DPDP Compliance for Insurance Companies
Insurance companies process health records, financial data, and family details for underwriting and claims. DPDP transforms how insurers can collect, analyze, and retain policyholder data.
Insurance and DPDP: Data at the Core of the Business
Insurance is fundamentally a data business. Risk assessment, underwriting, pricing, and claims processing all depend on extensive personal data — health records, income details, family composition, lifestyle habits, and property information. Companies like PolicyBazaar, Acko, and traditional insurers process deeply personal data for every policy issued.
Underwriting Data: The Consent Challenge
When you apply for life insurance, you share:
- Complete medical history and family health records
- Income and financial details
- Lifestyle information (smoking, drinking, exercise)
- Occupation and travel patterns
Under current practice, this data is collected under a broad consent at application time. DPDP requires that consent be specific to each processing purpose. Using health data submitted for life insurance to market health insurance products is a separate processing activity requiring separate consent.
Claim Investigation: Purpose Limitation
During claims investigation, insurers may access:
- Hospital records beyond the disclosed condition
- Social media profiles to verify claim validity
- Surveillance data (for fraud investigation)
- Family members’ information
DPDP’s purpose limitation principle means claim investigation data cannot be repurposed for underwriting future applicants, for building industry risk models, or for sharing with reinsurers beyond what is necessary for the claim itself.
Agent and Broker Data Access
Insurance distribution in India relies heavily on agents and brokers who access policyholder personal data. Under DPDP:
- Agents must be treated as data processors with formal agreements
- Agent access should be limited to data necessary for the specific policy
- Terminated agents must have all policyholder data access revoked immediately
- The insurer (as fiduciary) is liable for agent-level data breaches
Lapsed Policy Data
What happens to personal data when a policy lapses? Most insurers retain the full application data indefinitely for “fraud prevention” and “re-engagement marketing.” Under DPDP, data collected for an expired purpose (the policy) should be deleted unless there’s a specific, disclosed reason for retention.
Health Data: The Highest Sensitivity
Health data in insurance creates a feedback loop — your health information affects your premium, which affects your coverage, which affects your healthcare decisions. DPDP requires that health data be processed with the highest safeguards and that policyholders can access, correct, and challenge health data held by insurers.