Bibhu Krishna, Chief Information Security Officer, Policybazaar.com
For the insurance sector, the draft rules introduce challenges as well as opportunities to formulate a robust data privacy landscape
The draft Digital Personal Data Protection (DPDP) Rules, 2025, mark a significant milestone in India’s digital transformation journey.
Designed to operationalize the Digital Personal Data Protection Act, 2023 (DPDPA), these rules promise to reshape the data ecosystem for digital platforms, users, and various industries, including the insurance sector. The wide-ranging implications of these rules are set to influence how businesses operate and interact with customers, ensuring a more secure and transparent digital environment for consumers.
Broad implications for digital platforms and users
The DPDP rules are poised to redefine the approach to personal data by enforcing stringent requirements for data collection, processing, and management. At the core of these rules is the mandate for explicit, informed consent from users before processing their personal data.
The new rules will ensure that users or data principals have greater control over their data, aligning with global data protection practices like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the USA.
For digital platforms, this means overhauling existing data management practices to prioritize transparency around consent management as well as data processing. The emphasis on privacy notices detailing data categories and processing purposes will necessitate clearer communication strategies to ensure users or data principals are well-informed.
Impact on the Indian insurance industry
For the insurance sector, the draft rules introduce challenges as well as opportunities to formulate a robust data privacy landscape. Insurance companies, including insurance intermediaries, regularly handle vast amounts of sensitive information, ranging from personally identifiable information and financial details to health records. The draft emphasizes that data governance methodologies will require significant adjustments in data processing and storage practices.
An interesting example of such a strategy is to demonstrate and ensure due diligence around the algorithmic software used for processing data [Rule 12 (3)].
The draft focuses on principles of consent management and data minimization, which strongly align with the insurance industry’s shift towards customer-centric models of transparency while processing data. By adhering to these principles, organizations have the opportunity to establish trust with their customers, enhancing customer satisfaction and loyalty.
However, the industry must also navigate potential challenges, such as implementing robust and clear consent management systems and ensuring data portability and deletion upon user request (withdrawal of customer consent).
The challenges arise not only directly but also via the supply chain. Categorization and sub-categorization of data, along with the mechanism of data processing at the facilities of data processors and sub-processors, is an important aspect of establishing the governance of data across the data lifecycle, leading all the way to ensuring compliance with Section 8 (7) via Rule 13 (2), which states the right to erasure of data.
Interactions and collaborations
Insurance companies frequently collaborate with hospitals, clinics, and other healthcare providers to process claims and offer health-related services. The rules’ stipulations on cross-entity data sharing will necessitate the establishment of secure, consent-based data exchange mechanisms.
These entities must coordinate to ensure that data flows are compliant with the new regulations, safeguarding patient confidentiality while facilitating seamless service delivery.
Hospitals and insurers will need to invest in interoperable systems that can handle data requests and consent revocations efficiently.
Progressive steps for safeguarding people and businesses
The draft DPDP rules are a testament to the government’s commitment to safeguarding personal data while fostering a conducive environment for business innovation.
By mandating explicit consent and promoting transparency in data practices, the government is taking progressive steps to protect the rights of individuals and ensure ethical data handling practices.
Enhanced User Rights
The rules empower users with the right to access, correct, and delete their personal data, fostering a sense of control and ownership over their information.
Focus on Data Minimization
Businesses are encouraged to collect only the data necessary for their operations, reducing the risk of data breaches and enhancing data security.
Secure Data Transfers
The rules establish stringent guidelines for cross-border data transfers, ensuring that personal data remains protected even when shared internationally.
Protection for Children’s Data
Special provisions are included to safeguard the personal data of children, reflecting a commitment to protecting vulnerable sections of society.
Accountability and Compliance
The introduction of the Data Protection Board of India emphasizes accountability, ensuring that businesses adhere to the regulations and maintain high standards of data protection.
Conclusion
The draft DPDP rules represent a pivotal shift in India's data protection framework, with extensive implications for digital platforms, users, and industries like insurance. Compliance presents challenges but also offers an opportunity to enhance trust and transparency in digital transactions. The government’s progressive approach to data protection ensures a balance between safeguarding personal data and enabling business growth, paving the way for a robust digital ecosystem that benefits all stakeholders.