DPDP norms nudge insurance firms to boost tech systems, consent frameworks

Industry leaders say phased deadlines through 2027 give them time, but the compliance effort will require major process redesign

Insurance companies will have to increase investments in technology and build an effective consent mechanism to comply with the new Digital Personal Data Protection (DPDP) norms, industry experts said.

 

Insurers have allotted some amount for implementing the norms but additional expenses will be budgeted in their annual operating cycle as they require considerable capital and operating investments. The industry is still assessing the implications of the norms and the changes required.

 

The DPDP rules, which came into effect on Friday, require companies to implement a data protection and consent management system by November 2026. Systems for data mapping or seeking individual consent must be in place by May 2027.

 

“We have mobilised teams internally to comply with the requirements. The Act is quite in line with our operating philosophy of sharing the customer data in a secure manner with full accountability. The phased timelines give us the room to create sustainable processes and build privacy-centric frameworks in every business process,” said Parag Raja, managing director (MD) and chief executive officer (CEO), Bharti AXA Life Insurance.

 

“I understand that compliance needs significant transition effort and changing existing processes, plus there is the complexity of aligning the partnership ecosystem with this complexity,” he said.

 

Another industry executive said that “insurers will have to incur tech spending which is more infrastructure and IT components related. We will also require some additional staff to manage it. However, we are yet to decide how much; we are still going through it.”

 

According to experts, the consent mechanism will require additional effort from insurers considering the amount of information collected during underwriting. It is also important for insurers to have a simple consent mechanism for policyholders, they said.

 

“I don’t expect the tech spending to be very large. Mainly, the effort and investment will be needed to create a consent mechanism — creating the backend tables, cleaning up the data, being able to continuously refresh it and store it in our database, and then being able to reflect it accordingly in the front-end journals,” said Pallavi Malani, MD & partner, insurance, BCG.

 

Insurers will have to develop systems that give customers clear visibility of the data sources in “an automated, tech-driven way,” she said. 

Tech push

• New DPDP norms require insurers to implement data protection and consent mgmt system by Nov ‘26
• Systems for data mapping to be in place by May ‘27
• Firms expect higher infra spend and added manpower needs
• Consent mechanism will require more effort due to information collected during underwriting
• Insurers say additional expenses will be incurred because of significant capital and operating investment