
‘Data is the soil of the enterprise’: Insurance leaders unpack readiness, ownership and the rising enterprise risk of privacy at ETCISO DP&P Summit 2025


At the ET CISO Data Protection & Privacy Summit 2025, top technology, risk and privacy leaders from India’s largest life insurers examined how enterprises must redesign their operating models to meet the Digital Personal Data Protection Act (DPDPA). Moderated by Muqbil Ahmar, Executive Editor, ETCISO, the discussion explored the sector’s unique challenges—legacy systems, fragmented data environments, complex partner ecosystems and the critical question of who should own and govern privacy.

Opening the conversation, Bhavna Longani, DPO, Axis Max Life Insurance, rejected the commonly used analogy equating data to oil. “Data is the new electricity—it powers every business requirement today,” she said, adding that the industry was divided between organisations waiting for regulatory clarity and those seeking early-mover trust advantages. Implementing explicit consent, aligning legacy systems with modern privacy tech, and onboarding third-party partners under uniform obligations remain practical hurdles. She noted: “The Act brings challenges that demand major changes across journeys, processes and infrastructure.”

Dr. Pawan Chawla, CISO & DPO, Tata AIA Life Insurance, said readiness remains aspirational across the sector. “Nobody is ready so far… the most valuable resource an organisation has today is data,” he remarked. For legacy insurers with decades of records, locating, classifying and mapping personal data is a prerequisite to compliance. He emphasised that consent systems, UI/UX flows and data-erasure obligations will require fundamental redesign. “For each click, you need separate consent—and erasure must follow the same mapping,” he noted, adding that data localisation expectations add further complexity.

The dual hat of CISO and DPO sparked a critical debate. Chawla argued the roles can coexist temporarily but will diverge as the regulatory environment matures. “Both roles complement each other, but eventually clarity will be needed,” he said. For now, many organisations are experimenting with different reporting structures due to an absence of harmonisation in the rules.

Longani reiterated the structural uncertainty: “There is no harmonisation yet. Some DPOs report to risk, some to legal, some to the CISO. The Act is 30% legal, 70% technology.”

Kiran Belsekar, EVP – CISO & IT & Data Governance, Bandhan Life, articulated the collaborative need: “Security and privacy are pillars of the same bridge—together, they build trust in financial services.” He said ownership models must reflect both technological control and cultural influence. The DPO, he argued, needs institutional authority to push back on business pressures, particularly as explicit consent and cookie governance create friction. “The role requires seniority. It should not sit below the CISO,” he said, recommending reporting to the CRO or CEO.

Shailendra Kothavale, Chief Compliance & Risk Officer, Aditya Birla Sun Life Insurance, emphasised embedding DPDPA into enterprise risk frameworks. “Just as cybersecurity evolved into a top board concern, privacy will follow,” he said. Boards are increasingly asking how insurers will overlay new privacy mandates on existing tech, security and legal frameworks. He added: “The focus shifts from the internal customer to the external one. Courts and enforcement bodies will now test how fair you are to the customer.”

Longani further framed privacy as a top-tier risk. “Privacy must be treated as enterprise risk—not just functional risk,” she said. To operationalise this, dashboards across consent, vendor due diligence and DPIAs must be jointly owned by CISOs and DPOs. “Privacy cannot be achieved without security. These roles must co-lead the metrics,” she added, while insisting the DPO should remain independent.

As the panel closed, consensus emerged on three structural imperatives for the sector:

  • Privacy must be integrated into enterprise risk management, with KPIs and KRIs aligned to customer rights.
  • Security-by-design must evolve into privacy-by-design, embedded into every process, product and customer interface.
  • Regulatory harmonisation will mature gradually, with clarity from the Data Protection Board shaping long-term reporting structures.

Summarising the industry’s sentiment, Chawla noted the pragmatic path ahead: “With every regulation, maturity takes time. Go with the flow, but go with readiness.”

  • Published On Dec 12, 2025 at 03:45 PM IST
