NCSRC NIRMATA
AD-17 Application & Product Security 6% of OML score

Are employees guided on how to store and share business data safely?

Do you have clear written rules that tell your employees how to safely store business data (like customer lists, financial records, passwords) and how to share it safely with others? This means having simple, documented guidance that every team member can follow so sensitive information doesn't accidentally leak or get misused.

Why This Matters to Your Business

Without clear guidance, employees often store sensitive data in unsafe places—like unencrypted Excel files on personal email, shared WhatsApp groups, or public cloud folders—and don't realize the risk. A data breach can result in losing customer trust, facing penalties under the Digital Personal Data Protection Act 2023, and damaging your business reputation in your market. For example, if a textile exporter's customer list gets leaked through an unsecured email share, competitors can poach clients and you may face legal action if customer data was mishandled. Audits, vendor assessments, and compliance checks will fail if you cannot show documented data handling practices.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You find customer data stored in multiple places with no clear rules: personal Gmail accounts, WhatsApp backups, USB drives left at desks, and shared folders anyone can access. Employees have never been told how to handle sensitive information safely.

Level 1
Initial

You have noticed data is stored insecurely but have only given verbal instructions during meetings; no written policy exists. Some employees might remember the guidance, but there is no consistent way to enforce or verify compliance.

Level 2
Developing

You have a written data handling policy that covers basic rules like 'don't email passwords' and 'lock your computer,' and you've shown it to your team once. However, the policy is not updated regularly and there is no way to check if people are actually following it.

Level 3
Defined

You have a clear, written Data Handling & Sharing Policy that covers storage, sharing, and access controls, reviewed annually. All employees sign an acknowledgment when hired, and you conduct spot checks to verify compliance.

Level 4
Managed

Your data handling policy is regularly updated based on feedback and new risks, integrated into onboarding, and supported by secure tools (encrypted cloud storage, password managers). Employees receive yearly refresher training and you track compliance through audits.

Level 5
Optimised

You have a mature data governance program where data handling practices are embedded in every process, monitored automatically through tools, continuously improved based on risk assessments, and audited by third parties. Employees understand not just the rules but the 'why' behind them.

How to Move Up — Practical Steps
Step 0 → 1
  What to do: Call a team meeting and verbally explain three basic rules: (1) never share passwords by email, (2) lock your computer when you leave, (3) don't store customer data on personal devices. Document the date and attendees.
  Who: Business Owner or IT Manager
  Effort: 1 day

Step 1 → 2
  What to do: Create a one-page Data Handling Policy document in simple Hindi/English covering: where to store data (approved folder only), how to share securely (a shared folder or access-restricted link, not an email attachment), and what NOT to do (personal cloud, USB drives, chat apps). Print it and post it on the office wall.
  Who: Business Owner with input from IT or HR
  Effort: 3-5 days

Step 2 → 3
  What to do: Expand the policy to 2-3 pages with specific examples for your business, add a sign-off sheet, and conduct a 30-minute training session with all staff. Keep the sign-off sheets on file for audit purposes.
  Who: IT Manager or designated compliance person
  Effort: 1-2 weeks

Step 3 → 4
  What to do: Set up a secure file-sharing tool (Google Workspace, OneDrive, or similar) with role-based access, implement a password manager for shared credentials, and provide quarterly refresher training with practical examples. Document all training.
  Who: IT Manager with vendor support if needed
  Effort: 4-8 weeks including tool setup and staff training

Step 4 → 5
  What to do: Conduct annual risk assessments to identify new data handling gaps, update the policy based on emerging threats, integrate data handling into performance reviews, and engage an external auditor to verify compliance annually.
  Who: Compliance Manager or IT Manager with external auditor
  Effort: Ongoing (monthly review, quarterly audits, annual external assessment)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Data Handling & Sharing Policy document (signed and dated, with version control)
  • Employee acknowledgment forms or sign-off sheets showing each team member has read and agreed to the policy
  • List of approved tools and systems for storing and sharing data (e.g., 'Only use Google Drive Folder X, not personal email')
  • Training records showing dates, attendees, and topics covered (e.g., 'Cybersecurity and Data Safety Training - 15 Jan 2024')
  • Audit or spot-check logs documenting compliance verification (e.g., 'Checked 5 employee devices for unauthorized storage - passed')
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your written policy on how employees should store and share business data? Is it current and available to all staff?"
  • "How do you know your employees are actually following the data handling rules? Can you show me evidence of training or compliance checks?"
  • "What happens if an employee stores customer data on their personal WhatsApp or email? Is there a consequence, and how would you detect it?"
  • "If I interview your team, will they be able to tell me the correct way to share a sensitive document with a customer or partner?"
Tools That Work in India
Purpose: Securely store and share business files with controlled access instead of email
  Free option: Google Drive (with shared folder permissions), Nextcloud (self-hosted, free open-source), OneDrive free tier (5 GB limit)
  Paid option: Google Workspace ₹300-600/user/month, Microsoft 365 Business Basic ₹450-900/user/month, Tresorit (end-to-end encrypted; per-user monthly plans)

Purpose: Manage and securely store shared passwords so employees don't write them down or email them
  Free option: Bitwarden (open-source), KeePass (desktop-based, free)
  Paid option: 1Password ₹1,200-2,500/year/user, LastPass Teams ₹2,400-3,600/year/user

Purpose: Track which files were accessed or shared, by whom and when, and enforce data retention policies
  Free option: Google Workspace audit logs (included), basic file versioning in Drive/OneDrive
  Paid option: Microsoft Purview (₹12,000+/year), Varonis Data Security Platform (₹5,00,000+/year for large setups)
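The auditor question above ("how would you detect it?") and the monitoring row in this table both come down to reading the sharing events your file platform already records. The following added example, which is not part of the NIRMATA guide, shows that logic for Google Drive audit logs: it walks activity records in the shape the Admin SDK Reports API returns (id.time, actor.email, events[].parameters[]), flags any sharing event that sets a file to "anyone with the link" or public, or that grants access to an account or domain outside the company, and returns findings a spot-check log can cite. The records are constructed test data; the field and visibility names follow the public Drive audit schema as I understand it, and the company domain example.in is a placeholder, so check both against a real export from your Admin console before relying on the rules.

```python
"""Flag risky sharing events in a Google Drive audit-log export.

Added example, not code from the NIRMATA guide. It assumes the input is the
list of activity records returned by the Admin SDK Reports API for
applicationName=drive (each with id.time, actor.email and events[] whose
parameters[] carry doc_title, visibility, target_user, ...). The records
below are constructed test data and COMPANY_DOMAIN is a placeholder.
"""

COMPANY_DOMAIN = "example.in"  # assumption: the organisation's own Workspace domain

# Event names that change who can reach a file; other Drive events (view,
# download, edit) are deliberately ignored here.
SHARE_EVENTS = {"change_user_access", "change_document_visibility", "change_acl_editors"}

# Visibility values that expose a file beyond the domain. Public is worse
# than "anyone with the link", so the two get different severities.
VISIBILITY_SEVERITY = {"people_with_link": "medium", "public_on_the_web": "high"}


def _activity(time, actor, event_name, **params):
    """Build one record in the Reports API shape (constructed test data)."""
    return {
        "id": {"time": time},
        "actor": {"email": actor},
        "events": [{"name": event_name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    }


# Constructed sample log: one internal share, one link share, one external
# share, one download, one public exposure and one revocation.
SAMPLE_ACTIVITIES = [
    _activity("2024-01-15T09:12:03Z", "asha@example.in", "change_user_access",
              doc_title="Customer List FY24.xlsx", target_user="ravi@example.in",
              old_value="none", new_value="can_edit"),
    _activity("2024-01-15T09:40:11Z", "asha@example.in", "change_document_visibility",
              doc_title="Customer List FY24.xlsx", old_visibility="private",
              visibility="people_with_link"),
    _activity("2024-01-15T11:05:47Z", "ravi@example.in", "change_user_access",
              doc_title="Supplier Pricing Q1.pdf", target_user="buyer@partner-corp.com",
              old_value="none", new_value="can_view"),
    _activity("2024-01-15T14:22:30Z", "meena@example.in", "download",
              doc_title="Supplier Pricing Q1.pdf"),
    _activity("2024-01-16T08:01:19Z", "meena@example.in", "change_document_visibility",
              doc_title="Export Invoices 2023.xlsx", old_visibility="people_within_domain",
              visibility="public_on_the_web"),
    _activity("2024-01-16T08:30:00Z", "asha@example.in", "change_document_visibility",
              doc_title="Customer List FY24.xlsx", old_visibility="people_with_link",
              visibility="private"),
]


def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if malformed)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def find_risky_shares(activities, company_domain=COMPANY_DOMAIN):
    """Return one finding per sharing event that leaks outside company_domain.

    A finding carries the time, actor, document title, the worst severity
    that applied and every reason that fired, oldest first, so a spot-check
    log can cite it directly.
    """
    company_domain = company_domain.lower()
    findings = []
    for act in activities:
        when = act["id"]["time"]
        actor = act.get("actor", {}).get("email", "unknown")
        for event in act.get("events", []):
            if event.get("name") not in SHARE_EVENTS:
                continue
            p = _params(event)
            reasons, severity = [], None
            visibility = p.get("visibility")
            if visibility in VISIBILITY_SEVERITY:
                reasons.append(f"visibility changed to {visibility}")
                severity = VISIBILITY_SEVERITY[visibility]
            target = p.get("target_user", "")
            if target and _domain_of(target) != company_domain:
                reasons.append(f"shared with external account {target}")
                severity = severity or "medium"
            target_domain = p.get("target_domain", "")
            if target_domain and target_domain.lower() != company_domain:
                reasons.append(f"shared with external domain {target_domain}")
                severity = severity or "medium"
            if reasons:
                findings.append({"time": when, "actor": actor,
                                 "doc_title": p.get("doc_title", p.get("doc_id", "?")),
                                 "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: f["time"])  # ISO-8601 strings sort chronologically
    return findings


if __name__ == "__main__":
    for f in find_risky_shares(SAMPLE_ACTIVITIES):
        print(f"{f['time']} [{f['severity']:6}] {f['actor']} -> {f['doc_title']}: "
              + "; ".join(f["reasons"]))
```

Run as-is it reports three findings from the constructed records: the link share and the external share as medium, the public exposure as high; the internal share, the download and the later revocation are silent. For real use, replace SAMPLE_ACTIVITIES with the output of an Admin SDK activities.list call for applicationName=drive (or the JSON export of the Drive audit log from the Admin console) and set COMPANY_DOMAIN. External shares to a known partner may be legitimate under your policy; the point is that every such event is visible and reviewed, which is exactly the evidence an auditor asks for.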
How This Makes You More Resilient
When employees know the safe way to handle data, accidental leaks from misconfigured shares, unencrypted emails, or lost devices drop dramatically—protecting customer trust and your business reputation. You also reduce the risk of regulatory fines under data protection laws because you can show you took reasonable steps to protect information. In a crisis (like a ransomware attack), having clear data handling practices means you can quickly identify what was compromised and recover faster, keeping your operations running.
Common Pitfalls in India
  • Creating a policy in English only when many team members speak Hindi or regional languages—they may not understand and won't follow rules they don't comprehend. Translate key policies into local languages.
  • Assuming one training session is enough—employees forget or ignore guidance given only once. Refresher training every 6-12 months and ongoing communication are essential, especially during staff turnover.
  • Focusing only on 'big' data like customer lists but ignoring 'small' data like employee contact lists, supplier pricing, or internal meeting notes—attackers and competitors value all of it. Make sure your policy covers all types of business data.
  • Not monitoring or enforcing the policy—if there are no consequences, employees will continue unsafe practices. Spot checks and performance reviews should include data handling compliance.
Compliance References
Standard: DPDP Act 2023
  Relevant section: Section 8 (General obligations of Data Fiduciary; sub-section (5) requires reasonable security safeguards to prevent a personal data breach) and Sections 11-14 (rights of the Data Principal, which you can only honour if you know where personal data is stored and who has it)

Standard: CERT-In 2022
  Relevant section: Guideline 4.2 (Employee Awareness & Training) – recommends documented security awareness training including data handling

Standard: ISO 27001:2022
  Relevant section: A.5.1 (Policies for information security), A.5.10 (Acceptable use of information and other associated assets), A.5.14 (Information transfer), A.6.3 (Information security awareness, education and training), A.8.1 (User endpoint devices) – requires documented policies, rules for handling and transferring information, and employee awareness

Standard: NIST CSF 2.0
  Relevant section: Govern > Policy (GV.PO-01: a cybersecurity risk management policy is established, communicated and enforced); Protect > Awareness and Training (PR.AT-01); Protect > Data Security (PR.DS-01 data-at-rest, PR.DS-02 data-in-transit)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
