Compliance Guide

DPDP Compliance for Insurance Companies

Insurance is built on data—health records, financial history, and lifestyle habits. Learn how the DPDP Act 2023 affects Indian insurers, brokers, and TPAs.

Understanding DPDP for the Insurance Sector

If you run an insurance company, a brokerage, or even a specialized agency in India, you are essentially a professional “data collector.” To decide whether to give someone a policy, you need to know everything—their age, their medical history, how much they earn, and sometimes even if they smoke or skydive.

Under India’s new Digital Personal Data Protection Act (DPDP), 2023, your business is classified as a Data Fiduciary. This is a fancy legal term that means you are the person the customer (the Data Principal) trusts with their information. Because you hold so much sensitive info, the law holds you to a very high standard. If you mishandle this data, the government can levy penalties of up to ₹250 Crore.

Let’s break down how to stay on the right side of the law without losing your mind in paperwork.

Data Types in the Insurance Lifecycle

In insurance, data isn’t just a name and number. It’s the foundation of your underwriting process. Here’s a look at what you’re likely handling and how risky it is under the new law.

| Business Function  | Data Processed                                                      | DPDP Risk Level |
|--------------------|---------------------------------------------------------------------|-----------------|
| KYC & Onboarding   | Aadhaar, PAN, Bank details, Photo                                   | High            |
| Underwriting       | Medical reports, BMI, family history, lifestyle                     | Very High       |
| Claims Processing  | Hospital discharge summaries, accident photos, death certificates   | Very High       |
| Marketing          | Email, phone number, browsing history                               | Medium          |
| Policy Servicing   | Nominee details, address changes                                    | Medium          |
| HR & Payroll       | Employee bank details, performance reviews                          | Medium          |

1. Getting Consent Right

In the old days, insurance companies buried “permission to use data” in page 45 of a 60-page policy document. DPDP kills that practice. Now, consent must be free, specific, informed, unconditional, and given through a clear affirmative action.

What this looks like in practice: Imagine a policyholder is signing up for health insurance on your website. You cannot have a pre-ticked box that says “I agree to let you share my data with 50 marketing partners.” You must provide a Notice in plain, simple language (and ideally in multiple Indian languages) explaining exactly what data you are taking and why you need it.

  • Practical Tip: Create a “Consent Manager” interface where customers can see what they agreed to and, more importantly, withdraw that consent if they choose. If a customer withdraws consent, you have to stop processing their data, unless you need it for a legal reason (like an active claim). You can see how other financial firms are handling this on our DPDP analysis page.
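Here is an added example, not code from the original guide, of the consent-ledger logic a Consent Manager interface would sit on top of. It is written in Python and assumes a hypothetical purpose label `claim_settlement` as the one purpose that keeps a separate legal basis after withdrawal; the purpose names and the `LEGAL_BASIS_PURPOSES` set are constructed for illustration and would come from your legal team in a real system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed for this example: purposes that keep a legal basis even after
# consent is withdrawn, such as finishing an active claim. A real list is
# decided by counsel, not by this placeholder set.
LEGAL_BASIS_PURPOSES = {"claim_settlement"}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentManager:
    """Per-principal consent ledger: grant, view, withdraw, and check."""

    def __init__(self) -> None:
        # principal_id -> purpose -> latest consent record
        self._ledger: Dict[str, Dict[str, ConsentRecord]] = {}

    def grant(self, principal_id: str, purpose: str, affirmative_action: bool) -> None:
        # No pre-ticked boxes: refuse to record consent unless the customer
        # actively opted in (a click, a signature, a typed confirmation).
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        self._ledger.setdefault(principal_id, {})[purpose] = ConsentRecord(
            purpose=purpose, granted_at=datetime.now(timezone.utc)
        )

    def withdraw(self, principal_id: str, purpose: str) -> None:
        rec = self._ledger.get(principal_id, {}).get(purpose)
        if rec is None:
            raise KeyError(f"no consent on file for purpose {purpose!r}")
        rec.withdrawn_at = datetime.now(timezone.utc)

    def view(self, principal_id: str) -> List[dict]:
        # What the customer sees in the self-service screen: every purpose
        # they agreed to, and whether that consent is still active.
        return [
            {
                "purpose": r.purpose,
                "active": r.withdrawn_at is None,
                "granted_at": r.granted_at.isoformat(),
            }
            for r in self._ledger.get(principal_id, {}).values()
        ]

    def may_process(self, principal_id: str, purpose: str,
                    active_claim: bool = False) -> bool:
        # A purpose with its own legal basis (an open claim) survives
        # withdrawal; everything else needs live, unwithdrawn consent.
        if purpose in LEGAL_BASIS_PURPOSES and active_claim:
            return True
        rec = self._ledger.get(principal_id, {}).get(purpose)
        return rec is not None and rec.withdrawn_at is None
```

Every processing job (a marketing mailer, an analytics export) should call `may_process` before touching a record, and a denied check is worth logging, since a pattern of denials on a withdrawn purpose is exactly what a regulator will ask you to explain.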

2. Tightening Data Access Controls

Not everyone in your office needs to see everything. Does the person in the marketing department need to know that a specific policyholder has a chronic heart condition? Absolutely not. That information is for the underwriting team and the claims adjusters only.

What this looks like in practice: You need to implement Role-Based Access Control (RBAC). Your IT system should be locked down so that:

  • Sales agents see contact info but not medical files.
  • Underwriters see medical files but perhaps not full bank account numbers.
  • IT admins can maintain the system without seeing the actual “values” inside the database (using encryption or masking).
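The three bullets above map directly onto a field-level access policy. The following is an added Python example, not code from the original guide, showing one way to enforce it: each role gets a per-field access level (`full`, `last4`, or nothing), everything outside the policy is masked, and every masked field is written to an audit log so a query that touches data the role should not see is visible to your security team. The role names, field names, and the sample record are constructed for illustration.

```python
from typing import Dict, List

# Constructed role policy: field -> access level. Anything not listed for a
# role is masked. Adjust the roles and fields to your own schema.
ROLE_POLICY: Dict[str, Dict[str, str]] = {
    "sales_agent": {"policy_no": "full", "name": "full",
                    "phone": "full", "email": "full"},
    "underwriter": {"policy_no": "full", "name": "full", "bmi": "full",
                    "medical_reports": "full", "family_history": "full",
                    "bank_account": "last4"},   # partial view only
    "claims_adjuster": {"policy_no": "full", "name": "full",
                        "medical_reports": "full", "discharge_summary": "full",
                        "bank_account": "full"},
    "it_admin": {},   # can run the system, sees no field values at all
}

MASK = "***"

# Denied-field events go here; in production this would be a SIEM feed.
AUDIT_LOG: List[dict] = []


def view_record(record: Dict[str, object], role: str, actor: str) -> Dict[str, object]:
    """Return a copy of the record with every field the role may not see masked."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        AUDIT_LOG.append({"actor": actor, "role": role, "event": "unknown_role"})
        raise PermissionError(f"unknown role {role!r}")

    out: Dict[str, object] = {}
    denied: List[str] = []
    for name, value in record.items():
        level = policy.get(name)
        if level == "full":
            out[name] = value
        elif level == "last4":
            # Show only the last four characters, e.g. for a bank account.
            out[name] = "X" * max(len(str(value)) - 4, 0) + str(value)[-4:]
        else:
            out[name] = MASK
            denied.append(name)
    AUDIT_LOG.append({"actor": actor, "role": role,
                      "policy_no": record.get("policy_no"), "masked": denied})
    return out


# Constructed sample policyholder record (not real data).
SAMPLE_RECORD = {
    "policy_no": "HLT-0001", "name": "A. Sharma",
    "phone": "9800000010", "email": "a.sharma@example.com",
    "bank_account": "123456789012", "bmi": 27.4,
    "medical_reports": ["ECG 2024-03"], "family_history": "cardiac",
}
```

Note that `it_admin` is not an error case: the role is valid, it just has no field rights, which is the "maintain the system without seeing the values" bullet expressed as policy rather than as trust in the admin.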

If an employee leaks a celebrity’s medical record because your system was “wide open” to all staff, your company is the one facing that ₹250 Crore fine. Check out our guide for startups to see how to build these controls from day one.

3. Third-Party Data Sharing (TPAs and Reinsurers)

Insurance is a team sport. You likely share data with Third Party Administrators (TPAs) for claims, hospitals for cashless treatments, and reinsurance companies to spread your risk.

Under DPDP, these partners are Data Processors. While they do the work, you (the Fiduciary) are ultimately responsible if they lose the data. You must have a rock-solid contract in place that mandates they follow the same security standards you do.

A Real-World Scenario: When a customer submits a claim, you send their hospital bills to a TPA. If that TPA stores those bills in an unsecured cloud folder and they get hacked, the regulator will come knocking on your door first. You must audit your partners. Ensure your contracts specify that they can only use the data for the specific claim and must delete it once the claim is settled or the contract ends.

4. Data Retention: When to Say Goodbye

Insurance companies love keeping data forever. “What if they come back in 10 years?” is the common excuse. However, DPDP says you must delete personal data as soon as the purpose for which it was collected is served, and there’s no legal requirement to keep it.

The Balancing Act: The IRDAI (the insurance regulator) has its own rules about how long you must keep records (often 5-10 years). DPDP respects other laws. So, if IRDAI says “keep it for 7 years,” you keep it. But the moment that 7th year ends and there is no pending litigation, that data needs to be scrubbed from your active servers.

  • Practical Tip: Don’t just “archive” data in a dusty folder. Use “Data Minimization.” If a person’s policy expired 5 years ago and you only need their name and policy number for legal records, delete their sensitive medical scans and blood test reports.

5. Handling Policyholder Rights

Under the DPDP Act, your customers are now more powerful. They have the right to:

  1. Access: Ask you “What data do you have on me?”
  2. Correction: “You have my blood group wrong, please fix it.”
  3. Erasure: “I am no longer your customer, please delete my data.”
  4. Grievance Redressal: A way to complain if they feel you are mishandling their info.

You need a clear process to handle these requests. If a policyholder asks for their data and you ignore them, they can take their complaint to the Data Protection Board of India.

Quick Actions to Start This Week

If you’re feeling overwhelmed, don’t worry. Most of your competitors are in the same boat. Start with these steps to get your house in order:

  1. Appoint a Privacy Lead: Even if you aren’t a “Significant Data Fiduciary” yet, designate one person to be the point of contact for all things DPDP.
  2. Map Your Data: Figure out exactly where your policyholder data is stored. Is it in Excel sheets? A CRM? On an agent’s personal WhatsApp? You can’t protect what you don’t know you have.
  3. Update Your Notice: Rewrite your privacy policy and consent forms. Remove the “legalese” and make it simple enough for a 12-year-old to understand.
  4. Review Partner Contracts: Send a formal letter to your TPAs and tech vendors asking about their DPDP compliance status and update your service agreements.
  5. Clean Your Databases: Identify old leads or expired policies that have passed the legal retention period and delete them. Less data = Less risk.
  6. Train Your Staff: Conduct a 30-minute session for your sales and claims teams. Explain that sharing customer data on unofficial Telegram groups or personal emails is now a major legal risk.

Insurance is a business of risk management. Complying with the DPDP Act is simply the ultimate form of risk management for your own company. For more deep dives into specific sectors, check out our industry compliance guide.
