfers of personal data to such countries or territories as it may notify, a mechanism which, depending on how it is implemented, could create friction in existing reinsurance arrangements.

Until a detailed cross-border transfer framework is operationalised, insurers should undertake a mapping exercise to identify all overseas data transfers, review contractual safeguards in reinsurance treaties and facultative arrangements, and ensure that such transfers are restricted to what is strictly necessary for the reinsurance purpose. IRDAI’s existing data localisation requirements for certain categories of policyholder data provide a starting point but do not address all scenarios.

Significant Data Fiduciary Designation

Section 10 of the DPDP Act empowers the Central Government to designate certain Data Fiduciaries, or classes of Data Fiduciaries, as “Significant Data Fiduciaries” (SDFs) based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on national security and public order. Large insurance companies, particularly life insurers with hundreds of millions of policyholders, are likely SDF candidates.

SDFs are subject to additional obligations, including the mandatory appointment of a Data Protection Officer (who must be based in India and accountable to the Board of Directors), the engagement of an independent Data Auditor, and the conduct of periodic Data Protection Impact Assessments (DPIAs). Insurers designated as SDFs must also avoid algorithmic processing that poses a risk of significant harm to Data Principals, a provision with implications for AI-driven underwriting and fraud detection systems.

The Data Protection Board of India

The DPDPB, to be established under Section 18 of the Act, will be the primary adjudicatory body for data protection grievances and violations. Complaints may be filed before the Board by Data Principals who have exhausted the Data Fiduciary’s internal grievance redressal mechanism. The Board has the power to impose significant financial penalties, up to INR 250 crore per instance for the most serious breaches listed in the Schedule to the Act, such as failure to take reasonable security safeguards to prevent a personal data breach.

For insurers, the DPDPB will operate as an additional regulatory body alongside IRDAI, the Consumer Protection Authority, the Financial Intelligence Unit, and sector tribunals. Coordination between regulatory bodies in cases of overlapping jurisdiction, such as a data breach that also triggers reporting obligations under IRDAI’s cyber security guidelines, will require careful navigation. Insurers should establish a clear internal protocol for managing cross-regulatory incidents, so that a single incident is classified once and reported to each regulator from the same set of facts.

InsurTech and Emerging Data Practices

A. AI-Driven Underwriting

The use of artificial intelligence and machine learning in underwriting, whether for health risk scoring, motor risk assessment, or property valuation, involves the processing of large volumes of personal data, including inferred and derived data. The DPDP Act’s prohibition on processing personal data in a manner that involves a risk of significant harm creates a novel compliance consideration: underwriting algorithms that systematically disadvantage certain demographic groups or produce opaque, unexplainable decisions may need to be reviewed and redesigned.

B. Usage-Based and Behavioural Insurance

Telematics-based motor insurance and wellness-linked health insurance products collect granular, continuous data on policyholder behaviour. This data is inherently personal and, in the case of telematics, may also constitute location data. Insurers deploying such products must ensure that the consent obtained from policyholders is granular enough to cover the specific data points collected, the frequency of collection, and the specific purposes (premium calculation, claims verification, product improvement) for which it is used.

C. Data Brokers and Lead Generation

The practice of purchasing leads from data brokers or digital marketing platforms, common in both life and general insurance distribution, is fraught with DPDP Act risk. Unless the original data collector obtained consent for onward transfer to insurers for marketing purposes, the use of such data by insurers is likely non-compliant. Insurers should audit their lead generation channels and obtain legal opinions on the provenance of purchased data.

A Compliance Roadmap for Insurers

Given the above analysis, the following phased compliance roadmap is recommended for insurance entities:

Phase 1: Baseline Assessment (Months 1–3)

  • Conduct a comprehensive data inventory and data flow mapping exercise across all business lines, geographies, and third-party relationships.
  • Classify all personal data processed into categories (identity, financial, health, behavioural, derived) and identify applicable legal bases for processing.
  • Review existing consent mechanisms, privacy notices, and data subject rights processes against DPDP Act requirements.
  • Identify potential SDF designation risk and prepare for associated obligations.

Phase 2: Framework Design and Implementation (Months 3–9)

  • Rebuild consent architecture across all customer touchpoints, incorporating withdrawal mechanisms and linkage to Consent Managers where applicable.
  • Draft and implement DPDP-compliant privacy notices integrated with IRDAI disclosure requirements.
  • Establish a Data Principal rights fulfilment process, including timelines and escalation paths for access, correction, and erasure requests.
  • Appoint a Data Protection Officer and establish a Data Protection Committee at the board level.
  • Review and update all data processing agreements with TPAs, surveyors, brokers, and technology vendors.
  • Design and implement a cross-border data transfer framework aligned with Central Government notifications.

Phase 3: Operationalisation and Audit (Months 9–18)

  • Conduct a Data Protection Impact Assessment for high-risk processing activities, including AI-driven underwriting and telematics.
  • Implement a data breach response and notification process aligned with DPDPB timelines and IRDAI’s cyber incident reporting requirements.
  • Engage an independent Data Auditor for SDF-designated entities.
  • Conduct staff training and awareness programmes across distribution, operations, and technology functions.
  • Establish a regulatory monitoring process to track DPDP Rules notifications, DPDPB guidelines, and IRDAI data protection circulars.

Conclusion

The Digital Personal Data Protection Act, 2023 represents the most significant shift in Indian data governance in the nation’s legislative history. For the insurance sector, it is not merely a compliance exercise but a structural transformation of how personal data is collected, used, stored, and protected across the entire value chain.

Insurers that approach DPDP compliance as a box-ticking exercise do so at their peril. The Act’s penalty regime, the DPDPB’s adjudicatory powers, and the reputational consequences of a significant data breach in a trust-dependent industry make proactive, good-faith compliance the only rational strategic choice. More fundamentally, insurers that invest in building genuine data privacy practices, such as consent architectures that respect policyholder autonomy, algorithmic systems that are explainable and non-discriminatory, and data governance frameworks that are transparent and auditable, will be better positioned to earn and retain the trust of India’s increasingly data-aware consumer.

The DPDP Act and the IRDAI’s evolving regulatory framework together create a dual-regulator environment that will require sophisticated legal and compliance capabilities. The time for action is now, well before the Rules are notified and enforcement begins.
