DPDP compliance for BFSI, IRDAI and RBI overlap review at a Mumbai insurer compliance desk, Sirius Star

DPDP compliance for BFSI: what IRDAI and RBI expect


That is the actual job DPDP compliance for BFSI lands on, and the trade press never describes it that way. The Act looks like one regulation. In the BFSI seat it is the third overlapping circular in 18 months, all asking for similar controls written differently, and the auditor wants one operating model that closes all three. Approx 60 percent of the controls overlap. Approx 12 percent actively contradict. The rest sit in a grey band that becomes a working-paper finding if you guess wrong.


The 7:40pm BFSI compliance head problem

Ashwin, Head of IT and Compliance at a 380-person Mumbai general insurer in BKC, sent a message to his CFO at 7:40pm last Thursday. Board on Tuesday. Need to confirm spend. On his desk: an IRDAI Information & Cyber Security Guidelines circular, a printed DPDP readiness memo from the statutory auditor, and a half-finished RBI Master Direction excerpt his CISO had highlighted. Three regulators, three different breach reporting clocks, one budget meeting, no dinner. Man, this is going to be a long evening.

How to design one DPDP compliance for BFSI operating model that closes IRDAI ICSG, RBI Master Direction on IT Governance, and the DPDP Act in 14 months, even if your CFO has not approved the spend yet. The framework, the cost band, and the sequencing pattern, in that order.

What IRDAI, RBI and DPDP each actually require

Before you can build one model, you have to be honest about what each regulator is asking for. The summary that gets handed around at industry events flattens this into “they all want cyber security and data protection.” That is true at the marketing level. It is not true at the audit-finding level.

| Regulator | Anchor document | Who it applies to | Headline control | Reporting clock |
|---|---|---|---|---|
| IRDAI | Information & Cyber Security Guidelines, 2023 (ICSG) | Insurers, reinsurers, intermediaries | Annual cyber security audit by a CERT-In empanelled auditor | 6 hours from incident detection |
| RBI | Master Direction on IT Governance, Risk and Controls, 2023 | Banks, NBFCs, ARCs, payment aggregators, system providers | Board-approved IT strategy plus IT/IS audit | Within 6 hours (banks), 24 hours (NBFCs) |
| MeitY (Govt of India) | Digital Personal Data Protection Act, 2023 | Every Data Fiduciary handling Indian personal data | Consent, grievance, notice, breach notification, retention | 72 hours from awareness |

Three documents, three reporting clocks, three accountability surfaces. The fact that IRDAI says 6 hours and DPDP says 72 hours is not a typo; it is the structural problem that DPDP compliance for BFSI has to solve at the operating-model layer. You cannot have one breach team running two stopwatches.

The other thing the table hides is that IRDAI ICSG and the RBI Master Direction are sector-specific and prescriptive (they tell you which controls, often which tools, sometimes which frequencies). DPDP is principle-based; it tells you what outcomes are required and leaves the operating choices to you. That asymmetry catches BFSI compliance teams off guard because they are used to a tick-box regulator, not a principle-based one.

Where the three regulators overlap and where they fight

The overlap is large and useful. The contradiction is small but expensive. The honest map I draw for every BFSI compliance head we sit with is below.

| Control area | IRDAI ICSG | RBI MD on IT | DPDP Act | One operating-model answer |
|---|---|---|---|---|
| Named accountable officer | CISO mandatory | CISO + senior IT exec | Data Protection Officer (DPO) | One CISO who also wears the DPO hat for fiduciary purposes, written into the board mandate |
| Cyber/data audit | Annual CERT-In empanelled | IS audit annual | Significant Data Fiduciary DPIA + annual audit | A single annual audit programme with three working-paper appendices, one per regulator |
| Vendor/third-party governance | Cyber due-diligence + clauses | TPRM framework | DPA + sub-processor consent + breach pass-through | One master DPA template that satisfies the strictest of the three (DPDP), referenced from the IRDAI and RBI annexures |
| Breach reporting | 6 hours to IRDAI | 6 hours (banks) / 24 hours (NBFCs) to RBI | 72 hours to Data Protection Board | One breach desk that fires the IRDAI/RBI notice at hour 4 to 6, then the DPDP notice at hour 24 to 48 |
| Data retention | Sector-specific minimums (claims 5+ years) | Sector-specific (banks 8 years for some records) | “No longer than necessary” + sector exemptions | Retention matrix per data class; sector minimums override DPDP “necessary” |
| Personal data inventory | Implicit (sensitive data classification) | Implicit (data flow mapping) | Explicit (Data Map + RoPA-equivalent) | One inventory used by all three |
| Consent and notice | Limited (sector-specific) | Limited (KYC, customer education) | Explicit notice + revocable consent | DPDP layer wraps the IRDAI/RBI notice templates |

Where they overlap, you build once and reference three times. Where they fight, you defer to the stricter regulator on outcome and add a translation step in your operating playbook. The IRDAI 6-hour notice does not let you skip DPDP at hour 72; it just means hour 72 is the second filing, not the first.

The 6-hour vs 72-hour breach problem nobody is ready for

This is the single point where most BFSI compliance teams get the operating model wrong. They build a 72-hour DPDP breach playbook (because that is the timeline the trade press talks about) and then realise that the IRDAI ICSG 6-hour clock has already expired by the time the DPO sits down at the table.

Walk through it once. A claims agent’s laptop is reported missing on a Friday at 5pm. The first device-loss incident that occurred at Ashwin’s firm last quarter played out almost exactly like this. The MDM flags it as out-of-policy. By 5:30pm the IT team has confirmed there is policyholder data on the device, including approx 4,200 KYC records. The IRDAI ICSG clock started ticking at 5pm; you have until 11pm to file an incident notice. The DPDP clock started ticking when you became aware, which is the same 5pm; you have 72 hours, until Monday at 5pm.

If your operating model treats this as one investigation, you spend the first 6 hours doing forensic work, miss the IRDAI window, and explain it to your sector auditor later. If your operating model treats this as two filings, you file the IRDAI ICSG notice at hour 4 to 5 with the facts you have (device missing, approx 4,200 records, MDM remote-wipe initiated, no confirmed exfiltration), then keep investigating, then file the DPDP notice at hour 24 to 48 with the deeper analysis the Act expects (root cause, scope of affected data principals, mitigation steps, communication plan).

One breach, two notices, one operating model. That is the BFSI-specific delta DPDP compliance has to solve. Most BFSI compliance heads I have sat with have not run a tabletop drill that surfaces this; the first time they discover the dual-clock problem is during the actual incident.
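The dual-clock filing sequence above, as an added worked example (not code from the original page or from Sirius Star's own playbook tooling): a small Python scheduler that takes the detection time and the entity type, emits the three filings with the playbook's target windows and the regulators' hard deadlines exactly as the page states them, and flags the single-investigation failure mode where forensics runs past the sector clock. The entity-type labels, function names, the notice contents lists and the use of the DPDP clock expiry as the customer-notification cut-off are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reporting clocks as stated in the page's table, in hours from the event
# that starts each clock. The entity-type labels are assumptions for this example.
SECTOR_CLOCKS = {
    "insurer": ("IRDAI", 6),   # IRDAI ICSG: 6 hours from incident detection
    "bank": ("RBI", 6),        # RBI Master Direction: 6 hours for banks
    "nbfc": ("RBI", 24),       # RBI Master Direction: 24 hours for NBFCs
}
DPDP_HOURS = 72                # DPDP Act: 72 hours from becoming aware


@dataclass(frozen=True)
class Filing:
    name: str
    window_open: datetime    # earliest point the playbook targets this filing
    window_close: datetime   # latest point the playbook targets this filing
    hard_deadline: datetime  # the regulator's clock expiry
    contents: tuple          # what the notice has to carry at that point


def breach_filing_schedule(detected_at, entity_type, aware_at=None):
    """Three filings for one incident, ordered by hard deadline.

    aware_at is when the firm became aware (starts the DPDP clock); it defaults
    to the detection time, as in the page's laptop-loss walk-through.
    """
    if entity_type not in SECTOR_CLOCKS:
        raise ValueError(f"unknown entity type: {entity_type!r}")
    aware_at = aware_at or detected_at
    regulator, sector_hours = SECTOR_CLOCKS[entity_type]

    def h(n):
        return timedelta(hours=n)

    sector_deadline = detected_at + h(sector_hours)
    dpdp_deadline = aware_at + h(DPDP_HOURS)

    filings = [
        # Sector regulator first, at hour 4 to 6, with the facts in hand.
        Filing(f"{regulator} incident notice",
               detected_at + h(4), min(detected_at + h(6), sector_deadline),
               sector_deadline,
               ("asset affected", "estimated record count",
                "containment action taken", "exfiltration status")),
        # Data Protection Board second, at hour 24 to 48, with the deeper analysis.
        Filing("DPDP Board breach notice",
               aware_at + h(24), aware_at + h(48), dpdp_deadline,
               ("root cause", "scope of affected data principals",
                "mitigation steps", "communication plan")),
        # Customer notification at hour 48 to 72. The page gives this as a
        # playbook window, so the DPDP clock expiry is assumed as its cut-off.
        Filing("Data principal (customer) notification",
               aware_at + h(48), dpdp_deadline, dpdp_deadline,
               ("what happened", "what data", "what the firm did",
                "what the customer should do")),
    ]
    return sorted(filings, key=lambda f: f.hard_deadline)


def filing_status(filing, now):
    """Where one filing stands at a given wall-clock time."""
    if now > filing.hard_deadline:
        return "overdue"
    if now >= filing.window_close:
        return "past target window, file immediately"
    if now >= filing.window_open:
        return "in target window, file now"
    return "not yet due"


def single_investigation_misses_sector_clock(forensics_hours, entity_type):
    """True if a playbook that withholds every filing until forensics
    completes would already have blown the sector regulator's clock."""
    return forensics_hours > SECTOR_CLOCKS[entity_type][1]


if __name__ == "__main__":
    # Constructed scenario matching the page: Friday 5pm laptop loss at an insurer.
    detected = datetime(2026, 3, 6, 17, 0)
    for f in breach_filing_schedule(detected, "insurer"):
        print(f"{f.name:40} file {f.window_open:%a %H:%M} to "
              f"{f.window_close:%a %H:%M}, deadline {f.hard_deadline:%a %d %b %H:%M}")
    print("6.5h of forensics before any filing misses IRDAI:",
          single_investigation_misses_sector_clock(6.5, "insurer"))
```

Run as a script it prints the Friday 5pm schedule (IRDAI notice window 9pm to 11pm Friday, Board notice Saturday 5pm to Sunday 5pm, customer notification Sunday 5pm to Monday 5pm). Wiring `filing_status` to the breach desk's clock is what turns the table on this page into a check the SOC can run during the incident rather than after it.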

The DPDP compliance for BFSI cost band

Honest rupee math for a 200-1,000 person BFSI firm, India 2026. Numbers are based on the 11 BFSI compliance engagements Sirius Star has supported in the last 14 months. Smaller firms (under 200) sit at the low end; larger firms (over 1,000) with multi-state operations sit at the high end or above.

| Spend bucket | Year 1 outlay | Recurring annual | What it covers |
|---|---|---|---|
| DPO/CISO function (combined role, internal or fractional) | Approx Rs.24 to 60 lakh | Approx Rs.18 to 45 lakh | Named officer, board mandate, reporting line to Audit Committee |
| Personal data inventory + RoPA + data flow mapping | Approx Rs.12 to 22 lakh | Approx Rs.4 to 8 lakh refresh | One-time discovery; quarterly refresh |
| Consent management + grievance channel | Approx Rs.14 to 28 lakh | Approx Rs.6 to 10 lakh | Notice templates, consent ledger, grievance workflow, SLA tooling |
| Endpoint and email DLP rewrite (DPDP-aligned) | Approx Rs.28 to 65 lakh | Approx Rs.14 to 28 lakh | Tooling, policy rewrite, agent rollout across 200 to 1,000 endpoints |
| Vendor DPA programme (approx 40 to 60 processors) | Approx Rs.8 to 16 lakh | Approx Rs.4 to 7 lakh | Master DPA, vendor onboarding, sub-processor consent flow |
| Breach detection + 6/24/72-hour playbook | Approx Rs.18 to 42 lakh | Approx Rs.12 to 24 lakh | SOC tuning, tabletop drills, three-regulator filing templates |
| Audit, DPIA, Significant Data Fiduciary assessment | Approx Rs.10 to 20 lakh | Approx Rs.8 to 14 lakh | External audit, DPIA, ongoing testing |
| **Total Year 1 outlay** | **Approx Rs.1.14 to 2.53 crore** | **Approx Rs.66 lakh to 1.36 crore** | Excludes any IRDAI/RBI penalty exposure |

Two numbers worth holding in your head for the Audit Committee meeting. The Year 1 outlay band of approx Rs.1.14 to 2.53 crore is what a 200-1,000 person BFSI firm spends to land an operating model that closes IRDAI ICSG, RBI MD and DPDP in one programme. The penalty exposure for getting it wrong is the DPDP Rs.250 crore per-violation cap, the IRDAI Rs.1 crore per direction violation, and the RBI Rs.5 lakh per day for continuing breach. The compliance spend is approx 0.5 percent of the worst-case enforcement exposure.

Seven controls one operating model has to cover

The shortcut compliance teams reach for on DPDP compliance for BFSI is to buy a “DPDP tool” and consider the box ticked. That misses what the regulators are actually asking, which is a small number of operational controls that have to run together. If you can answer “yes, and here is the evidence” to all seven below, you are operationally compliant on all three regimes.

  • It names one accountable officer (CISO/DPO with board mandate) so you can hand any of the three regulators one person who owns the answer, which means your Audit Committee stops asking “who is the accountable person” every quarter.
  • It maintains one personal data inventory plus RoPA so you can answer “what data, where, who has access, how long” in 48 hours for any regulator, which means you stop scrambling for spreadsheets the week the auditor walks in.
  • It runs one consent and grievance channel with a defined SLA so you can show data-principal requests are handled in 30 days under DPDP and reconciled with IRDAI grievance redressal timelines, which means you stop having two parallel customer-complaint queues that contradict each other.
  • It produces one breach playbook with three filings (IRDAI/RBI at hour 4 to 6, DPDP at hour 24 to 48, customer notification at hour 48 to 72) so you can prove a tabletop-tested response under audit, which means your auditor cannot raise “untested incident response” as a working-paper finding.
  • It enforces one master DPA across vendors and sub-processors so you can map approx 40 to 60 third-party relationships to one set of clauses that satisfy the strictest regulator, which means you stop negotiating clauses one vendor at a time and one regulator at a time.
  • It maintains one data retention matrix that respects sector minimums (claims 5+ years, banking records 8 years, KYC 10 years) over DPDP “necessary” so you can defend your retention to all three regulators with the same document, which means you stop having an IT team that deletes data the legal team needs.
  • It produces one annual audit report with three appendices (IRDAI ICSG, RBI MD, DPDP) so you can hand your statutory auditor and each regulator the same evidence base, which means the audit fee stops doubling because no two auditors are testing the same controls.

Seven controls, one operating model, three appendices. That is the DPDP compliance for BFSI architecture. Everything else is implementation detail.

A 14-month sequencing plan that survives an Audit Committee

The sequence matters as much as the controls. If you do them in the wrong order, you spend money twice and your auditor still flags the gap. This is the order I recommend after running this with 11 BFSI compliance heads.

  • Months 1-3 (foundation): Name the accountable officer (CISO or external DPO). Get the board mandate. Stand up the data inventory project. Inventory your vendor portfolio. Start the gap analysis against IRDAI ICSG and DPDP simultaneously.
  • Months 4-6 (build): Roll out consent and grievance. Roll out the master DPA programme; renegotiate the top 15 vendor contracts first. Deploy DLP rewrite on endpoint and email. Build the retention matrix.
  • Months 7-9 (test): Run two tabletop breach drills covering the dual-clock problem. File a mock IRDAI ICSG notice. File a mock DPDP notice. Reconcile the playbook. Test the grievance channel with synthetic data-principal requests.
  • Months 10-12 (audit): Commission the annual cyber audit (CERT-In empanelled for IRDAI). Run the DPIA if you are likely to be designated a Significant Data Fiduciary. Reconcile the three audit reports into one Audit Committee paper.
  • Months 13-14 (board, sustain): Present the board paper. Close any audit findings. Lock the operating model into the IT operating budget. Set the quarterly rhythm.

Two things kill this sequence. One: the CFO approves only Year 1 spend and refuses to commit to Year 2; the operating model unravels in Month 9 because nobody owns the sustain phase. Two: the CISO and Compliance Lead split the work and the DPDP grievance channel never integrates with the IRDAI grievance redressal channel; both auditors flag the inconsistency. Both failures are operational, not technical. Avoid them by writing the 14-month plan into the board mandate, not the IT budget.

What most BFSI compliance heads get wrong

I have to say this honestly because the audit findings keep telling the same story. Most BFSI compliance heads I sit with treat DPDP compliance for BFSI as a tooling problem. They buy a DLP product, label a folder “personal data”, train approx 200 employees, and call the programme done. That is not what any of the three regulators are asking.

DPDP, IRDAI ICSG and RBI MD are all asking for operating model evidence: who owns the answer, how is the answer produced, what is the audit trail, and how fast can you produce it under stress. None of that is solved by a product purchase. The product purchase is the smallest line on the spend table; the largest lines are people, process, governance, and audit.

That is the polarising point. The “buy a DPDP tool” instinct is what BFSI vendors are selling because that is what they have to sell. The IRDAI auditor knows it. The DPDP enforcement framework (when it lands, expected by H2 2026) will know it. The Big-4 statutory auditor already knows it. The buyer is the only one who does not. If you spend Rs.40 lakh on a tool and Rs.6 lakh on the operating model, you have a compliance problem dressed up as a procurement win. Okay, that is harsh, but it is also the working-paper finding I have read approx 14 times in the last year.

The fix is not more tooling. The fix is a board-mandated CISO/DPO who owns one operating model that runs across all three regulators, with a documented breach playbook, a tested grievance channel, and an annual audit programme that satisfies the strictest of them. That is what real DPDP compliance for BFSI looks like at the audit-finding layer.

Priya’s take

The BFSI firms that get DPDP compliance right are the ones whose CISO and Compliance Lead already share a calendar before the regulator forces them to. Ashwin’s firm landed a clean IRDAI ICSG audit and a defensible DPDP readiness paper in 12 months because the CFO approved Year 1 plus a 24-month sustain commitment in the same board paper. Most insurers I work with split that into two papers and one of them never gets signed. The second paper is the one that decides whether you have a programme or a project. Boss, get both papers signed in the same meeting or you will be having this conversation again in 14 months.

FAQ

Does DPDP apply to insurers and banks separately from IRDAI and RBI?

Yes. DPDP applies to every Data Fiduciary processing personal data of Indian data principals, regardless of sector. IRDAI ICSG and RBI Master Directions are sector-specific cyber and IT governance regimes that overlap with DPDP on approx 60 percent of controls. You comply with all three; you do not pick one. The trick is to build one operating model that produces evidence for all three.

Can I have one person serve as CISO and DPO?

Yes, and most 200-1,000 person BFSI firms in India do exactly this. The DPDP Act does not prohibit dual-hatting the CISO and DPO roles. IRDAI ICSG and RBI MD already require a CISO; DPDP adds a DPO obligation that the CISO can absorb if the board mandate is written that way. The boundary to watch is independence; if your CISO reports to IT and your DPO reports to Compliance, you have a structural mismatch the auditor will flag.

What is the breach reporting timeline I should plan for?

Plan for two filings on the same incident. IRDAI ICSG requires a 6-hour notice from detection (insurers); RBI Master Direction requires 6 hours for banks and 24 hours for NBFCs; DPDP requires notice to the Data Protection Board within 72 hours of becoming aware. Build a playbook that files the sector regulator first (hour 4 to 6) and the Data Protection Board second (hour 24 to 48). Tabletop the playbook twice a year.

What is the rupee penalty exposure if I get this wrong?

DPDP caps penalties at Rs.250 crore per violation (with multiple classes of violation possible per incident). IRDAI can impose up to Rs.1 crore per direction violation, plus Rs.5 lakh per day for continuing default. RBI Master Direction penalties run up to Rs.5 lakh per day for continuing breach plus restrictions on business expansion. A single mishandled breach can trigger penalties under all three regimes simultaneously.

Do I need a separate Data Protection Impact Assessment (DPIA)?

If you are likely to be designated a Significant Data Fiduciary (large data volume, sensitive data class, sectoral risk), yes, the DPDP Act requires a DPIA. Most large insurers and banks will meet the Significant Data Fiduciary threshold once the enforcement framework rules drop. Smaller NBFCs and intermediaries may not. Run the DPIA in Month 10 of the 14-month plan; do not wait for the enforcement framework to land.

Heads-up before you brief the Audit Committee

By the way, did you know we keep a one-page BFSI compliance overlap map that shows exactly which IRDAI ICSG, RBI MD and DPDP controls overlap, which ones contradict, and the operating-model answer for each? It is the document Ashwin’s CFO read in 90 seconds before signing the Year 1 spend. Reply BFSI on WhatsApp and we will send it across before your next Audit Committee meeting.


Free BFSI compliance readiness assessment

Approx 11 Indian BFSI firms have done this DPDP compliance for BFSI assessment with our compliance team in the last 14 months. Response within 4 hours. If we do not find at least one IRDAI ICSG or DPDP control your current programme is missing, the assessment is free and you keep the overlap map.


For the underlying detail see our Secure Data Guard data protection practice, the DPDP Act penalties breakdown for mid-size companies, and the Device Lifecycle Management practice page for the device-fleet controls that anchor the DLP rollout.



P.S. The BFSI overlap map we use on every DPDP compliance for BFSI assessment is a one-page PDF. Reply BFSI on WhatsApp and we will send it across. It includes the seven-control architecture, the 6/24/72-hour breach filing sequence, and the 14-month sequencing pattern that 11 Indian BFSI firms have used to close IRDAI ICSG and DPDP in one programme.

External authority: PRS India’s DPDP Act 2023 explainer and the IRDAI Information & Cyber Security Guidelines circular anchor the regulatory citations in this guide.


About the author

Priya Sharma is Compliance Lead at Sirius Star Enterprise Technologies, where she runs DPDP readiness and Secure Data Guard programmes for BFSI, pharma, manufacturing and ITES clients across India. She has supported 11 BFSI compliance engagements in the last 14 months covering IRDAI ICSG, RBI Master Direction, and DPDP Act, and works out of Vashi, Navi Mumbai.

Profile: /author/priya-sharma/
