In the latest article curated by DPO Club, the authors (Aniket Karekar, a seasoned privacy and security professional, and Shivang Mishra, a research analyst) explore the operational privacy challenges confronting the Indian insurance sector. By examining the impact of digital transformation, the rise of insurance aggregators, legacy technology and data management practices, the article highlights the critical need for robust privacy frameworks to protect sensitive customer information and ensure compliance with emerging regulations.
Introduction
Insurance companies collect, store and process vast amounts of personal data, including medical records and financial details. If that data is compromised, the consequences include identity theft, fraud, loss of customer trust, non-compliance with laws and regulations and, in some jurisdictions, hefty penalties. India has a population of around 1.4 billion, and with an insurance penetration rate of approximately 4%, a rough estimate is that insurers process the personal data of around 6 crore Indians annually.
The Insurance Regulatory and Development Authority of India (IRDAI) has released guidelines requiring insurers to meet adequate privacy and security requirements for the data they possess and process. The IRDAI Information and Cyber Security Guidelines, 2023 mandate insurers to maintain robust controls around the identification, collection, processing, disclosure, storage, transfer and destruction of Personally Identifiable Information (PII). The Digital Personal Data Protection Act, 2023 (DPDP Act) carries important implications for the insurance industry: this landmark legislation not only mandates informed consent from users but also reinforces principles such as data minimization and purpose limitation. As in every industry, innovation and new product development continue, but with enforcement of the DPDP Act on the horizon, every new product must be designed with privacy as an essential consideration.
Impacts on the Insurance Ecosystem
The digital revolution has transformed traditional distribution channels in insurance. With the increasing preference for online purchases, the role of intermediaries like digital aggregators is evolving. As insurers adapt to digital channels, they must ensure that data privacy is maintained across these platforms to protect sensitive customer information.
A. The Rise of Insurance Aggregators
Digital aggregators in the insurance market give consumers easier access to insurance products, streamlining the buying process and offering a wider range of options. Insurance aggregators have seen a phenomenal rise over the past few years: their market share has increased from 10% to over 30% since 2018 and is still growing. The Insurance Web Aggregator Regulations, 2017 (and the 2019 amendments) require aggregators to meet specific criteria to obtain a license, such as maintaining transparency in their operations, prioritizing customer interests and maintaining data security. The regulations aim to ensure fair practices and protect policyholders.

The increase in market share of Insurance Aggregators (Source: NASSCOM; Note: *- Till November 2023)
However, not all data collected by these aggregators may be strictly for insurance purposes. With the enforcement of the DPDP Act soon anticipated, it is crucial to maintain data minimization practices, ensuring that only necessary data is collected and used.
It is worth asking how traditional distribution routes will have to change once the new law is in force. Brokers and agents in the insurance space have often been known to source leads from questionable or unauthorized sources, and obtaining legitimate leads could become more challenging: companies will be required to demonstrate that leads were acquired with the explicit consent of the individuals concerned. This shift necessitates a more transparent and ethical approach to lead generation. Cold calling, which insurers commonly rely on, may no longer be viable; without prior consent from potential customers, such practices could lead to regulatory action and penalties. Insurers will need to adopt methods that prioritize user consent and data protection.
To provide seamless services, insurers and aggregators often partner with third parties such as Third-Party Administrators (TPAs) for health check-ups and garages for car servicing. As data flows across these entities, clear agreements become paramount. Tripartite agreements between insurers, aggregators and these intermediaries are essential for managing risk, ensuring compliance and tracking data flows; they define each party's responsibilities and liabilities and so promote a more secure and efficient service delivery model.
B. Legacy Technology
It is not uncommon for insurers to spend a substantial chunk of their IT budget on maintaining legacy systems. These outdated systems often lack the advanced security features required to protect personal data in the current digital age. The transition to modern, secure digital technologies is essential to safeguard data privacy and mitigate risks associated with legacy systems.
Upgrading these systems poses significant challenges, particularly around availability and operational stability, so companies are often reluctant to change their existing technology stack. Making legacy systems comply with the DPDP Act can be daunting: developing and integrating Privacy Enhancing Technologies (PETs) into them is difficult, as they may not support techniques such as data masking or homomorphic encryption, which makes privacy by design hard to maintain. This inflexibility hinders efforts to protect sensitive data and meet regulatory requirements, leaving insurers with significant obstacles to modernizing their systems in line with current privacy standards.
Faced with such challenges, insurers will need to undertake a detailed Privacy Impact Assessment (PIA) of all legacy solutions and reinforce the defences of the surrounding technology stack that relies on information passed on by the core systems. One way of managing this is to build privacy layers into all the other enterprise and business systems, with gating controls that restrict how personal data leaving the core applications can be used. While the core layer of a legacy system may be untouchable, the overlapping layers can and should be secured: access to the legacy systems must remain tightly restricted, and best practices should be adopted for the layers around them.

While core systems must remain untouched, the other layers can be secured
C. Analytics, Siloed Data, Upselling and Cross-selling
Data silos refer to the separation of data into isolated and disconnected systems or repositories. In the insurance industry, data silos can occur when different departments store and manage data independently. This fragmentation can lead to inefficiencies and data privacy risks. For example, if the underwriting, claims, and marketing departments each maintain separate databases without sharing data securely, it can hinder comprehensive data analysis and compromise data privacy.
Organizations often lack a complete picture of where all their data is stored, which poses significant risks under stringent data protection regulations. Data discovery tools play a crucial role in identifying and managing data across various resources, but to be effective they must scan continuously rather than as a one-off exercise, since data stores and flows change. Data mapping must therefore be carried out meticulously, and automation helps considerably here.
While data discovery tools are generally proficient at identifying structured data, they may not be as efficient with unstructured data, which can be more challenging to locate and categorize. Moreover, many discovery tools have limitations in identifying data from endpoints, where personally identifiable information (PII) often flows freely. This gap is particularly concerning, as endpoints can be vulnerable points for data breaches. Therefore, organizations need to ensure comprehensive data discovery processes that cover all potential data sources, including endpoints, to safeguard PII and comply with data protection regulations.
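As an added illustration of the discovery problem the two paragraphs above describe (this is example code written for this page, not a tool the authors describe), the Python scanner below treats a structured record and a free-text snippet differently: in the structured case the column name identifies the data type directly, while in the unstructured case it falls back to pattern matching plus a checksum, so that a 12-digit ticket or reference number is not reported as an Aadhaar number. The identifier formats follow the public PAN format and the Verhoeff check digit used by Aadhaar; all sample values, the column names and the hypothetical `COLUMN_HINTS` mapping are constructed for the demo.

```python
"""
Added example, not part of the article: a minimal PII discovery scanner for two
Indian identifiers, PAN and Aadhaar, run over a structured record and over free
text of the kind that ends up on endpoints (chat exports, call notes).
All sample values below are constructed; the Aadhaar-like number is synthetic
and only its check digit is computed with the real Verhoeff algorithm.
"""
import re
from dataclasses import dataclass

# Verhoeff tables: _D is the dihedral-group D5 multiplication table, _P the
# position-dependent permutation, _INV the group inverse of each element.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass verhoeff_validate()."""
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


def verhoeff_validate(number: str) -> bool:
    """True when the last digit is a correct Verhoeff check digit for the rest."""
    if not number.isdigit():
        return False
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# PAN: five letters, four digits, one letter. Aadhaar: 12 digits, first digit
# 2-9, commonly written in groups of four separated by spaces or hyphens.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
AADHAAR_RE = re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")
COLUMN_HINTS = {"pan": "PAN", "aadhaar": "AADHAAR", "uid": "AADHAAR"}  # hypothetical


@dataclass(frozen=True)
class Finding:
    kind: str       # "PAN" or "AADHAAR"
    masked: str     # value with all but the last four characters replaced
    location: str   # "<source>@<offset>" for text, "<source>.<column>" for records


def mask(value: str, keep: int = 4) -> str:
    return "X" * (len(value) - keep) + value[-keep:]


def scan_text(text: str, source: str = "text") -> list[Finding]:
    """Unstructured scan: pattern match, then checksum to drop look-alikes."""
    found = [Finding("PAN", mask(m.group()), f"{source}@{m.start()}")
             for m in PAN_RE.finditer(text)]
    for m in AADHAAR_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if verhoeff_validate(digits):   # 12-digit ticket/reference numbers fail here
            found.append(Finding("AADHAAR", mask(digits), f"{source}@{m.start()}"))
    return found


def scan_record(row: dict[str, str], source: str = "record") -> list[Finding]:
    """Structured scan: a known column name gives the type directly; every other
    column gets the content scan, which is how PII hiding in free-text columns is caught."""
    found = []
    for col, val in row.items():
        kind = COLUMN_HINTS.get(col.lower())
        if kind and str(val):
            found.append(Finding(kind, mask(str(val)), f"{source}.{col}"))
        else:
            found.extend(scan_text(str(val), f"{source}.{col}"))
    return found


# Constructed samples. SAMPLE_AADHAAR passes the checksum; BAD_NUMBER is the
# same digits with a wrong check digit and must not be reported.
_PAYLOAD = "23456789012"
SAMPLE_AADHAAR = _PAYLOAD + verhoeff_check_digit(_PAYLOAD)
BAD_NUMBER = _PAYLOAD + str((int(SAMPLE_AADHAAR[-1]) + 1) % 10)
SAMPLE_TEXT = (f"Customer quoted PAN ABCDE1234F and Aadhaar {SAMPLE_AADHAAR} on the "
               f"call; CRM ticket {BAD_NUMBER} is unrelated.")
SAMPLE_RECORD = {"name": "A. Customer", "pan": "ABCDE1234F",
                 "phone": "9876543210", "notes": f"aadhaar shared: {SAMPLE_AADHAAR}"}

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT, "chat_export") + scan_record(SAMPLE_RECORD, "crm"):
        print(f)
```

Two design points carry over to real deployments: findings are stored masked, so the discovery output does not itself become a new PII repository, and the checksum step is what keeps an unstructured scan of endpoint content (call notes, chat exports) from drowning in false positives. A production tool would add further detectors, scan file shares and endpoints on a schedule rather than once, and feed the locations into the data map.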
D. Tracking Inter-Departmental Flow of Data
Inter-departmental flows of data are often unmonitored and unrestricted, posing significant privacy risks. These flows must be assessed and managed carefully to ensure compliance with data protection principles such as data minimization.
For example, Management Information System (MIS) reports may circulate across multiple departments. However, not all departments require access to all the information contained in these reports. The medical team, for instance, may not need access to financial data, while the servicing team would ideally not require medical records. By adhering to the principle of data minimization, organizations can ensure that each department only accesses the data necessary for their specific functions. This approach helps protect sensitive information and reduces the risk of data breaches or misuse.
E. Maintaining Arm's Length Between Entities
Group companies should not use data freely across entities. A banking, financial services and insurance (BFSI) group often comprises multiple legal entities, and if one entity obtains consent to process data, that in no way implies that other entities may use it. The DPDP Act also limits consent to the purpose for which it was obtained and requires it to be clear, unambiguous and unbundled. Each entity within a group should adhere to strict data protection measures, and bundling consents or taking group-level consents is rarely a wise option.
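The privacy layer in front of the core systems described in section B, the departmental minimization of MIS report contents in section D and the purpose-bound consent between group entities in this section can all be enforced at one point: a gateway that every consumer of core-system output has to pass through. The Python below is an added example written for this page, not code from the authors or any insurer; the entities (`acme_insurance`, `acme_bank`), departments, purposes, field names, consent store and the core record are all assumptions made for the demo.

```python
"""
Added example, not part of the article: a purpose-bound minimization layer that
sits between a legacy core system and the business systems and departments
that consume its output. For each request it (1) refuses purposes the customer
did not consent to for the requesting entity, (2) returns only the fields the
requesting department is allowed to see, (3) masks fields allowed only in
reduced form and (4) returns an audit entry keyed by a hash, not the identifier.
Entities, departments, purposes, field names and the record are assumptions.
"""
import hashlib
from dataclasses import dataclass

# What the core (legacy) system emits: a full record with no notion of purpose. Constructed.
CORE_RECORD = {
    "policy_no": "P-000123",
    "name": "A. Customer",
    "pan": "ABCDE1234F",
    "bank_account": "001234567890",
    "premium_due": 12500,
    "diagnosis": "Type 2 diabetes",
    "claim_amount": 48000,
}

# Consent as recorded at collection: per legal entity, the purposes consented to.
# The group's bank is a separate entity and holds no consent of its own here.
CONSENTS = {
    "P-000123": {"acme_insurance": {"underwriting", "claims", "servicing"}},
}

# Field policy per department: default deny; "mask" fields are returned reduced.
FIELD_POLICY = {
    "medical":   {"allow": {"policy_no", "name", "diagnosis", "claim_amount"}, "mask": set()},
    "servicing": {"allow": {"policy_no", "name", "premium_due", "pan"}, "mask": {"pan"}},
    "finance":   {"allow": {"policy_no", "bank_account", "premium_due", "claim_amount"},
                  "mask": {"bank_account"}},
}


@dataclass(frozen=True)
class Release:
    allowed: bool
    view: dict
    reason: str
    audit: dict


def _mask(value: str, keep: int = 4) -> str:
    return "X" * (len(value) - keep) + value[-keep:]


def _subject_ref(policy_no: str) -> str:
    """Audit logs carry a hash of the policy number, not the number itself."""
    return hashlib.sha256(policy_no.encode()).hexdigest()[:16]


def release(record: dict, entity: str, department: str, purpose: str) -> Release:
    """Consent check first, then field minimization, for one core record."""
    policy_no = record["policy_no"]
    audit = {"subject": _subject_ref(policy_no), "entity": entity,
             "department": department, "purpose": purpose, "fields": []}

    # Arm's length: consent is looked up for the requesting entity only.
    consented = CONSENTS.get(policy_no, {}).get(entity, set())
    if purpose not in consented:
        audit["decision"] = "deny"
        return Release(False, {}, f"no consent for {entity}/{purpose}", audit)

    policy = FIELD_POLICY.get(department)
    if policy is None:   # unknown consumer: fail closed
        audit["decision"] = "deny"
        return Release(False, {}, f"unknown department {department}", audit)

    view = {}
    for field_name, value in record.items():
        if field_name not in policy["allow"]:
            continue
        view[field_name] = _mask(str(value)) if field_name in policy["mask"] else value
    audit["decision"] = "allow"
    audit["fields"] = sorted(view)
    return Release(True, view, "ok", audit)


if __name__ == "__main__":
    for ent, dept, purp in [("acme_insurance", "servicing", "servicing"),
                            ("acme_insurance", "medical", "claims"),
                            ("acme_bank", "marketing", "marketing")]:
        r = release(CORE_RECORD, ent, dept, purp)
        print(r.allowed, r.reason, r.view, r.audit)
```

The ordering matters: the consent check runs before any field is read, so a valid department requesting an unconsented purpose (for example, finance requesting data for marketing) gets nothing, and a sister entity that never collected consent is refused regardless of how the policy tables are configured. The MIS report case from section D falls out of the same table: the medical team's view carries the diagnosis but no bank account, and the servicing team's view carries neither the diagnosis nor the full PAN.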
Questions that Remain
Handling Consent Fatigue: In the insurance industry, customer consent is required at many stages: proposal forms, PCVC verification, Aadhaar collection, video calls with agents (assisted journeys), penny-drop verification of bank accounts, information pulls from account aggregators, customer consent documents and calls via call centres. Navigating so many consent requests can lead to "consent fatigue", where customers become overwhelmed and less responsive. Insurers must streamline these processes and obtain consents in a clear and concise manner, minimizing the burden on customers while maintaining compliance.

Organizations would have to come up with ways to obtain valid consent while tackling the issue of consent fatigue
Fraud Detection and Monitoring with AI: AI offers significant potential for detecting and monitoring fraud in the insurance sector. As the regulatory landscape evolves with new AI regulations (such as the EU AI Act) and the proposed Digital India Act, these technologies must be implemented responsibly and in compliance with legal standards. Thorough and continuous monitoring of AI systems is essential to safeguard against misuse and maintain customer trust, especially given the volume of sensitive data involved.
Managing Privacy of Data Beyond the Organization: Once customer data leaves an organization's ecosystem, it becomes hard to control. Contracts and periodic audits offer some assurance, but organizations must find ways to ensure continuous protection of their customers' privacy at vendor and third-party level: robust data protection agreements, regular audits and clear protocols for data handling and security. Ensuring that third parties adhere to stringent privacy standards is crucial for protecting data and fostering consumer trust.
Conclusion
The insurance industry's digital transformation requires rigorous data privacy measures. With the DPDP Act's impending enforcement, insurers must prioritize consent, transparency, and robust data protection practices. By adopting these strategies, insurers can safeguard sensitive customer information, mitigate risks, and maintain trust in a rapidly evolving regulatory landscape.
*Disclaimer: DPO Club is a not-for-profit research initiative aimed at raising awareness regarding data privacy. The views expressed by the authors and reviewers are their personal opinions and do not necessarily reflect the views of their respective organizations.