DPDP Act: Implications For The Insurance Sector | PwC India

The Digital Personal Data Protection (DPDP) Act, 2023, aims to safeguard the personal data of individuals in India by setting out a comprehensive framework for the digital collection, use and processing of personal data. The Act defines personal data as ‘any data about an individual who is identifiable by or in relation to such data’, such as name, address, phone number and email address.

The insurance sector has historically been a data-intensive one, as it collects and processes a significant amount of personal (customer and employee) data, including health information. Insurance companies have always been at the forefront of digital adoption, and since the pandemic, data analytics and artificial intelligence have been used to boost business growth by identifying patterns in customer behaviour, predicting risk and conducting marketing campaigns more effectively.

In addition, the insurance value chain includes multiple data fiduciaries and processors that handle personal data within policy-buying channels, such as third-party broking houses (both online and human brokers), contractual agents, third-party administrators (TPAs), marketing partners and insurance application users. Moreover, the expansion of online aggregators sourcing policies and handling customers on behalf of insurers has further diffused customer data across the value chain.

The DPDP Act will help create greater awareness around data privacy amongst employees and customers, leading to concerns about the use of their personal data.

The act establishes several principles that must be followed by data fiduciaries while collecting and processing such data. These include the lawful, fair and transparent use of data, purpose limitation of data and the data minimisation principle. This is set to bring about a significant shift in insurance business practices, ensuring that data fiduciaries go beyond complete transparency and take steps to protect personal data from unauthorised access, use or disclosure while preparing for newer and stronger data governance.

Below are some of the preliminary steps that data fiduciaries can take immediately:

Existing consent mechanisms will need to undergo significant changes:

  • Changes to the proposal forms (online and offline): Companies will need to incorporate specific consent for specific policies as per the data required for the product.
  • Changes to application ecosystem: Since consent from a policyholder can be provided in multiple languages, the related digital applications will have to undergo changes. The permissions that a user gives to use mobile applications will need to be altered to comply with the consent provisions as per the act.
  • Changes to data analytics: Consent will need to include all use cases built on data analytics engines for various purposes such as marketing, consumer behaviour and buying patterns. Sharing data with intermediaries and other agencies could otherwise pose compliance challenges.
  • Management of consent revocation: The act allows data principals to exercise rights such as consent withdrawal, access, correction, erasure and grievance redressal, which could pose a significant challenge for the insurance sector. For instance, if an individual X’s car insurance policy is up for renewal from insurance firm Y and the individual chooses not to renew it the subsequent year, Y may have to delete all of X’s personal data.

Considering these complexities, data fiduciaries will also have the option to completely outsource their consent management mechanism.

Insurance firms may have to invest in tools such as data discovery and data leakage prevention. Firms that have already invested in these tools may have to reconfigure existing technologies in line with the requirements of the act. Close integration between data discovery and data leakage prevention systems will be critical to safeguarding personal data. The entire salesforce, be it agents, applications or systems, will need to be assessed for personal data risk exposure and controlled with the help of these solutions. In addition, investments in data anonymisation, encryption and pseudonymisation will become more important.

Insurance firms share personal data with third parties that process personal data on their behalf as part of the business model. Since the act now puts complete responsibility and accountability – even for data handled by data processors – on the data fiduciary, below are some of the areas that should be looked into:

  • Additional requirements under the act mean data fiduciaries will need to review their agreements with third parties and ensure robust clauses around confidentiality, SLAs and penalties.
  • Governance mechanisms of third parties will need to include rigour on data protection. Periodic audits will be required to assure fiduciaries that the measures to safeguard personal data are adequate.

The Insurance Regulatory and Development Authority of India (IRDAI) and Insurance Self Network Platform (ISNP) have already laid emphasis on data privacy and protection. With the DPDP Act in force, a clear actionable compliance plan will need to be developed, upon assessing current practices. This plan will need to align with all the above-mentioned regulations. The plan needs to be specific and measurable, and it should include a timeline for implementation. The initiatives that emerge from the assessment should be tracked till closure and compliance should be monitored at least annually since the industry is very dynamic.

The DPDP Act is progressive and open in terms of adoption in an environment like India. While insurance companies have already dealt with challenges related to personally identifiable information, this act gives them a direction to strengthen their data protection practices and aims to reassure data principals about the security of their personal data. From a medium- to long-term perspective, below are some other aspects organisations in the sector would need to consider going forward:

  • Build an inventory of personal data and create data flow diagrams: Assess current data collection and processing practices to determine whether collection, processing, retention and deletion processes are aligned with the stipulations of the DPDP Act. For example, where an individual does not wish to renew their motor insurance policy, deletion from all systems is only possible if an accurate inventory exists.
  • Develop a renewed data protection policy: Ensure that the firm’s data protection policy, which outlines its approach to data protection and compliance, is in line with the DPDP Act’s provisions. The policy should cover areas such as data collection, processing, storage and sharing, as well as data retention and disposal.
  • Appoint a data protection officer (DPO): Those identified as significant data fiduciaries will have to appoint a DPO who will be responsible for ensuring compliance with the provisions set out in the act. The DPO should have the necessary expertise and authority to implement the data fiduciary's data protection policy and respond to data protection issues.
  • Training and awareness programmes: Include data privacy as part of ongoing training programmes and ensure that employees clearly understand the subject matter.
  • Incident response and grievance mechanisms: Modify existing incident response and grievance mechanisms to cater to the requirements of the act, specifically with regard to reporting of incidents to the data protection board.

The IRDAI Information and Cyber Security guidelines and ISNP guidelines directed organisations to build robust mechanisms around data security, integrity and privacy. Now, the DPDP Act, 2023, mandates the creation of a more secure and trustworthy environment for the collection and processing of personal data. Failure to comply with the act’s provisions may result in significant financial and reputational damage.

By taking the necessary steps to ensure compliance, insurance firms can maintain their customers’ trust and confidently develop newer and more cutting-edge products and services.
