Aligning Data Protection Standards: The Convergence of the DPDP Act and IRDA Regulations

January 24, 2025

The Digital Personal Data Protection (DPDP) Act and the Insurance Regulatory and Development Authority (IRDA) regulations together provide a comprehensive framework for managing personal data in the insurance industry. The DPDP Act sets out broad guidelines for data protection across industries, while the IRDA regulations tailor these guidelines to the specific requirements of the insurance sector; both are essential. This blog explores the main ways in which the two frameworks interact and what that means for insurers.
The DPDP Act provides broad definitions for key terminology including “Data Fiduciary,” “Data Principal,” and “Personal Data” in order to meet the needs of various businesses. In contrast, the IRDA regulations focus on insurance-specific terminologies like “policyholder data,” “regulated entities,” and “records,” which are subsets of the data categories recognized under the DPDP Act.
It is crucial for insurers to comprehend and balance these definitions. Under the DPDP Act and IRDA regulations, for instance, “policyholder data” may need to be handled more strictly because it contains sensitive personal information.

Standards for Consent

Section 5 of the DPDP Act emphasizes that every request for consent for processing data under Section 6 must be accompanied or preceded by a notice to the Data Principal. Rule 3 of the Draft Rules, 2025, elaborates on the standards for such notices. These notices must:
  1. Be presented in clear, plain language.
  2. Include detailed descriptions of the personal data, its specific purpose, and a list of goods or services utilizing the data.
  3. Explain how consent can be withdrawn and outline procedures for filing complaints with the Data Protection Board of India (DPBI).
IRDA regulations mandate transparency in managing policyholder data, which must now align with the consent standards under the DPDP Act and Rule 3 of the Draft Rules. Insurers must provide clear, compliant notices to policyholders to enable informed decisions about their data. Reinsurance arrangements must ensure shared data is strictly used for risk assessment and claims settlement, adhering to both frameworks.

Localized Data Storage

The DPDP Act, under Section 9, mandates that personal data should not be retained beyond the period necessary for fulfilling its purpose. This provision supports the IRDA’s emphasis on keeping insurance-related records in India for the duration specified by law. For instance, in order to satisfy operational and regulatory requirements, IRDA regulations frequently mandate that insurers keep data for a minimum of ten years. In accordance with the DPDP Act’s principles, insurers are required to ensure that data is securely erased or anonymized once the retention term has ended.

Cross-Border Data Transfers

Cross-border data transfers are allowed under Section 15 of the DPDP Act, as long as they follow the guidelines and security measures set forth by the government. Although cross-border data transfers are not specifically covered by IRDA regulations, insurers frequently make them when interacting with reinsurers or foreign regulatory agencies. Hence, insurers must ensure that cross-border data transfers are carried out with the proper safeguards, including data transfer agreements or encryption measures.

Rights of Individuals

Individuals are granted access, correction, and erasure rights over their personal data under the DPDP Act. Rule 13 of the Draft Rules now provides detailed guidelines for their implementation. This includes outlining the means for making requests, necessary identifiers for verification, and the timeframe for grievance redressal. The IRDA rules, however, require audit trails and record-keeping for regulatory compliance, which can restrict an insurer’s ability to remove or alter data right away when asked. In order to resolve this conflict, insurers should set up procedures that uphold DPDP Act individual rights while also adhering to IRDA’s operating guidelines.

Consent Management and its Implications for Insurers

Complementing Section 6 of the DPDP Act, Section 2(g) introduces the concept of a Consent Manager, defined as a person or entity registered with the Data Protection Board of India (DPBI) to act as a single point of contact for Data Principals. Consent Managers facilitate providing, managing, reviewing, and withdrawing consent through accessible, transparent, and interoperable platforms. Rule 4 of the Draft Rules further elaborates on Consent Managers by outlining their eligibility criteria, which include technical, operational, and financial standards.
For insurers, this framework intersects significantly with IRDA’s requirements for policyholder data transparency and protection. As entities managing sensitive personal information, insurers may need to collaborate with Consent Managers to streamline consent processes while ensuring compliance with both DPDP Act provisions and IRDA’s regulations.

Significant Data Fiduciaries in Insurance

The DPDP Act allows insurers that handle large amounts of customer data to be categorized as “Significant Data Fiduciaries.” Additional duties associated with this classification include hiring Data Protection Officers, carrying out Data Protection Impact Assessments (DPIAs), and being subject to frequent audits.
These obligations require a strong compliance infrastructure for major insurers. Even though they are not considered Significant Data Fiduciaries, smaller insurers are nonetheless required to comply with the DPDP Act and IRDA regulations.

Conclusion: Adopting a Dual Compliance Approach

The overlapping provisions of the DPDP Act and IRDA regulations underscore the need for insurers to adopt a dual compliance approach. While the IRDA regulations provide sector-specific standards, the DPDP Act establishes a universal foundation for personal data protection. Insurers must integrate both frameworks into their data management policies to ensure comprehensive compliance.
By harmonizing the requirements of the DPDP Act and IRDA regulations, insurers can protect personal data effectively while maintaining transparency, accountability, and regulatory compliance. This dual compliance approach not only minimizes legal risks but also fosters trust among policyholders, regulators, and other stakeholders.

Quant LegalTech India Pvt. Ltd