Cross-over with Sectoral Regulators under the DPDP Act, 2023: Harmonising RBI, SEBI, IRDAI, and TRAI Compliance

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a uniform data protection regime across India. However, several industries including banking, securities, insurance, and telecom are already governed by strong sectoral regulators: the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and Telecom Regulatory Authority of India (TRAI).
The overlap between DPDP and sectoral frameworks creates both complementary synergies and compliance tensions. Fiduciaries operating in these industries must navigate dual obligations on consent, retention, grievance handling, breach notification, and cross-border transfers.
Introduction: A Multi-Regulatory Environment
India’s regulatory landscape is fragmented but maturing. Sectoral regulators historically developed their own privacy and cybersecurity rules to protect consumers. With the advent of the DPDP Act, companies now face an overlay regime, where DPDP applies across the board while sector-specific rules continue in parallel.
The challenge for businesses is to satisfy both regimes simultaneously without breaching either.
RBI and DPDP
RBI’s Data Mandates
- KYC Guidelines: Banks must retain KYC data for at least five years after account closure.
- Cybersecurity Framework: RBI's Cyber Security Framework in Banks (2016) requires banks to report cyber incidents to RBI within two to six hours; separately, the CERT-In directions of 2022 require reporting to CERT-In within six hours.
- Data Localisation: Payment data must be stored only in India (for payment system operators).
Overlaps with DPDP
- Erasure Requests: DPDP grants data principals a right to erasure, but the Act itself carves out retention that is necessary to comply with any law in force, so RBI's retention obligations prevail for the records they cover.
- Breach Notification: RBI requires prompt notification to itself (and CERT-In within six hours); DPDP separately requires intimation of the Data Protection Board and each affected data principal. One incident can therefore trigger three reports on different clocks.
- Cross-border Transfers: RBI requires payment system data to be stored in India, while DPDP permits transfers except to countries restricted by government notification. DPDP expressly preserves any Indian law that imposes a stricter restriction on transfer (section 16(2)), so the RBI localisation mandate continues to bind.
Practical Case Illustration
A digital bank receives a customer's erasure request under DPDP. It must refuse for the KYC records, citing RBI's five-year retention rule, and to remain compliant it must:
- Erase non-mandatory data.
- Inform the customer of the legal basis for retention.
- Document justification in case of DPB inquiry.
SEBI and DPDP
SEBI’s Data Mandates
- Cybersecurity Circulars: Mandate exchanges and intermediaries to report cyber incidents.
- Investor Data Handling: Prescribes standards for record retention by brokers and depositories.
- Market Infrastructure Institutions: Must maintain secure, auditable systems.
Overlaps with DPDP
- Consent Management: SEBI intermediaries collect investor data to meet statutory obligations. A data principal may withdraw consent under DPDP, but the fiduciary need not cease processing that is required under another law, so withdrawal does not unwind SEBI-mandated processing; it does end any processing that rested on consent alone, such as marketing.
- Record Retention: SEBI mandates multi-year retention of investor records, potentially conflicting with DPDP erasure rights.
- Grievance Redressal: SEBI’s SCORES platform coexists with DPDP grievance channels.
Practical Case Illustration
An investor demands deletion of trading history citing DPDP. A broker must decline, explaining SEBI-mandated retention. However, it must:
- Ensure use of data is limited to compliance purposes.
- Delete peripheral or unnecessary data (marketing logs).
IRDAI and DPDP
IRDAI’s Data Mandates
- Policyholder Protection Regulations: Require insurers to maintain records of policies and claims.
- Health Data Handling: Strict confidentiality norms for medical records.
- Outsourcing Guidelines: Mandate security safeguards with third-party service providers.
Overlaps with DPDP
- Consent: IRDAI requires informed consent for health data, consistent with DPDP.
- Retention vs. Erasure: Claims data must be retained as per IRDAI rules, potentially conflicting with DPDP’s erasure right.
- Breach Notification: IRDAI requires insurers to notify regulators and customers, overlapping with DPDP.
Practical Case Illustration
A nominee of a deceased policyholder demands erasure of medical records under DPDP. The insurer must balance IRDAI’s retention requirements for claims settlement with DPDP obligations, limiting use but retaining legally required records.
TRAI and DPDP
TRAI’s Data Mandates
- Subscriber Verification (KYC): Subscriber verification and retention of subscriber records are imposed on operators by their Department of Telecommunications licence conditions, which sit alongside TRAI's regulations.
- Telemarketing and Spam Rules: TRAI's Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) restrict unsolicited commercial communication.
- Data Security Directions: Oblige telecom operators to safeguard subscriber data.
Overlaps with DPDP
- Consent Framework: TRAI already enforces customer preference (Do Not Disturb) registrations, but those govern only commercial communications. DPDP requires notice and consent (or another lawful ground) for every processing of personal data, not just marketing contact.
- Spam Complaints: TRAI handles unsolicited messages; DPDP grievance mechanisms may overlap.
- Retention vs. Erasure: Subscriber data retention mandated by TRAI may conflict with DPDP erasure rights.
Practical Case Illustration
A subscriber files a DPDP grievance against a telecom provider for spam calls despite DND registration. The provider must address both TRAI’s anti-spam obligations and DPDP consent withdrawal duties, risking double exposure if mishandled.
Areas of Conflict and Duplication
1. Retention vs. Erasure
- RBI, SEBI, IRDAI, and TRAI mandate retention of certain records.
- DPDP grants erasure rights. Fiduciaries must explain lawful exemptions.
2. Breach Notification
- CERT-In (6 hours), RBI/SEBI/IRDAI/TRAI (sector timelines), DPDP (to Board + principals).
- Risk of multiple notifications for one breach.
3. Grievance Mechanisms
- Sectoral grievance systems (SCORES, DND, Insurance Ombudsman) overlap with DPDP grievance officers and the Board.
4. Cross-Border Restrictions
- RBI mandates localisation of payment data, while DPDP leaves cross-border approvals to government notification.
Global Comparisons
GDPR (EU)
- Supervisory Authorities work alongside sectoral regulators (e.g., ECB for banks).
- Harmonisation achieved through cooperation agreements.
HIPAA (U.S., Healthcare)
- Sector-specific law coexists with general consumer protections, often leading to overlaps.
UK Financial Conduct Authority (FCA) and ICO
- FCA regulates financial records; ICO enforces GDPR. Clear guidance documents harmonise obligations.
- India will need inter-regulator coordination frameworks to replicate this clarity.
Compliance Strategies for Fiduciaries
1. Regulatory Mapping: Maintain a matrix mapping DPDP obligations against sectoral rules.
2. Retention Justifications: Document legal bases for denying erasure requests.
3. Unified Breach Protocols: Create integrated notification frameworks covering CERT-In, RBI, SEBI, IRDAI, TRAI, and DPB.
4. Dual Grievance Integration: Route complaints seamlessly between sectoral systems and DPDP mechanisms.
5. Regulator Engagement: Industry associations should lobby for harmonised guidelines to avoid conflicting duties.
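The retention-hold triage in the RBI and SEBI illustrations above and the regulatory matrix and unified breach protocol in points 1 to 3 can be expressed as one small engine. The following is an added Python example, not code from the article or from any regulator: RETENTION_MATRIX, NOTIFICATION_MATRIX, triage_erasure and breach_schedule are hypothetical names, the SEBI retention period and the Board/principal timelines are placeholders to be filled from the current circulars and rules, and the five-year KYC hold, the six-hour CERT-In window and RBI's two-to-six-hour window are the figures the article and those frameworks state.

```python
"""Erasure-request triage and breach-notification fan-out driven by a
regulator mapping.  Added illustration; not code from the article or any
regulator.  Only the five-year KYC hold, the six-hour CERT-In window and
RBI's 2-to-6-hour window are stated figures; other values are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    regulator: str
    basis: str                 # text quoted back to the data principal
    years_after_closure: int   # hold runs from account/relationship closure


# Constructed regulatory matrix: data category -> sectoral retention hold.
# Categories absent from the matrix carry no statutory hold.
RETENTION_MATRIX: dict[str, RetentionRule] = {
    "kyc_record": RetentionRule(
        "RBI", "KYC records retained five years after account closure", 5),
    # Assumed period for illustration; confirm against the current SEBI text.
    "trade_record": RetentionRule(
        "SEBI", "broker records retained for the SEBI-prescribed period", 5),
}


@dataclass(frozen=True)
class NotifyRule:
    recipient: str
    hours: Optional[int]   # None: timeline fixed by sectoral circular/rules, not encoded


# Constructed fan-out list for a bank.  CERT-In: six hours (2022 directions);
# RBI: outer bound of its 2016 framework's 2-to-6-hour window; DPDP recipients
# come from the Act, their timelines from the rules (left unset here).
NOTIFICATION_MATRIX: dict[str, list[NotifyRule]] = {
    "banking": [
        NotifyRule("CERT-In", 6),
        NotifyRule("RBI", 6),
        NotifyRule("Data Protection Board", None),
        NotifyRule("affected data principals", None),
    ],
}


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 Feb closure, non-leap target year
        return d.replace(year=d.year + years, day=28)


@dataclass
class ErasureDecision:
    erase: list[str]
    retain: dict[str, str]     # category -> legal basis to quote
    audit: dict


def triage_erasure(request_id: str, categories: list[str],
                   closed_on: Optional[date], today: date) -> ErasureDecision:
    """Split held categories into erasable and legally retained.

    Retained categories keep their legal basis so the refusal sent to the
    data principal and the record kept for a DPB inquiry cite the same text.
    """
    erase, retain = [], {}
    for cat in sorted(set(categories)):
        rule = RETENTION_MATRIX.get(cat)
        if rule is None:
            erase.append(cat)                      # no statutory hold
            continue
        hold_ends = None if closed_on is None else _add_years(
            closed_on, rule.years_after_closure)
        if hold_ends is not None and today >= hold_ends:
            erase.append(cat)                      # hold has lapsed
        else:                                      # open account or live hold
            retain[cat] = f"{rule.regulator}: {rule.basis}"
    audit = {
        "request_id": request_id,
        "decided_on": today.isoformat(),
        "erased": erase,
        "retained": retain,
        "purpose_limitation": "retained categories restricted to compliance use",
    }
    return ErasureDecision(erase, retain, audit)


def breach_schedule(sector: str,
                    detected_at: datetime) -> list[tuple[str, Optional[datetime]]]:
    """Deadline per recipient, earliest first; unset timelines sort last."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    rows = [(r.recipient,
             None if r.hours is None else detected_at + timedelta(hours=r.hours))
            for r in NOTIFICATION_MATRIX[sector]]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or detected_at))


if __name__ == "__main__":
    d = triage_erasure("REQ-1", ["kyc_record", "marketing_prefs"],
                       date(2021, 3, 31), date(2024, 1, 15))
    print(d.erase, d.retain)
    for who, when in breach_schedule(
            "banking", datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)):
        print(who, when)
```

The point of keeping the legal basis inside the matrix is that the customer-facing refusal, the purpose restriction applied to the retained records and the audit record handed to the Board all derive from one entry, so frontline staff and the compliance file cannot drift apart.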
Risks of Non-Compliance
- Double Penalties: Simultaneous action by DPB and sectoral regulator.
- Conflicting Directions: Inconsistent orders from two regulators leave the fiduciary uncertain which to follow.
- Operational Confusion: Frontline staff may mishandle requests if systems are not integrated.
- Reputational Harm: Breach of sensitive financial, health, or telecom data invites intense scrutiny.
Conclusion & Key Takeaways
The DPDP Act overlays a comprehensive privacy regime onto existing sectoral frameworks enforced by RBI, SEBI, IRDAI, and TRAI. While synergies exist, conflicts arise around retention, grievance redressal, breach notification, and cross-border transfers.
Key takeaways for businesses:
- Expect dual compliance burdens – sectoral rules + DPDP.
- Use regulatory mapping and documentation to defend conflicting obligations.
- Invest in unified grievance and breach response systems.
- Engage proactively with regulators to shape harmonised rules.
For corporate India, compliance under DPDP is not siloed—it requires navigating a multi-regulatory ecosystem where privacy and sectoral mandates must be harmonised.
Co-authored by: Aurelia Menezes