AD-16 Application & Product Security 6% of OML score

Are physical files or documents containing sensitive information stored securely?

This question asks whether your business keeps paper documents and physical files with customer data, financial information, or other sensitive details locked up and protected from theft or loss. Just like hackers can steal data from computers, someone can walk into your office, take a file, and sell customer information or use it for fraud.

⚡ Why This Matters to Your Business

A data breach involving physical documents can destroy customer trust and damage your reputation permanently. Under the Digital Personal Data Protection Act 2023, you are legally responsible for protecting personal data—whether digital or on paper—and face penalties up to ₹250 crore for non-compliance. For example, a Bangalore healthcare startup lost patient records when a cleaning contractor stole files from an unlocked cabinet and sold them to a competing clinic; the startup faced ₹50 lakh in regulatory fines, lost 40% of its client base, and had to spend ₹15 lakh on notification and legal fees. Banks and large customers increasingly audit supplier compliance; if an auditor finds your customer data in unsecured cabinets, they may terminate contracts immediately.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You find sensitive documents (invoices, customer lists, employee records, bank details) scattered on desks, in open shelves, or in unlocked cabinets throughout the office. Anyone—employees, contractors, visitors—can read or take them without restriction.

Level 1: Initial

Some sensitive files are kept in a locked cabinet in the back office, but the key is left in the drawer or shared informally among several staff members. There is no list of what should be locked away, so important documents sometimes end up unsecured on desks.

Level 2: Developing

You have designated a locked storage cabinet or cupboard for sensitive documents, a written list of what must be stored securely, and only 2–3 trusted people have keys. Access is loosely monitored but there is no formal log of who accessed what or when.

Level 3: Defined

All sensitive documents are stored in a lockable metal cabinet with restricted access; only the Finance Manager and Business Owner have keys. A basic log sheet records who accessed files and when. Old documents are shredded once they are no longer needed.

Level 4: Managed

You have a formal document retention and disposal policy documented in writing. Files are stored in a locked cabinet in a restricted room; access is logged digitally or on a form signed each time. High-risk documents (bank statements, customer PII) are stored separately and shredded according to schedule.

Level 5: Optimised

You maintain a complete Asset Inventory of all physical documents containing sensitive data, including location and destruction dates. Access logs are reviewed monthly. Document retention complies with legal requirements (GST records 6 years, labour records 3 years). Annual audits verify compliance and storage conditions are documented.

🚀 How to Move Up — Practical Steps

Step | What to Do | Who | Effort
0 → 1 | Designate one lockable cabinet or drawer as the secure storage location and move all visible sensitive documents into it immediately. Brief staff verbally that important papers must not be left on desks overnight. | Business Owner or Office Manager | 1 day
1 → 2 | Create a one-page written list of what types of documents must be stored securely (customer records, invoices, bank statements, employee PII). Limit cabinet access to 2 people maximum and keep the key in your possession. | Business Owner or Finance Manager | 2–3 days
2 → 3 | Set up a simple access log (paper or spreadsheet): date, who accessed files, which files, reason. Establish a monthly shredding schedule for documents older than their retention period. Train all staff on the policy in a brief meeting. | Office Manager or designated admin staff | 1 week
3 → 4 | Document a formal Document Retention & Disposal Policy (1–2 pages) specifying what is kept, for how long per law, and how it is destroyed. Implement digital access logging (photo log or basic database). Audit cabinet contents quarterly. | Business Owner with Finance Manager or legal advisor consultation | 2–4 weeks
4 → 5 | Create a comprehensive Asset Inventory listing all sensitive document types, locations, retention periods per GST/labour/contract law, and destruction dates. Review access logs monthly for anomalies. Conduct annual third-party or internal audit of physical security. | Finance Manager or dedicated Compliance Officer | Ongoing (monthly reviews, annual audit)
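The steps above describe three records that reinforce each other: an inventory with retention periods and destruction dates, a shredding schedule driven by that inventory, and a monthly review of the access log against the key-holder list. The following Python script is an added example (not part of the NIRMATA guide or any tool it names) that shows how the three fit together once the log moves from paper to a "basic database". The document ids, key-holder names, log rows and the retention periods other than the 6-year GST and 3-year labour figures quoted in the guide are constructed sample data.

```python
"""Sensitive-document register and access-log review (added example).

Models the document inventory (type, location, retention period, destruction
date) and the monthly access-log review described in the steps above.
Every value below (retention periods other than the 6-year GST and 3-year
labour figures quoted in the guide, key holders, document ids, log lines) is
constructed sample data for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Retention period in years per record type. GST (6) and labour/employee (3)
# are the figures the guide quotes; the other two are placeholders.
RETENTION_YEARS = {
    "gst_invoice": 6,
    "employee_record": 3,
    "customer_contract": 8,  # placeholder
    "bank_statement": 8,     # placeholder
}

# People on the documented key-holder list (constructed).
KEY_HOLDERS = {"Priya (Finance Manager)", "Arun (Business Owner)"}

# Review date used for the worked run (constructed).
REVIEW_DATE = date(2024, 3, 31)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class DocumentBatch:
    doc_id: str
    doc_type: str
    location: str
    created: date  # date the retention clock starts from

    def destruction_date(self) -> date:
        return add_years(self.created, RETENTION_YEARS[self.doc_type])


# The inventory: one row per physical batch of records (constructed).
INVENTORY = [
    DocumentBatch("GST-2017-Q1", "gst_invoice", "Cabinet A, drawer 1", date(2017, 4, 1)),
    DocumentBatch("HR-2021-03", "employee_record", "Cabinet A, drawer 3", date(2021, 3, 1)),
    DocumentBatch("HR-2016-LEAP", "employee_record", "Cabinet A, drawer 3", date(2016, 2, 29)),
    DocumentBatch("BANK-2023-12", "bank_statement", "Safe", date(2023, 12, 31)),
    DocumentBatch("CON-2019-07", "customer_contract", "Cabinet B", date(2019, 7, 15)),
]

# Access log with the columns the guide lists: date, person, document, reason (constructed).
SAMPLE_LOG = """date,person,doc_id,reason
2024-03-04,Priya (Finance Manager),GST-2017-Q1,Quarterly GST reconciliation
2024-03-11,Rahul (Intern),HR-2021-03,
2024-03-15,Arun (Business Owner),BANK-2023-12,Bank reconciliation
2024-03-20,Priya (Finance Manager),CON-2018-01,Contract renewal
"""


def destruction_schedule(inventory: list[DocumentBatch]) -> dict[str, str]:
    """Map each doc_id to its ISO destruction date, for the inventory listing."""
    return {b.doc_id: b.destruction_date().isoformat() for b in inventory}


def due_for_destruction(inventory: list[DocumentBatch], today: date = REVIEW_DATE) -> list[str]:
    """Ids of batches whose retention period has expired and which should be shredded."""
    return [b.doc_id for b in inventory if b.destruction_date() <= today]


def review_access_log(log_text: str, key_holders: set[str],
                      inventory: list[DocumentBatch]) -> list[tuple[int, str]]:
    """Monthly review: flag log entries an auditor would question.

    Returns (log row number, finding) pairs for accesses by someone not on the
    key-holder list, entries with no business reason, and ids not in the inventory.
    """
    known_ids = {b.doc_id for b in inventory}
    findings: list[tuple[int, str]] = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=1):
        if row["person"] not in key_holders:
            findings.append((row_no, f"{row['person']} is not on the key-holder list"))
        if not row["reason"].strip():
            findings.append((row_no, "no business reason recorded"))
        if row["doc_id"] not in known_ids:
            findings.append((row_no, f"{row['doc_id']} is not in the document inventory"))
    return findings


if __name__ == "__main__":
    print("Destruction schedule:")
    for doc_id, when in destruction_schedule(INVENTORY).items():
        print(f"  {doc_id:14} destroy on {when}")
    print("Due for shredding as of", REVIEW_DATE, ":", due_for_destruction(INVENTORY))
    print("Access-log findings:")
    for row_no, finding in review_access_log(SAMPLE_LOG, KEY_HOLDERS, INVENTORY):
        print(f"  row {row_no}: {finding}")
```

Run it as-is to see the three reports. Replacing `SAMPLE_LOG` with the contents of a Google Forms export and `INVENTORY` with the real register turns it into the monthly review the 4 → 5 step asks for; the three checks map directly to the evidence items an auditor asks to see (key-holder list, business reason per access, inventory of what is stored).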
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Locked cabinet or secure storage room for sensitive documents with documented key holder list
  • Written Document Retention Policy stating which records are kept, for how long (e.g. GST invoices 6 years, employee records 3 years), and disposal method
  • Access Log (paper or digital) showing date, person name, file/document accessed, and business reason for at least the last 6 months
  • Inventory or checklist of sensitive document types stored, their current location, and last review date
  • Evidence of document destruction (shredding receipts, disposal log, or photos of shredded batches) for records older than retention period
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me where you store documents containing customer personal data, bank information, and employee records. Are they locked? Who has access?"
  • "Do you have a written policy on how long you keep different types of records and how you destroy them when no longer needed?"
  • "Can you show me an access log for the past 6 months proving you track who accesses sensitive files?"
  • "What is your retention period for GST invoices, employee records, and customer contracts? How do you ensure they are destroyed securely after that time?"
  • "Have you conducted any audit or inspection of your document storage to confirm it is secure and compliant?"
🛠 Tools That Work in India

Purpose | Free Option | Paid Option
Simple spreadsheet to track document access and shredding | MS Excel or Google Sheets (included with Office 365 or free Google account) | —
Physical document destruction service to safely shred bulk old records | Local shredding services in your city: typically ₹50–150 per kg (e.g. Delhi Shredding, Bangalore Shred-All, Mumbai Secure Waste) | Annual budget ₹10,000–30,000 depending on volume
Lockable filing cabinet or safe to store sensitive documents | Metal lockable 4-drawer cabinet: ₹8,000–15,000 (Amazon, Flipkart, local office furniture suppliers) | Safe for high-value docs: ₹20,000–50,000
Document labeling and retention schedule poster for office walls | Create custom template in Canva (free account) or use Word template | —
Access control log book or register | Plain ruled register from any stationery shop (₹50–100) or use Google Forms | —
🛡 How This Makes You More Resilient

When physical documents are secured, you prevent opportunistic theft by employees, contractors, or visitors—reducing the likelihood of a data breach that could trigger DPDP fines and customer lawsuits. You also avoid losing critical business documents (invoices, contracts, PAN/GST records) to theft or disaster, ensuring you can recover quickly from a break-in or fire. Most importantly, you demonstrate to customers and auditors that you take data protection seriously, which builds trust and helps you win contracts from large enterprises that audit suppliers.
⚠️ Common Pitfalls in India

  • Locking documents in a cabinet but keeping the key in an obvious place (desk drawer, under the desk mat) or sharing it widely—defeats the purpose. Also forgetting which colleague has the spare key, creating untracked access.
  • Not having a retention schedule and keeping old documents forever (creating a large target for theft) or destroying records too early and being unable to provide GST invoices (6-year requirement) during an audit.
  • Assuming 'only our office staff' will access files and not accounting for cleaners, maintenance contractors, delivery staff, or visitors who may wander and see documents on desks.
  • Storing originals of sensitive documents (customer contracts, bank statements) in a cabinet but leaving copies or drafts on shared desks, or printing email attachments and leaving the printouts lying around.
  • Documenting the policy but not training staff or enforcing it—files end up scattered again because employees do not understand why it matters.
⚖️ Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 8 (reasonable security measures) and Section 10 (data retention and deletion)
CERT-In 2022 Guidelines | Guideline 8 (information security practices) on physical and logical access controls
ISO 27001:2022 | Annex A.7.1 (physical access controls) and Annex A.8.2.3 (handling of media)
NIST CSF 2.0 | Govern function: GV.RO-01 (organizational context and objectives) and Protect function: PR.AC-01 (physical access control)

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security