NCSRC NIRMATA
AD-19 · Application & Product Security · 6% of OML score

Are data locations and assets reviewed after major business changes?

When your business changes—like when you acquire another company, open a new office, hire a lot of staff, or reorganize departments—do you check where all your customer data, financial records, and other important files are actually stored and who can access them? This question asks whether you're actively tracking and reviewing your data locations every time something big happens in your business.

⚡ Why This Matters to Your Business

If you don't review where data goes after big changes, you risk losing track of sensitive customer information, failing compliance audits (especially under DPDP Act 2023), and exposing yourself to breaches. For example, when a Bangalore IT services firm merged with a smaller subsidiary, nobody updated the data inventory—customer records ended up in an unsecured shared folder on the subsidiary's server, leading to a data breach that cost ₹50 lakhs in fines and customer trust. Without this control, regulators can fine you, customers can sue, and you won't even know where your own data is.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You don't have a formal list of where data is stored. When asked where customer records live, people point to different folders, cloud accounts, or backup drives without documentation. Nobody checks this after mergers or restructuring—data just ends up wherever it ends up.

Level 1
Initial

You have a basic list (maybe a spreadsheet or email) of where critical data lives, created once or occasionally updated. After a business change, someone updates it manually, but the process isn't documented and depends on one person remembering to do it.

Level 2
Developing

You maintain a documented data inventory that lists locations, types of data, and owners. After major business changes, a responsible person (like the office manager or IT person) reviews the inventory, updates it, and records when it was checked. This happens somewhat consistently.

Level 3
Defined

Your data inventory is formal and reviewed quarterly or after every major business event (merger, office opening, restructuring). You have a defined process showing who updates it, when, and what gets reviewed. Approval from a manager confirms completeness before and after changes.

Level 4
Managed

Data location reviews are automated where possible (e.g., IT systems report where data resides). Reviews happen at least quarterly and immediately after major business changes. You compare new findings against the previous inventory to identify unauthorized movements or new locations. Exceptions are investigated and documented.

Level 5
Optimised

Data locations are continuously monitored using IT tools and reviewed in real time. Within 48 hours of any significant business change, new locations are identified, classified, and assessed for compliance. Anomalies are automatically flagged, investigated, and reported to leadership monthly.

🚀 How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Create a simple spreadsheet listing where your critical data is stored right now (customer database, financial records, HR files, backups). Ask your IT person or whoever manages servers/cloud accounts what they know. Save this as your first inventory. | Office manager or IT person | 1-2 days
1 → 2 | Document a formal process: define who owns data in each location, what type of data it is (customer/financial/operational), and when it will be reviewed. Create a checklist or form that gets filled out and signed by the responsible person after you do this review. | IT person with approval from business owner | 1 week
2 → 3 | Set a quarterly review schedule on the calendar. After each major business event (new hire, office opening, reorganization), trigger an immediate review using your documented checklist. Keep records of every review dated and approved by a manager. Test this process at least once. | IT person or designated data manager | 2-3 weeks (including testing)
3 → 4 | Use IT tools (like your server admin panel or cloud console) to generate automatic reports of where data is stored. Compare each report against your documented inventory to spot new locations or unauthorized movement. Document findings and who investigated any discrepancies. | IT person with technical training | 4-6 weeks (including setup and process refinement)
4 → 5 | Implement continuous monitoring using Data Discovery and Classification tools that scan your systems automatically. Set up alerts to notify you immediately when new sensitive data appears in unexpected locations. Review and act on alerts within 48 hours. Report findings to leadership monthly. | IT person or external consultant, with security tool vendor | Ongoing (2-3 hours per week for monitoring and alerting)
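The Level 4 description and the 3 → 4 step both come down to one check: take what your tooling reports about where data actually sits and diff it against the documented inventory. The script below is an added illustration, not part of the NIRMATA guide or any vendor product; the CSV columns, sample locations and the 90-day review window are assumptions chosen to match the quarterly cadence the guide describes.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory, i.e. the documented list (columns are assumed).
INVENTORY_CSV = """location,data_type,owner,last_reviewed
fileserver01:/finance,financial,CFO,2024-01-15
crm.example.internal,customer,Sales Head,2024-02-01
s3://acme-backups,backup,IT Lead,2023-10-10
"""

# Constructed sample discovery report, as a scanner or admin console might
# export it after a merger brought a subsidiary NAS onto the network.
DISCOVERY_CSV = """location,data_type
fileserver01:/finance,financial
fileserver01:/finance,customer
crm.example.internal,customer
s3://acme-backups,backup
subsidiary-nas:/shared/customers,customer
"""

REVIEW_INTERVAL = timedelta(days=90)  # the guide's quarterly review cadence


def parse_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def compare(inventory_csv, discovery_csv, today):
    """Return sorted (finding, location, detail) tuples for the reviewer to sign off."""
    inventory = {r["location"]: r for r in parse_rows(inventory_csv)}
    discovered = parse_rows(discovery_csv)
    seen = {r["location"] for r in discovered}
    findings = []
    for r in discovered:
        known = inventory.get(r["location"])
        if known is None:  # data found somewhere the inventory never listed
            findings.append(("NEW_LOCATION", r["location"], r["data_type"]))
        elif known["data_type"] != r["data_type"]:  # e.g. customer data in a finance share
            findings.append(("UNEXPECTED_DATA_TYPE", r["location"],
                             f"{known['data_type']} -> {r['data_type']}"))
    for loc, r in inventory.items():
        if loc not in seen:  # inventory entry the scan could not confirm
            findings.append(("NOT_FOUND", loc, "listed but not seen by discovery"))
        if date.fromisoformat(today) - date.fromisoformat(r["last_reviewed"]) > REVIEW_INTERVAL:
            findings.append(("REVIEW_OVERDUE", loc, r["last_reviewed"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in compare(INVENTORY_CSV, DISCOVERY_CSV, "2024-03-01"):
        print(*finding, sep="\t")
```

Each finding is something the responsible person investigates and records, which is the dated, signed evidence the later sections ask for.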
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Data inventory spreadsheet or document listing all locations where critical data is stored, types of data, owners, and date created/last reviewed
  • Documented process or procedure document describing when and how data location reviews happen (e.g., quarterly schedule, post-restructuring checklist)
  • Signed records of data location reviews performed after each major business change (merger, office opening, reorganization) with date and reviewer name
  • Comparison reports or notes showing old vs. new data locations after business changes, with notes on any unauthorized movements or new locations discovered
  • Approval sign-offs from management confirming that data location reviews were completed and findings were acceptable
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "When was the last time you reviewed where all your customer and financial data is actually stored, and what triggered that review?"
  • "Walk me through what happened to your data locations when you opened your new Pune office last year. How did you ensure data didn't end up in unauthorized places?"
  • "If you merged with another company or acquired a team, how did you identify and secure their data locations? Show me the records."
  • "How do you know if sensitive data has moved to a location not on your official list? Do you have a process to detect unauthorized storage of company data?"
  • "What would you do if we found customer data stored on someone's personal laptop or an unencrypted shared drive after a restructuring?"
🛠 Tools That Work in India

Purpose | Free Option | Paid Option
Create and maintain your data inventory list with automatic reminders for quarterly reviews | Google Sheets or LibreOffice Calc with shared access and comment notifications | Airtable (₹5,000–₹15,000/year for team) or Smartsheet (₹10,000–₹30,000/year)
Scan your network and cloud storage to automatically detect where sensitive data is stored and flag risky locations | Windows File Server reports or basic cloud storage access logs (manual review) | Varonis (₹50,000–₹2,00,000/year), Microsoft Purview (₹3,000–₹10,000/month), or Tenable (₹1,50,000–₹5,00,000/year)
Track business changes and trigger automated reminders to review data locations after mergers, office openings, or restructuring | Google Calendar with email reminders, Trello board for tracking changes | ServiceNow (₹20,000–₹1,00,000/year), Jira (₹5,000–₹50,000/year)
🛡 How This Makes You More Resilient

When you regularly review data locations after business changes, you prevent customer data from disappearing into uncontrolled places, catch security breaches early before they cause damage, and pass compliance audits without scrambling. Your business becomes less vulnerable to expensive fines, customer lawsuits, and the chaos of discovering sensitive data stored insecurely months or years after a merger.
⚠️ Common Pitfalls in India

  • Creating a data inventory once and never updating it after business changes. Indian MSMEs often forget that a merger or new office means new data locations that must be reviewed—the inventory becomes outdated within months.
  • Assuming the IT vendor or cloud provider 'handles' data location security. Many Indian businesses don't realize they are still responsible for knowing where their data actually is, even if it's stored with a third party.
  • Losing track of data in subsidiaries or acquired teams. When you acquire a smaller company or hire contractors, their data (and where it lives) often gets forgotten because nobody formally integrates it into your main inventory.
  • Relying on one person to remember to do reviews. If your sole IT person leaves or gets busy, data location reviews stop happening—you need a documented process and calendar reminders.
  • Not checking cloud storage and backup locations. Indian businesses often inventory on-premise servers but forget to check AWS, Google Cloud, OneDrive, or personal backups where sensitive data may have migrated without permission.
⚖️ Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 8 (Purpose Limitation), Section 9 (Collection Limitation), and Schedule 2 (lawful basis for processing and storage location transparency)
CERT-In 2022 | Guideline 7.2 (asset inventory and management) and Guideline 7.3 (data inventory and classification)
ISO 27001:2022 | A.5.9 (Inventory of assets), A.8.1 (asset management), and A.8.2 (information and other assets classification)
NIST CSF 2.0 | GV.1 (Organizational context and objectives), ID.AM-1 (Physical and software assets are catalogued), and ID.GV-4 (Locations of information and resources)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
