Archived analysis

This page is old. ICICI Lombard General Insurance was reviewed on 2026-05-14.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

InsurTech / BFSI

ICICI Lombard General Insurance

Ready Score 68/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 14 May 2026


ICICI Lombard has made significant strides in DPDP Act 2023 readiness compared to its peers, formally initiating a 'DPDP Compliance Roadmap' and updating its Information Security framework as of April 2026. However, its public-facing privacy policy remains legacy-heavy, particularly regarding consent architecture and the new 'Right to Nominate.' While its security posture is top-tier, the transition from 'regulatory compliance' (IRDAI) to 'data principal empowerment' (DPDP) is still a work in progress.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-14
  • Company: ICICI Lombard General Insurance
  • Readiness score: 68/100
  • Policies and product behavior may have changed since review
  • Not verified in this archive: whether the current source policy still matches this archived policy-only review
  • Not verified in this archive: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Consent is still bundled with website usage — 'By using this website... you authorize us' fails the 'freely given' standard under Section 6
  • No explicit mention of the Right to Nominate (Section 14) in the primary privacy policy
  • Erasure clause is tied to 'authenticity' and 'records' rather than specific 'purpose fulfillment' triggers as required by Section 9
  • Grievance redressal focuses on the Insurance Ombudsman/IRDAI without acknowledging the Data Protection Board (DPB) as the ultimate appellate authority
  • Cross-border data transfer clause is broad and lacks the 'notified countries' restriction defined in Section 16

✅ Strengths

  • Explicit recognition of DPDP Act 2023 in current governance documents (Version 3, April 15, 2026)
  • Robust Board-level oversight via Information Security and Risk Management Committees
  • High standard of technical safeguards including 24/7 SOC, DDoS protection, and ISO 27001:2022 alignment
  • Detailed disclosure of third-party sharing categories (TPA, surveyors, and group companies)

Overview

ICICI Lombard is one of India’s leading private general insurers. Handling millions of policies involving sensitive personal data (health records, financial details, and KYC), the company faces high scrutiny under the DPDP Act 2023. Their 2026 ESG and Cyber Security updates indicate a proactive shift toward compliance, though the user-facing interface still mirrors older IT Act 2000 paradigms.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

The policy currently relies on “deemed consent” or bundled acceptance. The phrase “By using this website… you hereby authorize us” is common throughout the document.

DPDP Requirement: Consent must be a “clear affirmative action” that is free, specific, informed, unconditional, and unambiguous.

Gap: Users cannot selectively consent to data processing for insurance underwriting while opting out of “customization” or “marketing” via the primary interface. The notice is not yet provided in multiple languages as suggested by Section 5.

Section 8 — Obligations of Data Fiduciary ✅

This is a major strength for ICICI Lombard. Their 2026 ESG Policy (Version 3) confirms:

  • Implementation of a Board-approved Information & Cyber Security Policy.
  • Regular independent audits based on ISO 27001:2022.
  • A 24/7 Security Operations Centre (SOC).

Strength: They meet and likely exceed the “reasonable security safeguards” requirement to prevent personal data breaches.

Section 9 — Data Retention 🔴

The policy states: “We store this information for our records and to verify authenticity.”

DPDP Requirement: Data must be erased once the purpose for collection is fulfilled, or upon withdrawal of consent, unless a legal obligation (like IRDAI’s record-keeping rules) mandates retention.

Gap: There is no mention of automated erasure or “right to be forgotten” workflows. While insurance laws require long retention for claims (often 10+ years), the DPDP Act requires the fiduciary to define this period clearly and purge data thereafter.

Section 11 — Rights of Data Principal ⚠️

The policy allows for data correction and access but lacks the full suite of DPDP rights:

  • Right to Nominate (Section 14): Missing. There is no mechanism for a user to nominate a person to manage their data rights in case of death or incapacity.
  • Right of Erasure: Only partially addressed; the policy emphasizes storage for “records” over the user’s right to request deletion of non-essential data.

Section 12 — Right of Grievance Redressal ⚠️

ICICI Lombard has a sophisticated 3-step grievance process involving a Grievance Redressal Officer (GRO) and an Appellate Officer.

Gap: The process directs users to the Insurance Ombudsman or IRDAI Bima Bharosa. Under DPDP, a Data Principal must have an explicit path to escalate data privacy grievances to the Data Protection Board of India (DPB). The current policy fails to mention the DPB.

Section 16 — Cross-Border Data Transfer ⚠️

The policy mentions sharing information with “other ICICI Bank Group Companies” and “statutory bodies.”

Gap: Section 16 of the DPDP Act allows the Central Government to restrict transfers to certain countries (“Negative List”). The policy currently uses a blanket authorization that may not hold up once the government notifies restricted jurisdictions.

Risk Assessment

Category               Risk Level   Compliance Gap
Consent Management     High         Lack of granular, itemized consent; “Take-it-or-leave-it” terms.
Data Principal Rights  Medium       No Right to Nominate or easy erasure mechanism.
Data Retention         Medium       Retention is indefinitely linked to “records” without clear expiry.
Security Safeguards    Low          Strong SOC, ISO 27001:2022, and regular auditing.
Regulatory Conflict    High         Tension between IRDAI’s retention mandates and DPDP’s erasure rights.

Recommendation

ICICI Lombard should transition from its current “Terms of Use” style privacy policy to a Layered Notice format. This should include a “Consent Manager” interface that allows users to toggle specific data uses and provides a clear mechanism for Section 14 Nomination. While the technical backend is compliant, the legal framework requires an update to recognize the Data Protection Board as the primary authority for privacy-related disputes.
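As an added illustration (not code from ICICI Lombard or from this review), a minimal Python model of the consent, nomination and retention behaviour the recommendation and the Section 9 gap describe: purposes are toggled individually rather than bundled, a Section 14 nominee is recorded, and erasure is triggered by purpose fulfilment or consent withdrawal unless a statutory hold applies. The purpose names, the 10-year hold value and the identifiers are constructed placeholders, not IRDAI figures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Purposes a general insurer processes personal data for. Underwriting and
# claims are necessary to provide the policy; marketing and customization
# must be separately toggleable (no "by using this website you authorize us").
MANDATORY = {"underwriting", "claims"}
OPTIONAL = {"marketing", "customization"}
# Statutory record-keeping that overrides erasure, in days after the purpose
# ends. Constructed placeholder value, not IRDAI's actual rule.
LEGAL_HOLD_DAYS = {"claims": 10 * 365}


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: dict                     # purpose -> currently consented (bool)
    ended_on: dict = field(default_factory=dict)  # purpose -> date fulfilled/withdrawn
    nominee: Optional[str] = None      # Section 14: exercises rights on death/incapacity


def grant(principal_id, optional_choices):
    """Section 6: mandatory purposes come with the service; optional ones default to off."""
    purposes = {p: True for p in MANDATORY}
    purposes.update({p: bool(optional_choices.get(p, False)) for p in OPTIONAL})
    return ConsentRecord(principal_id, purposes)


def withdraw(rec, purpose, today):
    """Withdrawal is as easy as granting consent and ends the purpose immediately."""
    rec.purposes[purpose] = False
    rec.ended_on.setdefault(purpose, today)


def fulfil(rec, purpose, today):
    """Mark the purpose as served (e.g. claim settled); this starts the erasure clock."""
    rec.ended_on.setdefault(purpose, today)


def nominate(rec, nominee):
    rec.nominee = nominee


def retention_status(rec, purpose, today):
    """Section 9: 'retain' while the purpose is live, 'hold' while a statutory
    retention period still runs, 'erase' once neither applies."""
    ended = rec.ended_on.get(purpose)
    if ended is None and rec.purposes.get(purpose):
        return "retain"
    if ended is None:                  # never consented: nothing should be kept
        return "erase"
    hold = LEGAL_HOLD_DAYS.get(purpose)
    if hold and today < ended + timedelta(days=hold):
        return "hold"
    return "erase"
```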
