PDPA Risk Insurance

India is in the threshold of a new legislation called Personal Data Protection Act (PDPA-2020). One of the most striking factors that this legislation represents is that organizations processing “Personal Data” in any form, including the Government departments will here-after  have to worry about a new kind of financial liability that they may face. It is the risk of being fined by the Data Protection Authority for “Non Compliance of the provisions of the Act”.

While the organizations that process the personal data need to be ready with the knowledge and preparations of how to stay compliant with the law, one of the solutions that every personal data fiduciary/processor in India would be looking forward to would be an Insurance policy with which they could get themselves covered.

It is possible to consider that the administrative fines that may arise consequent to non compliance of PDPA 2020 can be also considered as a consequential loss of running the business and hence could be technically covered under the current Business related insurance policies.

However, since the PDPA administrative fines were not envisaged when the policies were underwritten and the amount involved could be as high as 4% of the global turnover of the company, it is difficult for the Insurance companies to consider the risk covered unless a fresh endorsement is made and additional premium collected.

The organization will therefore have to take a view on what risks to be insured under PDPA, whether to restrict it only to first party risk of administrative fines only or include the third party risks of payment of compensation to the data principals.

The Insurance companies also need to structure a policy that suits the requirements of the PDPA.

We are certain that the Insurance Companies in India are far from thinking on structuring a policy for  PDPA risk coverage and it is possible that they will look to the west for re-insurance terms before they start underwriting the risks.

The PDPA risk coverage will be complex because the underlying asset is Personal Data which is intangible, goes through a life cycle of varying value, the asset ownership is unclear, losses are difficult to estimate, etc.  The fines arise if there is negligence in implementation of PDPA compliance and whether the insurance companies relish insuring negligence is a moot point.

May be there is a lot to debate in this field and the discussions have just started..

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.