India is in the threshold of a new legislation called Personal Data Protection Act (PDPA-2020). One of the most striking factors that this legislation represents is that organizations processing “Personal Data” in any form, including the Government departments will here-after have to worry about a new kind of financial liability that they may face. It is the risk of being fined by the Data Protection Authority for “Non Compliance of the provisions of the Act”.
While the organizations that process the personal data need to be ready with the knowledge and preparations of how to stay compliant with the law, one of the solutions that every personal data fiduciary/processor in India would be looking forward to would be an Insurance policy with which they could get themselves covered.
It is possible to consider that the administrative fines that may arise consequent to non compliance of PDPA 2020 can be also considered as a consequential loss of running the business and hence could be technically covered under the current Business related insurance policies.
However, since the PDPA administrative fines were not envisaged when the policies were underwritten and the amount involved could be as high as 4% of the global turnover of the company, it is difficult for the Insurance companies to consider the risk covered unless a fresh endorsement is made and additional premium collected.
The organization will therefore have to take a view on what risks to be insured under PDPA, whether to restrict it only to first party risk of administrative fines only or include the third party risks of payment of compensation to the data principals.
The Insurance companies also need to structure a policy that suits the requirements of the PDPA.
We are certain that the Insurance Companies in India are far from thinking on structuring a policy for PDPA risk coverage and it is possible that they will look to the west for re-insurance terms before they start underwriting the risks.
The PDPA risk coverage will be complex because the underlying asset is Personal Data which is intangible, goes through a life cycle of varying value, the asset ownership is unclear, losses are difficult to estimate, etc. The fines arise if there is negligence in implementation of PDPA compliance and whether the insurance companies relish insuring negligence is a moot point.
May be there is a lot to debate in this field and the discussions have just started..