Cross-regulator · India Deep Dive
Regulator Overlap Matrix
Auditors use this matrix to avoid duplicating compliance programmes — and to spot the genuine conflicts (data retention vs erasure, 6-hour vs 72-hour clocks, localisation vs whitelist transfers) that need a documented position.
Last verified: 2026-06-17

| Compliance Dimension | DPDP Act 2023 | RBI (MD-ITGRC) | SEBI CSCRF | IRDAI 2023 Guidelines | Conflict? |
|---|---|---|---|---|---|
| Data Retention | Retain only as long as purpose exists; right to erasure | Retain financial records 5–8 years per statute; payment data 10 years | Retain investor records 5 years (SEBI regulations) | Retain policy and claims records as per Insurance Act | YES — right to erasure vs statutory retention |
| Breach Notification Timeline | 72 hours to DPB and data principals | 6 hours to RBI CSITE | 6 hours to SEBI Cybercell | 6 hours to IRDAI | YES — run parallel workflows; CERT-In 6-hr pace governs |
| Consent for Data Processing | Explicit consent required; purpose limitation; withdrawal anytime | Regulatory mandate is a lawful basis — no separate consent needed | Regulatory mandate is a lawful basis — no separate consent needed | IRDAI requires consent for health data specifically | PARTIAL — DPDP consent not needed where RBI/SEBI mandate exists |
| Third-Party / Vendor Risk | Data processor contracts required; processor bound by fiduciary instructions | TPRM due diligence mandatory; audit rights; annual vendor review | TPRM obligations in CSCRF; cloud vendor risk assessment | Outsourcing guidelines mandate security requirements and audit rights | NO — broadly aligned; DPDP adds contractual obligations |
| Cross-Border Data Transfer | Permitted only to countries notified by Central Government; whitelist model | Payment data must stay in India; strong localisation stance | No specific prohibition but cloud risk assessment applies | No specific prohibition; outsourcing guidelines apply | YES — RBI localisation stricter than DPDP's whitelist model |
| Grievance Redressal | Data principal can file complaint with DPB; DF must have grievance officer | RBI Banking Ombudsman for customers; no DPDP-specific mechanism | SCORES platform for investor complaints; no DPDP mechanism | Insurance Ombudsman; IRDAI IGMS portal | PARTIAL — separate grievance channels; DPDP channel is new and additional |