India’s DPDPA: How Regulatory Change Is Reshaping Cyber Risk

India's Digital Personal Data Protection Act transforms data security, impacting cyber insurance and requiring organizations to enhance compliance and risk management.

India’s Digital Personal Data Protection Act (DPDPA) raises the bar on how businesses collect, process, and store personal data. With this transformation comes greater responsibility for organisations to protect their customers’ data, ensure they are following data protection regulations, and consider their cyber risk.

This matters beyond compliance, and 2023 marks a pivotal shift in India’s regulatory landscape. Cyber insurance brokers who understand this regulation’s structural shift and adapt early will define the next phase of cyber insurance growth in India.

The DPDPA therefore represents an important development in India’s cyber insurance market. It gives organisations a clearer framework for data protection, while giving brokers a more substantive advisory role: helping clients think through not only regulatory change, but the cyber and operational exposures that come with it and make more informed risk transfer decisions. One of the leading cyber brokers in India, K M Dastur, has been actively adapting to the DPDPA:

“The DPDP Act is not just a compliance milestone — it is India’s inflection point for cyber risk quantification. As organisations race to meet breach notification timelines and consent obligations, the demand for sophisticated, data-driven cyber insurance solutions has never been more urgent” — Sriharsha KVR, Senior Vice President at K M Dastur Insurance and Reinsurance Brokers Private Limited.

To understand why this matters for brokers and organisations, it is important to first look at what the Act requires.

What is the DPDPA?

The Digital Personal Data Protection Act, 2023 establishes a framework for processing digital personal data in a way that recognises both an individual’s right to protect their personal data and an organisation’s need to process it for lawful purposes. It applies to digital personal data processed within India and, in certain circumstances, to processing outside India if it relates to offering goods or services to individuals in India.

The Act introduces strict obligations for “Data Fiduciaries” (organisations), including:

  • Lawful Consent: Notices must be itemised and available in multiple languages.
  • Purpose Limitation: Data can only be used for the specific reason it was collected.
  • Significant Penalties: The Data Protection Board can impose fines reaching up to ₹250 crore per instance.

This highlights the seriousness of this regulation — organisations will need to take a closer look at how they govern personal data. For brokers, it sharpens the question of whether existing cyber programmes are aligned to the exposures clients now face.

Ultimately, the DPDPA moves India towards a more structured and enforceable privacy regime, aligning it more closely with global data protection standards and strengthening trust in its growing digital economy.

What does the DPDPA mean for organisations?

Organisations must ensure they are properly securing personal data and meeting regulatory requirements. Cyber insurance brokers must ensure their clients revisit how they collect consent, manage data lifecycles, monitor third-party processors and respond to incidents. This requires:

  • Clear documentation of data flows and processing purposes
  • Robust breach detection and notification mechanisms
  • Strong contractual oversight of vendors and service providers
  • Board-level visibility into data governance practices

Importantly, the Act raises the accountability threshold. Data protection can no longer sit solely within IT or legal functions; it demands cross-functional coordination across compliance, cybersecurity, operations, and executive leadership.

The Act applies across sectors and organisation sizes, meaning manufacturers, small and medium-sized enterprises (SMEs), and micro, small, and medium enterprises (MSMEs) must also comply with its requirements.

What does the DPDPA mean for cyber risk?

While the DPDPA is a privacy regulation, its practical impact extends into cyber risk management. The new obligations highlight the importance of following cybersecurity best practices and of ensuring organisations have the appropriate cyber insurance coverage.

There are a range of cyber risks that should be considered:

| Emerging risk | What it is | Why it matters |
|---|---|---|
| Ransomware attacks | Systems or data are encrypted and held for ransom, often disrupting access | Leads to prolonged downtime, financial loss and potential regulatory scrutiny if personal data is impacted |
| Data breaches | Unauthorised access to or exposure of sensitive or personal data. The breach may not be limited to a cyber attack. | Can trigger regulatory penalties under the DPDPA, as well as reputational and financial damage |
| Network outages | Disruption to systems or IT infrastructure due to cyber incidents | Interrupts business operations and may prevent organisations from meeting regulatory obligations |

Together, these factors elevate cyber resilience from a technical priority to a regulatory imperative.

Neha Anand, Senior Vice President, Head of Speciality (Direct & Reinsurance) at KM Dastur notes: “The premise of cyber risk quantification (CRQ) has further sharpened for companies in India with the enactment of DPDPA. Data compromise is a significant exposure which now has guardrails set by the regulators. Thresholds have been set for fines and penalties that enterprises can be subjected to. It is imperative to account for this under CRQ.”

Building operational resilience amid new regulations

The DPDPA represents a defining moment for India’s cyber insurance market because it raises the standard of accountability around personal data and brings regulatory, cyber, and operational considerations into closer alignment. For brokers and organisations alike, the real question is no longer whether this matters, but how it should change decision-making in practice.

The cyber insurance market must adapt as privacy regulation becomes more relevant to how organisations assess cyber exposure and insurance needs. Brokers who treat the DPDPA as a compliance footnote will fall behind; traditional policies that focus narrowly on breach response may not fully reflect the regulatory, operational and reputational exposures organisations now face. Those who treat it as a catalyst for more substantive advisory leadership will shape the next phase of cyber growth.

For Indian organisations, the message is clear: data protection and cyber risk are now inseparable. The DPDPA reinforces that managing personal data responsibly is not only about compliance, it is about building operational resilience and long-term trust in an increasingly digital economy.

Learn more about the DPDPA, and find out more about K M Dastur, one of India's leading cyber brokers, who understands the challenges Indian organisations face today when it comes to cyber.