Whitepaper provided by EPIC’s Worldwide Broker Network (WBN) partner in India, Prudent Insurance Brokers. Prudent is the only independent, all-India insurance broker with placement capabilities across all lines of commercial insurance in India.

India’s Data Protection Bill regulates the processing of personal data of individuals (Data Principals) by government and private entities (Data Fiduciaries) incorporated in India and abroad. Further, the Bill mandates the setting up of a national-level Data Protection Authority to supervise and regulate the working of Data Fiduciaries.


Broader Definition of Sensitive Personal Data (SPD)

Unlike GDPR, the Bill has defined SPD to include health data, sexual orientation, gender, financial data, biometric data, caste or tribe. Various multinational companies and foreign companies would need to implement a strong compliance strategy to avoid a breach of SPD under the Bill.

Excessive Liability

The Bill imposes liability on every officer of the company who, at the time of commission of the offence, was in charge of the conduct of the business of the company. However, no person shall be liable if he proves that the offence was committed without his knowledge.


The Data Fiduciary is obligated to provide the Data Principal with adequate notice before collecting and processing their data. The notice is required to be clear and concise, and if necessary and practicable, the notice shall be in multiple languages. In a country like India with multiple languages, this may be an operational challenge and may increase the cost of compliance.

Periodic Review of Stored Personal Data

The Bill specifies that Data Fiduciaries are obligated to conduct a periodic review of the personal data stored with them so that it is not retained beyond the period necessary for the purpose of processing. There is no time-frame defined under the Bill for such reviews to take place. Further, this is most likely to increase operational costs for Data Fiduciaries.


Under the Bill, consent of Data Principals is not required in employment related matters with respect to use of personal data. However, such data would not include sensitive personal data within its ambit.


Any offence punishable under this Bill shall be cognizable and non-bailable. The penalties for the offences under this Bill could range between INR 5 Crores* or 2% to INR 15 Crores or 4% of the company’s total worldwide turnover.

How is the Bill Different than GDPR?

  1. There is no obligation on the Data Fiduciary to share with the Data Principal how long the data will be stored while collecting or at any time, as GDPR mandates.
  2. Unlike GDPR, Indian draft legislation does not require the Data Fiduciary to share the names and categories of other recipients of the personal data with the Data Principal.
  3. In case of a breach, there’s no requirement under the Bill to notify the Data Principal of the data breach. Rather, the Data Protection Authority shall determine whether such breach should be reported to the Data Principal. Under GDPR, it is mandatory for the Data Protection Authority to share such news with the Data Principals without unnecessary delay if they are of the opinion that such a breach would be a high magnitude risk for them.

Data Breaches after GDPR

In September 2018, leading airline British Airways announced that it had suffered a data breach caused by a malicious criminal attack and that customer data had been lost. The company stated that the theft had occurred between August 21, 2018 and September 5, 2018, and that as many as 380,000 transactions had been affected.

This was one of the first large instances of data loss since the introduction of GDPR and the regulator announced its intent to impose a hefty fine on British Airways.

The GDPR stipulates that organizations must report a data breach within 72 hours of becoming aware of it. British Airways managed to announce the data breach within a day of discovery and provided specific details of who had been affected and the kind of data that could have been compromised. Nevertheless, the company suffered a hack, and this could indicate that they had not taken adequate precautions to protect their customers’ private data.

Theoretically, British Airways could be fined as much as €20 million or 4% of their global turnover – whichever is higher (and in their case, this would be the global turnover). However, in terms of a data breach, this is not a truly catastrophic data loss. Some industry figures have suggested that the fine could be somewhere between €5 million and €10 million.

Data Protection Regime and Cyber Insurance 

Whenever the new data protection regime comes into force, the risk and the liability landscape for businesses will alter significantly. There will be a greater need for adequate insurance cover for protection against cyber and data breach exposure of companies, especially in light of the proposed monetary penalties and criminal sanctions.

In Asia, several carriers are offering policies with coverage for insurable fines and penalties. Reputed legal counsel do not foresee any prohibitions with respect to insurability of GDPR fines and penalties across major Asian markets. Insurers offering such coverage have signaled that they would pay related claims if legally permissible. Companies, however, should, of course, seek specific legal advice on insurability of such fines and penalties within the relevant jurisdiction in Asia.

The Way Forward

With growing digitization across all industries and an ever-increasing flow of personal data across national borders, lawmakers face the challenge of balancing the privacy rights of individuals against the legitimate needs of business to use personal data. We are monitoring the Bill’s progress and will update you on further developments.

Meanwhile, companies need to look into their internal processes and must take appropriate precautionary measures to prevent data breach.

Notwithstanding the technological and other interventions, a data or cyber breach is unforeseeable. Hence, it is now imperative for companies to also seek necessary support to examine the appropriate insurance covers in order to protect themselves against potential financial exposures including but not limited to fines and penalties when the new regime is operationalised.

Cyber liability insurance protects businesses from losses or damages resulting from cyber attacks and data breaches. These expenses can include data loss and restoration, extortion, legal fees, and regulatory fines and penalties.

Thoughts from Javier Yturralde

“If you’re a multinational company operating in India, you need to be aware of everything India’s Data Protection Bill asks of you,” said Javier Yturralde, EPIC’s Global Solutions Director. “Take particular note of how this bill is different than the General Data Protection Regulation (GDPR). For questions, contact me. Keeping up with compliance regulations across the globe is exactly why we’re here, closely connected and in daily communication with our partner firms in the Worldwide Broker Network.”

EPIC Global Benefits Solutions

EPIC recognizes the challenges that multinational organizations face in the deployment and management of a global workforce. Our Global Benefits Team supports these organizations by developing benefits and reward strategies that confidently meet global HR standards, and respond to local competitive and regulatory requirements.


