DPDPA’S IMPACT ON INSURANCE DATA PROTECTION 

Article by Tsaaro

INTRODUCTION 

The insurance industry is fundamentally about managing risk, and the data of the insured is vital to that task. Insurance companies collect vast amounts of data from policyholders, including medical history, financial records, debt-related data and much more. Such data is critical to underwriting rules and supports the design of premium plans, the customization of offerings and similar functions. Over time the industry has undergone a massive shift towards tech-driven operational structures, which requires insurers to streamline their own operations in order to handle and protect customer data.

Building and maintaining trust between insurers and policyholders relies largely on transparency. Insurance firms must set clear expectations about what data is collected, how it is used and which security measures will be put in place. Such openness fosters trust and accountability, reassuring customers that their data is managed responsibly. To achieve this transparency, insurers must provide clear, concise privacy policies that are easily accessible to customers. Regular updates on data protection measures, information on security protocols and educational content about data privacy can further enhance policyholders' sense of security.

India has introduced the DPDPA to address the need for robust data protection regulation. The Act governs the processing of sensitive personal data and ensures that individuals have privacy rights over their own personal data. It focuses on the necessity of obtaining explicit consent from individuals prior to data collection and enforces strict penalties for data breaches. Insurance companies, which manage large volumes of personal and sensitive data, are required to adhere to these regulations. Failure to comply can result in substantial penalties and damage to the company's reputation, thereby diminishing policyholders' trust.

INDIAN REGULATORY LANDSCAPE 

The Insurance Regulatory and Development Authority of India (IRDAI) oversees the protection of policyholders and consumers in the insurance sector. It has established a regulatory framework to safeguard policyholders' data, which complements the IT Act, 2000 and the IT Rules, 2011. IRDAI's framework for data protection includes several key regulations that apply to all insurers, insurance intermediaries and policyholders. However, these regulations do not provide the uniform framework that technological advancements now make necessary. The introduction of the Digital Personal Data Protection Act marks a progressive step toward safeguarding consumer rights in a data-centric environment. Nonetheless, its enforcement will pose compliance challenges for the many insurers and intermediaries that can be categorized as Data Fiduciaries under the Act. Under Section 6 of the Act, consent given by the data principal must be "unambiguous, clear, specific, free and unconditional." Such consent must be for a specific purpose and limited to the amount of data necessary for that purpose. Under Section 9, questions arise about the collection of medical history data for health insurance and about the need for parental consent for a child's data.

The Act's impact on long-standing policies that come up for renewal is quite unclear. Furthermore, the DPDPA affects insurance intermediaries such as brokers, who routinely handle customer data, raising concerns about transparency in third-party handling of insurance data. The Act defines a "data fiduciary" under Section 2(j) as any person who determines the purpose and means of processing personal data, implying that both insurers and intermediaries are held responsible for customer data.

IRDAI recently introduced Managing General Agents (MGAs) into the insurance industry; these hold authority delegated by specific insurers. The DPDPA raises several questions about how compliance responsibility is divided among these entities. Leaving such intermediaries unregulated may lead to significant data breaches in the insurance sector.

Unlike the GDPR, the DPDPA does not distinguish between personal data and sensitive data. Although the SPDI Rules, 2011 safeguard sensitive data, they lack uniformity, and their enforcement can create confusion. Section 10 of the DPDP Act addresses the obligations of "Significant Data Fiduciaries", which raises the question of whether insurance companies fall within that category. The threat posed by data breaches is significant if the sector does not adapt to nuanced technological advancements. Personal and sensitive customer data should be encrypted and secured against such breaches. Section 8 of the DPDPA outlines the general obligations of a data fiduciary, specifying that it should prevent personal data breaches, and it defines the insurer's liability for data collected and processed by intermediaries.

THE WAY FORWARD 

Going forward, it will be interesting to see how IRDAI addresses these issues alongside the DPDPA. The underlying objectives of both the regulations and the Act must be to foster good data protocols and uphold customer confidence in the insurance sector. Although insurers will be affected by the DPDPA, the sector's current data protection regime broadly aligns with the Act. IRDAI's enforcement mechanisms must develop solutions that prevent regulatory overlap and close compliance loopholes. Customers must have the right to consent to data processing, to access their information and to understand who accesses their data. IRDAI should implement measures for data portability and allow customers to delete or reduce the data they share, in line with the DPDP Act. The regulator must also acknowledge the rise of Insurtech companies and leave room for innovation while maintaining data protection standards.

CONCLUSION 

The insurance sector's evolution towards technology-driven operations requires robust data protection measures to maintain policyholder trust. The DPDPA represents a significant shift in safeguarding consumer data by mandating explicit consent and imposing strict penalties for breaches. The industry must prioritise encryption and secure data handling while embracing technological advancements. By fostering transparency, granting customers control over their data and facilitating data portability, the insurance sector can uphold customer confidence and drive innovation.
