DPDP and Insurance Sector: What lies ahead?
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s landmark legislation that reshapes how personal data is managed in India. As the country’s digital economy expands, the DPDP Act introduces stringent data protection measures that will have profound implications across various sectors, including the insurance industry. The insurance sector is inherently data-driven, relying heavily on the collection and processing of vast amounts of customer data. This includes detailed information on physical health, financial status, employment history, and more.
Insurers, who rely on data for operations, customer relations, and risk management, will need to navigate the new regulatory landscape carefully. Through this article, we attempt to highlight the existing regulations that govern privacy in the sector and the effect the DPDP Act will have on it.
Extant Legislations and Guidelines
Given the critical data requirements of the sector, existing regulations already direct insurance companies and related players to maintain certain internal standards for the protection and usage of data, among other things. For instance, IRDAI’s cybersecurity and privacy guidelines govern the security of the vast information assets handled by insurers and insurance intermediaries. The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 control the scope and manner of activities outsourced by insurers, obliging insurers to ensure that the outsourcing service provider’s security policies are robust enough to protect insured persons’ data and to retrieve all customer data from an outsourcing service provider when the contract with that provider terminates. Additionally, the IRDAI Guidelines on Insurance Repositories, 2015 (“Repositories Guidelines”) facilitate the maintenance of insurance policies in electronic form by repositories on behalf of insurers and require strict controls on access to insured data. The Repositories Guidelines also direct data minimisation and require consent from policyholders for their data to be stored and processed electronically.
In addition to the above, adherence to general laws such as the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, is required for the implementation of reasonable security practices while handling sensitive personal data. However, the presence of multiple overlapping regulations can complicate implementation, highlighting the need for a more focused approach to safeguarding individuals’ digital privacy.
Even after the DPDP Act takes effect, most of the above-mentioned regulations are likely to remain in force. While it remains to be seen whether these regulations will complement the DPDP Act or merely result in redundancy and excessive compliance burdens for industry participants, one might argue that each regulation serves a distinct purpose, different from the objectives of the DPDP Act and its associated rules. Inherently, the regulatory framework for the sector will be complex.
DPDP Act and Sector Impact
For the insurance sector, the DPDP Act mandates strict compliance with data processing, storage, and sharing norms. Insurers must now ensure that their data practices align with the principles of consent, transparency, and accountability, both to build trust and to meet regulatory requirements. Much will become clearer once the rules are notified, but for the time being it is important to understand some of the basic principles set forth by the DPDP Act that will entail substantial changes to current practices and systems.
Consent
Under the DPDP Act, consent is a cornerstone for processing personal data. Insurers must obtain explicit and informed consent from policyholders before collecting, using, or sharing their data. This involves clearly communicating the purpose, scope, and implications of data processing. However, the Act also recognizes certain legitimate uses where consent may not be necessary, such as processing data for fraud detection or regulatory compliance. In these cases, insurers are required to demonstrate that such processing is necessary and proportionate, ensuring that data is handled responsibly and securely while upholding the rights of individuals.
Insurance companies will have to update their forms to ensure that consent is obtained in a clear and explicit manner. Insurance forms should now include comprehensive consent clauses that clearly explain how personal data will be collected, processed, and used. These clauses must outline the specific purposes for data usage, such as underwriting, claims processing, or marketing, and provide policyholders with the option to consent to or decline each use. Additionally, the forms should offer a mechanism for policyholders to withdraw their consent at any time, ensuring that they retain control over their personal data.
When a policy is issued through a proposer and the insured is a different individual (e.g. a dependent spouse or parent), it is unclear whether the consent of the policyholder or of the insured will be required.
Data Fiduciaries and Data Processors
One of the core aspects of the DPDP Act is the distinction it makes between data fiduciaries and data processors, which is particularly relevant in the insurance sector. In this context, insurance companies often act as data fiduciaries, determining the purpose and means of processing policyholders’ and insured individuals’ data. The DPDP Act has also introduced a new category, the Significant Data Fiduciary, which the Central Government may notify where certain criteria are met. Significant Data Fiduciaries carry onerous obligations, such as appointing a data protection officer, undertaking periodic data protection impact assessments, and conducting periodic audits.
Data Fiduciaries are primarily responsible for ensuring that data protection laws are followed. On the other hand, third-party service providers, such as claims processing firms or IT service providers, typically function as data processors, handling data according to the insurance company’s instructions. This distinction is crucial for insurers to understand and manage their compliance obligations, ensuring that personal data is protected throughout all stages of processing.
In insurance transactions, personal data is handled by various entities such as third-party broking houses, third-party administrators, marketing partners, and repositories. Given the expansive definition of a data fiduciary, it remains uncertain whether both the insurer and the intermediary would be classified as data fiduciaries. Insurers may need to reassess their contracts and data-sharing arrangements with these parties to ensure compliance. To illustrate, modern car insurance policies often include telematics-based coverage, where devices installed in vehicles track driving data. The driving data collected through telematics devices (distance, speed, and driving behaviour) constitutes personal data. Typically, the original equipment manufacturers (“OEMs”) serve as data fiduciaries, while insurers act as processors. Both insurers and OEMs will need to collaborate more closely to ensure that personal data collected from telematics devices or other sources is processed in line with the law. This will likely lead to more detailed contracts and data processing agreements between insurers and OEMs, clearly outlining each party’s obligations under the DPDP Act.
Data Localization and Cross-Border Data Transfers
Data localisation and cross-border data transfers are critical considerations for the insurance sector under the DPDP Act. The Act may impose requirements for storing and processing certain categories of personal data within India, which affects how insurance companies manage customer information. Insurers must ensure that sensitive personal data, such as health records or financial details, is either stored locally or transferred across borders only in compliance with stringent regulations, which could include obtaining explicit consent from policyholders. Such restrictions on data transfers could affect insurers that operate globally or use offshore processing centres. Insurers may need to revise their data storage and transfer practices, potentially leading to increased costs and operational challenges.
Conclusion
The DPDP Act is set to reshape the landscape of data protection in India, and the insurance sector will not be exempt from its impact. Insurers must proactively adapt to these changes by revisiting their data handling practices, enhancing compliance frameworks, and ensuring that their partnerships align with the new regulatory expectations. As the DPDP framework evolves, so too will the operational and legal landscape for insurance providers, necessitating continuous vigilance and adaptation.
By Rashmi Deshpande and Navaneeta Kanjilal