Can an insurer refuse a DPDP erasure request for claims records?

Yes. Where data is held under a statutory obligation such as IRDAI's claims record retention mandate, the DPDP Act's erasure right does not override the statutory obligation. ConsentOS documents this exception in a denial register and generates DPBI-ready justification automatically.

Does health data require different consent treatment under the DPDP Act?

The DPDP Act does not create a separate category for health data, but health data is inherently sensitive. Consent for underwriting, claims processing, and medical referral must be purpose-specific and separately captured. Bundled consent covering all insurance processing purposes does not meet the standard.

How does cross-border reinsurance interact with DPDP?

Reinsurance data transfers to foreign reinsurers are cross-border personal data transfers under the DPDP Act. Until the government publishes restricted jurisdictions, transfers are permitted but must be documented. Transfer safeguards (contractual clauses or equivalent) are required for each reinsurer relationship.

Are TPAs considered data processors under the DPDP Act?

Yes. Third Party Administrators processing claims data on behalf of an insurer are data processors under the DPDP Act. The insurer, as data fiduciary, bears responsibility for ensuring TPA compliance and must maintain data processing agreements that define processing scope, security requirements, and breach notification obligations.

Insurance

DPDP Readiness Infrastructure for IRDAI-Regulated Insurers

When an IRDAI examination reviews your DPDP posture, your answer must be a documented compliance position, not an in-progress consultant engagement. Insurance companies collect health data for underwriting, process claims records under IRDAI retention mandates, and share data with foreign reinsurers. The DPDP Act imposes consent and erasure obligations on all of it. ConsentOS implements a Legal Obligation Override that satisfies IRDAI's 7-year claims retention mandate and DPDP erasure rights simultaneously, giving your Board and your examiner a printable readiness report.

Critical Risk: IRDAI/DPDP/Health Data Enforcement Risk

57+

IRDAI-regulated insurance companies in India

$130B+

India insurance market size (2025)

250 Cr

Maximum DPDP penalty per incident

IRDAI Examination Readiness

IRDAI examinations are beginning to review DPDP preparedness posture alongside standard compliance assessments. The answer "we are working on it" is not an acceptable position for a Board reporting cycle. IRDAI cybersecurity guidelines (April 6, 2026) require insurance CISOs to report breaches to DPBI and IRDAI simultaneously within 72 hours. RBI circular RBI/DPSS/2026-27/396 (April 22, 2026) further established a dual-audit standard for statutory retention vs. DPDP erasure conflicts, applicable to entities with cross-regulator exposure. ConsentOS gives your Board a printable readiness report and your IRDAI examiner a documented, verifiable compliance position.

Obligations

Your DPDP Obligations as a Insurance Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to insurance operations.

IRDAI / DPDP Retention Conflict

IRDAI regulations mandate retention of claims records and policyholder data for 7 years. The DPDP Act requires erasure when the stated purpose is fulfilled. Legal Obligation Override documents the statutory exception and generates denial evidence.

Health Data for Underwriting

Health data collected for premium calculation and underwriting is among the most sensitive processed under the DPDP Act. Each processing purpose — underwriting, claims assessment, medical referral — requires separate, purpose-specific consent.

Policyholder Rights vs IRDAI Mandates

DPDP erasure and access rights apply to all policyholder data. Data held under IRDAI statutory mandate is exempted from erasure, but the exemption must be documented and communicated to the data principal on request.

Cross-border Reinsurance Transfers

Reinsurance arrangements involve transferring policyholder and claims data to foreign reinsurers. DPDP cross-border transfer provisions apply. Each reinsurer relationship requires a documented transfer safeguard.

TPA and Surveyor Processor Chains

Third Party Administrators (TPAs), surveyors, and loss assessors all process policyholder personal data. Each is a data processor under the DPDP Act. You must govern their compliance and maintain data processing agreements.

Purpose Limitation for Claims Data

Health and financial data collected for claims processing cannot be repurposed for product development, marketing analytics, or risk pool modelling without fresh, purpose-specific consent under Section 5.

Breach Notification

Section 8 mandates notification to the Data Protection Board and every affected policyholder. Insurance data breaches — particularly health data — carry severe reputational damage and regulatory consequences beyond DPDP penalties.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Build your IRDAI examination readiness position

Map all personal data processing across underwriting, claims, reinsurance, and TPA systems. Document your DPDP posture before your next IRDAI examination cycle.

Q3 2026

Implement Legal Obligation Override

Deploy the Compliance Vault: classify IRDAI-retained data, isolate from DPDP erasure flow, configure denial register.

Nov 2026

Consent Manager registration

Q1 2027

Data principal rights workflows

Implement access, correction, and erasure workflows with IRDAI statutory exemption handling.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Dual IRDAI/DPDP non-compliance exposes insurers to enforcement from both regulators.

Penalty Exposure for Insurance Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Health data breach (failure to implement safeguards) Up to ₹250 Cr

Failure to notify breach to Board and policyholders Up to ₹200 Cr

Non-compliance with consent and rights obligations Up to ₹50 Cr

Calculate your specific exposure

Recommended Plan

Compliance Vault for Insurance

Insurance companies operating under IRDAI mandates while handling health data require the Legal Obligation Override, retention schedule dashboard, and denial register that only the Compliance Vault tier provides.

Implementation

₹5,00,000 one-time

₹75,000 /month

Legal Obligation Override (RBI / PMLA)
Retention schedule dashboard — per data category
Denial register for statutory erasure exceptions
DPBI-ready audit evidence packs
72-hour breach notification pipeline
Dedicated compliance support manager

Start with a free assessment Compare all plans

Learn how the Compliance Vault resolves the IRDAI/DPDP conflict →

Not ready to subscribe? Start with a one-time Readiness Assessment →

Resources

Essential Reading for Insurance

Deep dives into the DPDP provisions most relevant to your sector.

Regulatory Updates

What Is the DPDP Act 2023? Guide for Indian Business Compliance

The Digital Personal Data Protection Act 2023 decoded. What it requires, who it applies to, and what happens if you ignore it.

6 min read min read

Industry Guides

NBFC DPDP Compliance: RBI KYC Retention and PMLA Overrides in India

How the DPDP Act 2023 interacts with RBI's KYC retention mandates, PMLA transaction record obligations, CIBIL consent requirements, and FIU-IND reporting for Non-Banking Financial Companies.

11 min read min read

Regulatory Updates

DPDP Penalties: ₹250 Crore Risk and Enforcement Tiers in India

A breakdown of every penalty provision in the DPDP Act 2023. Understand the financial exposure, the enforcement mechanism, and what triggers each penalty tier.

7 min read min read

When the IRDAI Examiner Asks, Have the Answer Ready

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.

Get Your Free Assessment Talk to a compliance specialist