If customer personal data leaks—say a hacker steals 500 customer phone numbers and addresses from your CRM—you face DPDP Act fines up to ₹250 crores, must notify each affected customer, lose customer trust, and damage your brand permanently. A real example: a Delhi-based e-commerce MSME had unencrypted customer databases on a shared server; when a junior employee's login was compromised, attackers sold 50,000 customer records including payment card details on the dark web, resulting in ₹45 lakh in chargeback fraud and complete loss of repeat business. Without differential data handling, your business treats a customer's home address the same as a price list—when breached, the consequences are catastrophic.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You store all data in the same place with the same access rules—customer phone numbers sit in an Excel file on a shared folder with the same password as general vendor lists. You have no separate security measures for sensitive data, and anyone who can access one file can access everything.
Initial
You've identified which data is personal (customer names, phones, addresses, payment details) and may already keep some of it in separate, protected systems, but nothing is written down. You have a vague understanding that personal data matters more, but no documented process or training yet.
Developing
You have a written Data Classification Policy that names which data is personal, who can access it, and basic security rules like password protection and limited sharing. You've implemented one specific control like storing customer data in a locked folder with restricted access, but other controls are inconsistent across systems.
Defined
You have documented and enforced rules: personal data is encrypted at rest, access is logged, only authorized staff can view it, and you have a simple audit trail. You conduct annual training for staff on personal data handling and have a basic incident response process if data is accidentally exposed.
Managed
Your personal data handling is mature and integrated: encryption is automatic, access controls are role-based (sales staff see only customer names and phones, finance sees only payment info), all access is logged and reviewed quarterly, and data retention policies ensure old customer data is securely deleted. You conduct regular security assessments and staff understand consequences of mishandling.
Optimised
You have continuous real-time monitoring of all personal data access, regular penetration testing specifically targeting personal data stores, automated alerts for suspicious access patterns, and real-time compliance reporting. Your process is regularly audited by third parties, staff receive quarterly training with testing, and your incident response is tested twice yearly.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all types of customer and personal data your business collects (names, phone numbers, addresses, email, PAN, Aadhaar, bank details, payment card info) and document where each is currently stored | Business owner or IT person | 1 day |
| 1 → 2 | Create a one-page Data Classification Policy that defines 'Personal Data' vs 'Business Data' and specifies which systems must have passwords, who gets access, and that personal data must be kept in separate files or folders from general business data | Business owner with IT person | 3-5 days |
| 2 → 3 | Implement encryption for all files/folders containing personal data, set up access logs (even basic: username, date, time of file access), create a simple one-page procedure for staff on what they can and cannot do with personal data, and conduct one training session | IT person with business owner sign-off | 2-3 weeks |
| 3 → 4 | Implement role-based access control (different staff see only the personal data they need for their job), set up a quarterly access review checklist, define data retention rules (delete customer records 3 years after last transaction), and document your incident response procedure | IT person with HR and business owner | 4-6 weeks |
| 4 → 5 | Set up automated monitoring alerts for unusual personal data access, conduct annual penetration testing targeting personal data, maintain a change log for all access control updates, and schedule quarterly review meetings with documented findings and remediation | IT person or external managed security service | Ongoing (2-3 hours/month for reviews) |
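As an added worked example (not part of this assessment page or of the NIRMATA toolkit), the following Python script shows one repeatable way to carry out the 0 → 1 and 1 → 2 steps: it scans files for the categories of personal data named in the table (PAN, Aadhaar, Indian mobile numbers, email, payment card numbers, bank IFSC codes), records per file which categories were found, and applies the policy's 'Personal Data' / 'Business Data' label. The sample files, the regular expressions and the label names are constructed assumptions for the example; in practice you would point it at your real shared folders and tune the patterns on your own data.

```python
import re

# Patterns for the categories of personal data named in the step table. The exact
# regexes are assumptions made for this example; tune them on your own data.
PII_PATTERNS = {
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    # 12 digits, first digit 2-9, optionally grouped in fours; the lookarounds stop
    # the first 12 digits of a 16-digit card number from being counted as Aadhaar
    "Aadhaar": re.compile(
        r"(?<![0-9])(?<![0-9][ -])[2-9][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}(?![ -]?[0-9])"),
    "Indian mobile": re.compile(r"(?<![0-9])(?:\+91[ -]?)?[6-9][0-9]{9}(?![0-9])"),
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "Payment card": re.compile(r"\b(?:[0-9]{4}[ -]?){3}[0-9]{4}\b"),
    "Bank IFSC": re.compile(r"\b[A-Z]{4}0[A-Z0-9]{6}\b"),
}

# Categories the policy treats as financial/identity data needing the strongest controls.
HIGH_RISK = {"PAN", "Aadhaar", "Payment card", "Bank IFSC"}

# Constructed sample files standing in for a shared folder (fictional people and numbers).
SAMPLE_FILES = {
    "shared/customers.csv": (
        "name,phone,address,pan\n"
        "Asha Rao,9876543210,12 MG Road Bengaluru,ABCDE1234F\n"
        "Vikram Sen,+91 9123456789,4 Park St Kolkata,FGHIJ5678K\n"
    ),
    "shared/price_list.csv": (
        "sku,description,price\n"
        "A100,Steel bracket,250\n"
        "A101,Brass hinge,180\n"
    ),
    "finance/payments.csv": (
        "invoice,card,email\n"
        "INV-1,4111 1111 1111 1111,asha@example.com\n"
    ),
}


def find_personal_data(text):
    """Count matches per category. Only counts are returned, never the matched
    values, so the inventory does not become yet another copy of the personal data."""
    found = {}
    for category, pattern in PII_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            found[category] = count
    return found


def classify(found):
    """Apply the one-page policy's labels to what was found in a file."""
    if not found:
        return "Business Data"
    if HIGH_RISK & found.keys():
        return "Personal Data (financial/identity)"
    return "Personal Data"


def build_inventory(files):
    """Produce the 'which personal data is stored where' record for step 0 -> 1."""
    inventory = {}
    for path, text in files.items():
        found = find_personal_data(text)
        inventory[path] = {"found": found, "classification": classify(found)}
    return inventory


if __name__ == "__main__":
    for path, info in build_inventory(SAMPLE_FILES).items():
        print(f"{path}: {info['classification']} {info['found']}")
```

Run it against copies of your real folders by replacing `SAMPLE_FILES` with the file contents read from disk; the resulting inventory (path, categories found, label) is exactly the evidence the 0 → 1 step asks for, and because it stores counts rather than values it can be shared with a reviewer without itself becoming personal data.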
Documents and records that prove your maturity level.
- Written Data Classification Policy document listing what counts as personal data, where it is stored, and who may access it
- Access control records or screenshots showing that personal data folders/files have restricted permissions (only certain staff/groups can open them)
- Data retention policy or procedure document stating how long customer records are kept and when they are securely deleted
- Staff training records (sign-in sheet, email confirmation, or test results) showing that employees have been trained on personal data handling
- Incident log or response procedure document describing what staff must do if personal data is accidentally exposed or lost
Prepare for these questions from customers or third-party reviewers.
- "Show me your policy or procedure that distinguishes how you handle customer personal data differently from general business data like invoices or vendor lists."
- "Who in your organization has access to customer phone numbers and addresses? Can you show me the access control list and prove only those people can actually open that data?"
- "If a customer asks you to delete their personal data, what is your process? Can you show me documentation of at least one deletion you've performed?"
- "When was the last time you reviewed who has access to personal data, and did you remove anyone who no longer needs it? Show me records of that review."
- "Describe what happens if an employee accidentally emails a customer list to an external vendor. What is your incident response, and can you show me an example of how you handled a similar incident?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Encrypt files and folders containing personal data so they are unreadable without a password | Windows BitLocker (built into Windows Pro/Enterprise) or Linux dm-crypt; for individual files use 7-Zip with AES-256 encryption | Trend Micro Maximum Security (₹3,000–5,000/year) or Kaspersky Total Security (₹2,500–4,000/year); includes encryption and file shredding |
| Create and maintain a log of who accessed personal data files, when, and what they did (view, edit, delete) | Windows File Server Auditing (built-in; configure via Group Policy) or osquery (free open-source tool for system monitoring) | Splunk (starts ₹5,00,000/year for small deployment) or ManageEngine AuditPlus (₹1,50,000–3,00,000/year for 10–50 users) |
| Track and enforce who is allowed to access specific personal data folders or files based on their job role | Native Windows/Linux file permission systems; document with a simple spreadsheet | Microsoft Azure AD or Okta (₹2,000–5,000 per user/year) for centralized role management; or SailPoint IdentityIQ (enterprise pricing, typically ₹20,00,000+/year) |
| Securely delete old customer records so they cannot be recovered even if storage media is found | BleachBit or Eraser (both free, open-source secure deletion) or CCleaner free version (limited) | Acronis True Image with secure deletion (₹4,000–8,000/year) |
| Create, store, and share your Data Classification Policy and access control procedures securely with staff | Google Drive (with restricted sharing) or LibreOffice (free document creation) | Microsoft 365 Business Standard (₹4,000–6,000/month for organization; includes SharePoint and OneDrive with encryption) |
- Treating all customer data equally: Many Indian MSMEs store customer Aadhaar numbers and bank details in the same unencrypted Excel or Google Sheet as their mailing addresses, without realizing that financial and identity data require much stronger protection under DPDP Act.
- Assuming 'local storage is safer': Small businesses often think keeping everything on the owner's laptop or an old desktop in the office is safer than cloud storage, but this creates no access controls, no audit trail, and single points of failure (if the laptop is stolen, all customer data is gone).
- No distinction between staff access: Receptionist, accountant, and delivery person all have the same password and access to the same customer database, meaning any one person leaving or being compromised exposes all data to potential misuse.
- Forgetting about deleted data: When you delete a customer record from an Excel file or database, the data often remains recoverable on the hard drive for months; without secure deletion procedures, old customer information can be extracted by attackers or competitors even after you think it's gone.
- Training only happens once: Many businesses conduct one training session when hiring and then assume staff remember; six months later, staff are forwarding customer lists via unencrypted email or taking photos of customer data on personal phones without realizing the risk.
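The 'No distinction between staff access' anti-pattern above is the one most directly fixed by code. As an added example (not from this page or the NIRMATA toolkit), the Python below shows the controls described at the Managed level and in the 3 → 4 and 4 → 5 steps working together: role-based field visibility (sales sees names and phones, finance sees payment details), an access log written on every view, two simple alert rules over that log (access outside business hours, and one user pulling an unusual number of records in a day), and the rule that deletes records three years after the last transaction. The customer records, role names, thresholds and business hours are assumptions constructed for the example.

```python
from datetime import date, datetime, timedelta

# Constructed customer records (fictional people, not real data).
CUSTOMERS = [
    {"id": 1, "name": "Asha Rao", "phone": "9876543210", "address": "12 MG Road, Bengaluru",
     "card_last4": "1111", "last_transaction": date(2021, 3, 10)},
    {"id": 2, "name": "Vikram Sen", "phone": "9123456789", "address": "4 Park St, Kolkata",
     "card_last4": "2222", "last_transaction": date(2024, 9, 1)},
]

# Which fields each job role may see. Role names are assumptions for the example.
ROLE_FIELDS = {
    "sales": {"id", "name", "phone"},
    "finance": {"id", "name", "card_last4", "last_transaction"},
    "delivery": {"id", "name", "address"},
}

RETENTION_YEARS = 3  # delete customer records 3 years after the last transaction


def view_record(user, role, customer_id, when, log):
    """Return only the fields the role may see, and record the access in the log."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    record = next(c for c in CUSTOMERS if c["id"] == customer_id)
    projected = {k: v for k, v in record.items() if k in allowed}
    log.append({"user": user, "role": role, "customer_id": customer_id,
                "fields": sorted(projected), "time": when})
    return projected


def flag_unusual_access(log, max_per_day=20, business_hours=(9, 19)):
    """Two alert rules over the access log: out-of-hours access, and bulk access
    by one user within a single day. Thresholds are example values."""
    alerts = []
    per_user_day = {}
    for entry in log:
        t = entry["time"]
        if not business_hours[0] <= t.hour < business_hours[1]:
            alerts.append({"user": entry["user"], "reason": "out-of-hours access", "time": t})
        key = (entry["user"], t.date())
        per_user_day[key] = per_user_day.get(key, 0) + 1
    for (user, day), n in per_user_day.items():
        if n > max_per_day:
            alerts.append({"user": user, "reason": f"{n} records in one day", "time": day})
    return alerts


def retention_deadline(last_transaction):
    """Date on which a record becomes due for secure deletion (handles 29 Feb)."""
    try:
        return last_transaction.replace(year=last_transaction.year + RETENTION_YEARS)
    except ValueError:  # 29 Feb with no 29 Feb in the target year
        return last_transaction.replace(year=last_transaction.year + RETENTION_YEARS, day=28)


def due_for_deletion(customers, today):
    """IDs of records past their retention deadline; feed these to secure deletion."""
    return [c["id"] for c in customers if retention_deadline(c["last_transaction"]) <= today]


def run_demo():
    """Constructed day of activity: normal views, one bulk pull, one late-night access."""
    log = []
    base = datetime(2025, 1, 15, 10, 0)
    sales_view = view_record("ravi", "sales", 1, base, log)
    finance_view = view_record("priya", "finance", 1, base, log)
    for i in range(25):  # one user pulling 25 records in a day
        view_record("meena", "sales", 2, base + timedelta(minutes=i), log)
    view_record("ravi", "sales", 2, datetime(2025, 1, 15, 23, 30), log)
    alerts = flag_unusual_access(log)
    to_delete = due_for_deletion(CUSTOMERS, base.date())
    return sales_view, finance_view, alerts, to_delete


if __name__ == "__main__":
    sales_view, finance_view, alerts, to_delete = run_demo()
    print("sales sees:", sales_view)
    print("finance sees:", finance_view)
    for a in alerts:
        print("ALERT", a["user"], a["reason"], a["time"])
    print("due for secure deletion:", to_delete)
```

The log entries produced here (user, role, customer, fields, time) are the record a quarterly access review works from, and the alert list is the starting point for the automated monitoring in step 4 → 5; the thresholds should be set from what your own staff normally do, not copied from the example.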
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) (Processing personal data fairly and lawfully), Section 8(3) (Security of personal data), Section 10 (Purpose limitation), Section 17 (Data retention and deletion) |
| CERT-In 2022 | Direction 2: Implement access control and user authentication; Direction 3: Implement encryption for sensitive data; Direction 5: Audit and maintain logs |
| ISO 27001:2022 | Annex A.5.3 (Segregation of duties), A.6.2 (Access to information and other associated assets), A.8.3 (Cryptography), A.8.15 (Logging) |
| NIST CSF 2.0 | Govern (GV) Function: Data governance and security roles; Protect (PR) Function: Access control and encryption |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.