
India InsurTech Thought Leadership

Digital Personal Data Protection Act, 2025 – Impact on the Insurance and Insurtech Sectors in India

Overview of the Digital Personal Data Protection Act, 2025 (DPDPA)


The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive statute on personal data protection: it received assent in August 2023, and the draft Digital Personal Data Protection Rules published for consultation in January 2025 set out how its provisions are to operate in practice. This article refers to the Act read with the 2025 draft Rules as "DPDPA 2025". The framework regulates the collection, storage, processing and transfer of digital personal data and rests on three pillars: the rights of data principals (the Act's term for the individuals the data is about), the obligations of data fiduciaries (the entities that decide the purpose and means of processing, which is what an insurer is), and oversight by the Data Protection Board of India.


Key features of the DPDPA 2025 include:

  • Data Principal Rights: a right to obtain a summary of the personal data held and of the processing carried out on it, rights to correction, completion, updating and erasure, a right of grievance redressal with the fiduciary and then the Board, and a right to withdraw consent with the same ease with which it was given.

  • Data Fiduciary Obligations: specific duties on the entity that determines the purpose and means of processing, including reasonable security safeguards, accuracy and completeness of data used to make decisions about a person, erasure once the purpose is served or consent is withdrawn, and intimation of breaches to the Board and to affected data principals. The draft Rules add operational detail such as the contents of the consent notice and the security measures expected.

  • Cross-Border Data Transfers: the Act permits transfer of personal data outside India except to countries the Central Government restricts by notification, and it leaves room for sectoral regulators such as IRDAI to impose stricter localization requirements.

  • Penalty Provisions: monetary penalties imposed by the Board after inquiry, scaled by the nature of the breach, including up to ₹250 crore for failing to take reasonable security safeguards and up to ₹200 crore for failing to notify a personal data breach.


Impact on the Insurance and Insurtech Sectors


The DPDPA 2025 will have significant implications for the insurance and insurtech sectors, especially given their reliance on sensitive customer data for underwriting, claims, fraud detection, and customer engagement. The key impacts include:


  1. Consent Management:

    • The DPDPA 2025 requires that consent be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the purposes stated in the notice; withdrawal must be as easy as giving consent, and the Act also provides for Consent Managers registered with the Board through whom a data principal can give, review and withdraw consent. For insurers and insurtech firms this means consent management platforms (CMPs) that record, per customer and per purpose, which notice was shown, when consent was given and when it was withdrawn, and that stop downstream processing once it is withdrawn. Where a purpose involves automated underwriting or pricing, the notice should say so plainly so that the consent is genuinely informed.

  2. Automated Decision-Making and Profiling:

    • The DPDPA 2025 does not create a standalone right to an explanation of automated decisions, but the right to access a summary of the personal data held and the processing carried out on it, together with the duty to keep data used for decisions accurate and complete, applies in full to automated risk assessment, pricing and claims processing. Insurance firms should therefore be able to state which personal data a model used and for what purpose, offer correction where an input was wrong, and provide a manual review path for policyholders affected by an automated decision.

  3. Data Minimization and Purpose Limitation:

    • Purpose limitation means personal data may be processed only for the purposes stated in the notice to which the customer consented, and data minimization means collecting no more than those purposes require, such as policy issuance or claims settlement. Using the same data for non-essential functions, such as targeted advertising or cross-selling, needs its own purpose in the notice and its own consent; it cannot ride on the consent given for underwriting.

  4. Data Security and Data Storage:

    • The Act requires data fiduciaries to take reasonable security safeguards to prevent personal data breaches, and the draft Rules describe what that looks like: encryption, masking or tokenization of data, access controls, logs and monitoring sufficient to detect unauthorized access (the draft Rules call for retaining logs for one year), and backups. Insurers must align these with the IRDAI Information and Cyber Security Guidelines, 2023 (referred to here as the IRDAI Cybersecurity Guidelines), so that one control framework satisfies both the privacy regulator and the sectoral regulator.

    • Data localization for insurers does not come from the DPDPA 2025, which permits transfers except to countries the Central Government restricts, but from IRDAI: the IRDAI (Maintenance of Insurance Records) Regulations, 2015 require policy and claim records to be held in data centres located in India. Multinational insurers and insurtechs using foreign cloud regions must therefore map which datasets fall under the IRDAI requirement and keep those in Indian regions, while applying the DPDPA transfer rules to the rest.

  5. Right to Access, Correction, and Erasure:

    • Data principals have rights to access, correct, update and erase their personal data, and withdrawal of consent itself obliges the fiduciary to erase the data unless retention is required by law. Insurtech platforms and insurers need clear workflows for these requests: identity verification of the requester, a search across every system that holds the customer's data (including processors), and deletion or irreversible anonymization with a record of what was done, subject to the retention periods that IRDAI and other laws impose on insurance records.

  6. Enhanced Penalties for Non-Compliance:

    • Non-compliance can result in substantial penalties imposed by the Board after inquiry, especially where a firm misuses data or fails to implement reasonable security safeguards. This raises the operational risk of every step of the data processing lifecycle, and the separate penalty for failing to notify a breach makes the incident response plan a compliance control as much as a security one.
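The consent and purpose-limitation points above (items 1 and 3) are easiest to see as a gate in code: every processing call checks for an active, purpose-specific consent, passes the handler only the fields declared necessary for that purpose, and logs the decision. The following is an added example written for this article; it is not code from the author, from Securis360 or from any insurer's platform, and the purposes, per-purpose field allow-lists, customer record and in-memory store are illustrative assumptions.

```python
"""Purpose-bound consent gate with withdrawal and field minimization.

Added example, not code from the article, from Securis360 or from any
insurer's platform. The purposes, the per-purpose field allow-lists and the
in-memory store are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Hypothetical per-purpose field allow-lists: the minimum an insurer needs for
# each purpose. Fields not listed are stripped before the handler sees them,
# which is the data-minimization rule enforced in code rather than by policy.
ALLOWED_FIELDS: Dict[str, set] = {
    "underwriting": {"name", "date_of_birth", "occupation", "medical_history"},
    "claims": {"name", "policy_number", "bank_account"},
    "marketing": {"name", "email"},
}


@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str            # which privacy notice the principal saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentDenied(Exception):
    """Raised when processing is attempted without an active, purpose-matching consent."""


class ConsentRegistry:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}   # principal_id -> consents
        self.audit_log: List[tuple] = []                     # (principal_id, purpose, permitted)

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: Optional[datetime] = None) -> None:
        """Record an explicit consent for exactly one purpose, tied to the notice shown."""
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}")
        rec = ConsentRecord(purpose, notice_version, at or datetime.now(timezone.utc))
        self._records.setdefault(principal_id, []).append(rec)

    def withdraw(self, principal_id: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        """Withdraw consent for one purpose; consents for other purposes are untouched."""
        when = at or datetime.now(timezone.utc)
        for rec in self._records.get(principal_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = when

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        # Consent is purpose-specific: a consent for underwriting says nothing about marketing.
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(principal_id, []))

    @staticmethod
    def minimize(record: dict, purpose: str) -> dict:
        """Keep only the fields declared necessary for this purpose."""
        return {k: v for k, v in record.items() if k in ALLOWED_FIELDS[purpose]}

    def process(self, principal_id: str, purpose: str, record: dict,
                handler: Callable[[dict], object]) -> object:
        """Gate every processing call on an active consent and pass only minimized data."""
        ok = self.is_permitted(principal_id, purpose)
        self.audit_log.append((principal_id, purpose, ok))   # evidence for the Board or an auditor
        if not ok:
            raise ConsentDenied(f"no active consent from {principal_id!r} for {purpose!r}")
        return handler(self.minimize(record, purpose))


def demo() -> tuple:
    """Walk one customer through grant, purpose-limited use and withdrawal. Constructed data."""
    reg = ConsentRegistry()
    customer = {                       # constructed sample, not a real person
        "name": "A. Sharma", "date_of_birth": "1985-03-02", "occupation": "pilot",
        "medical_history": "none declared", "email": "a.sharma@example.com",
        "policy_number": "POL-0001", "bank_account": "XXXX1234",
    }
    reg.grant("cust-1", "underwriting", "notice-v3")
    reg.grant("cust-1", "claims", "notice-v3")

    # The underwriting handler only ever sees the underwriting fields.
    seen_by_underwriting = reg.process("cust-1", "underwriting", customer, lambda r: sorted(r))

    # Marketing was never consented to, so the gate refuses even though the data is on hand.
    try:
        reg.process("cust-1", "marketing", customer, lambda r: r)
        marketing_blocked = False
    except ConsentDenied:
        marketing_blocked = True

    # Withdrawing underwriting consent does not disturb the separate claims consent.
    reg.withdraw("cust-1", "underwriting")
    return (seen_by_underwriting, marketing_blocked,
            reg.is_permitted("cust-1", "underwriting"), reg.is_permitted("cust-1", "claims"),
            len(reg.audit_log))


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real CMP: the allow-list is keyed by purpose rather than by system, so a new purpose (cross-selling, say) cannot reuse underwriting data without its own entry and its own consent, and the audit log records denials as well as grants, which is what an auditor or the Board will ask for after a complaint.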

Overlap with IRDAI Cybersecurity Guidelines 2023


The IRDAI Information and Cyber Security Guidelines, 2023 (the IRDAI Cybersecurity Guidelines) and the DPDPA 2025 share several objectives, especially around the security and privacy of personal data. The primary areas of overlap include:


  1. Data Security Measures:

    • Both the DPDPA 2025 and IRDAI Guidelines mandate robust data security protocols to prevent breaches, unauthorized access, or cyberattacks. Insurers and insurtech firms will need to implement comprehensive cybersecurity frameworks, which address both technical and organizational safeguards to ensure the protection of sensitive data.

  2. Third-Party Vendors and Data Processing:

    • Both frameworks hold the insurer responsible for third parties that handle its data (cloud providers, third-party administrators, fraud detection partners and similar). Under the DPDPA 2025 a data fiduciary may engage a data processor only under a valid contract and remains answerable for the processor's compliance; the IRDAI guidelines expect vendor risk assessment and security obligations in outsourcing contracts. Due diligence, contractual safeguards and a right to audit are therefore needed on both counts.


  3. Breach Notification:

    • Both frameworks require an incident response plan that includes notifying affected individuals and regulators, but the timelines differ and should be written into the plan side by side. Under the DPDPA 2025 a personal data breach must be intimated to the Board and to each affected data principal without delay, with a detailed report to the Board within 72 hours of becoming aware of it (or a longer period the Board allows on written request). Separately, the IRDAI guidelines require reporting of cyber incidents to IRDAI, and CERT-In's April 2022 directions require reporting of listed cyber incidents within six hours. An insurer's plan therefore needs a single intake that fans out to these regulators and to customers, with the clocks for each tracked from the moment of detection.

  4. Data Retention and Disposal:

    • Both sets of regulations require that personal data be kept no longer than necessary and then securely deleted or anonymized. The DPDPA 2025 ties erasure to the purpose being served or consent withdrawn, while IRDAI imposes minimum retention periods for insurance records, so an insurer's retention schedule must reconcile the two: retain identifiable records for the period IRDAI or other law requires, then dispose of them, with a legal-hold exception for records under litigation or regulator request.

  5. Regulatory Oversight:

    • Both frameworks have an oversight body: IRDAI for the sector and, under the DPDPA 2025, the Data Protection Board of India, which inquires into complaints and breaches, directs remediation and imposes penalties. The DPDPA 2025 also allows the Central Government to notify certain fiduciaries as significant data fiduciaries, which must appoint a Data Protection Officer based in India and an independent data auditor and carry out periodic data protection impact assessments and audits; large insurers holding health and financial data are plausible candidates for that designation.
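The retention and disposal point above (item 4) is usually where compliance fails in practice, so here is what a retention sweep looks like when it is written down: each record carries the category that determines its schedule, records past their period are deleted or irreversibly anonymized, and records under legal hold are left alone regardless. This is an added example written for this article, not code from the author, from IRDAI or from any insurer; the retention periods, record categories and field names are illustrative assumptions, and the actual periods must come from the insurer's legal retention schedule.

```python
"""Retention sweep: delete or irreversibly anonymize records past their period.

Added example, not code from the article, from IRDAI or from any insurer.
The retention periods, record categories and field names are illustrative
assumptions; actual periods come from the insurer's legal retention schedule.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical schedule: how long a record stays identifiable after its purpose
# ends, and what happens to it afterwards.
RETENTION_POLICY: Dict[str, dict] = {
    "quote_not_converted": {"keep_for": timedelta(days=90), "then": "delete"},
    "closed_claim": {"keep_for": timedelta(days=8 * 365), "then": "anonymize"},
}

# Allow-list of what an anonymized row may carry. An allow-list, not a list of
# fields to strip, so a newly added identifier field is dropped by default.
ANALYTICS_FIELDS = {"category", "claim_amount"}


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers.

    Nothing is hashed or encrypted, so there is no key whose leak would
    re-identify the row; the original values are simply gone.
    """
    out = {k: v for k, v in record.items() if k in ANALYTICS_FIELDS}
    if "date_of_birth" in record:          # full date is a quasi-identifier; keep the year
        out["birth_year"] = record["date_of_birth"][:4]
    if "pincode" in record:                # six-digit Indian pincode -> three-digit region prefix
        out["pincode_prefix"] = record["pincode"][:3]
    return out


def sweep(records: List[dict], now: datetime) -> Tuple[List[str], List[dict], List[str]]:
    """Classify each record as kept, anonymized or deleted.

    Returns (kept_ids, anonymized_rows, deleted_ids). A record under legal hold
    (litigation, regulator request) is kept regardless of the schedule; that
    exception is the one most home-grown retention jobs forget.
    """
    kept, anonymized, deleted = [], [], []
    for rec in records:
        rule = RETENTION_POLICY[rec["category"]]
        expiry = rec["purpose_ended_at"] + rule["keep_for"]
        if rec.get("legal_hold") or now < expiry:
            kept.append(rec["record_id"])
        elif rule["then"] == "anonymize":
            anonymized.append(anonymize(rec))
        else:
            deleted.append(rec["record_id"])
    return kept, anonymized, deleted


def demo() -> Tuple[List[str], List[dict], List[str]]:
    """Run the sweep over four constructed records as of 1 June 2025."""
    utc = timezone.utc
    records = [   # constructed samples, not real policyholders
        {"record_id": "Q-1", "category": "quote_not_converted", "name": "R. Iyer",
         "email": "r.iyer@example.com", "purpose_ended_at": datetime(2025, 1, 1, tzinfo=utc)},
        {"record_id": "Q-2", "category": "quote_not_converted", "name": "S. Das",
         "email": "s.das@example.com", "purpose_ended_at": datetime(2025, 5, 15, tzinfo=utc)},
        {"record_id": "C-1", "category": "closed_claim", "name": "M. Khan",
         "policy_number": "POL-7", "date_of_birth": "1970-08-15", "pincode": "400001",
         "claim_amount": 250000, "purpose_ended_at": datetime(2015, 1, 1, tzinfo=utc)},
        {"record_id": "C-2", "category": "closed_claim", "name": "P. Rao",
         "policy_number": "POL-9", "date_of_birth": "1962-02-03", "pincode": "560034",
         "claim_amount": 90000, "purpose_ended_at": datetime(2015, 1, 1, tzinfo=utc),
         "legal_hold": True},
    ]
    return sweep(records, datetime(2025, 6, 1, tzinfo=utc))


if __name__ == "__main__":
    kept, anonymized, deleted = demo()
    print("kept:", kept)
    print("anonymized:", anonymized)
    print("deleted:", deleted)
```

The anonymized row keeps only what aggregate claims analysis needs; if a future field such as a national ID number is added to the claim record, the allow-list drops it automatically, whereas a strip-list would have leaked it into the "anonymized" dataset until someone noticed.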

Conclusion

The Digital Personal Data Protection Act, 2025 significantly affects how insurers and insurtech companies in India collect, manage, and protect personal data. The emphasis on explicit consent, automated decision-making transparency, and robust data security is aligned with the goals of improving consumer privacy rights and enhancing cybersecurity.


Insurance firms must prioritize data protection and compliance infrastructure to meet the stringent requirements of both the DPDPA 2025 and IRDAI Cybersecurity Guidelines 2023. This will require substantial investments in technology, employee training, and legal frameworks. While there is significant overlap between the two sets of regulations, insurers must ensure that their data handling and cybersecurity practices are robust enough to meet both privacy and security obligations under these frameworks.


In summary, the DPDPA 2025 will drive the adoption of privacy-conscious and security-first practices within the insurance and insurtech sectors, ultimately fostering greater consumer trust in digital financial products and services.


Author: Harsh Kashiparekh, Founder and CEO at Securis360

Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of IIA and IIA does not assume any responsibility or liability for the same.
