If you don't know what personal data you're collecting, you cannot protect it, comply with laws, or respond properly when something goes wrong. For example, a Delhi-based e-commerce business was fined ₹50 lakhs by a customer court because it could not prove it knew what customer data it held or where backups were stored, even after a breach complaint. If a cyber-attack happens or a customer asks for their data under the DPDP Act 2023, you'll be unable to answer quickly, you'll lose customer trust, and you'll face regulatory penalties. Many Indian businesses collect data through forms, websites, and WhatsApp but have no central record, which makes compliance audits and breach investigations impossible.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no documented list of personal data collected. When asked what customer information you store, different team members give conflicting answers or you say 'we'll have to check the files'.
Initial
You have a rough, incomplete list of data types written down somewhere (maybe a notebook or single spreadsheet), but it's not organized by department or regularly updated. Some team members know what they collect, but it's not formally documented.
Developing
You have a documented Data Inventory spreadsheet that lists the main categories of personal data (customer names, phone, email, addresses, payment info) and which department collects each. The list exists but is not reviewed or updated more than once a year.
Defined
You maintain an updated Data Inventory that includes data categories, where each type is collected, who stores it, how long it's kept, and who can access it. This document is reviewed and updated at least twice a year when new processes or systems are added.
Managed
You have a formal Data Mapping document (sometimes called a Data Asset Register) that covers all personal data types, collection points, storage systems, retention periods, legal basis, and data flow across departments. It is reviewed and tested quarterly, and changes are logged.
Optimised
You have an automated or systematically maintained Data Register integrated with your IT asset management. All data flows are documented, mapped to DPDP Act obligations, tested annually, and linked to your Privacy Impact Assessments and breach response procedures.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Conduct a half-day Data Collection Audit: Interview each department (Sales, HR, Accounts, Operations) and write down every type of personal data they collect, how they collect it (form, email, phone, system), and where they store it. Create a simple one-page list. | Owner or IT Manager with departmental leads | Half day |
| 1 → 2 | Organize the list into a structured spreadsheet with columns: Data Type, Department, Collection Method, Storage Location, and Approximate Quantity. Add a date and review instruction at the top. | IT Manager or Office Administrator | 1–2 days |
| 2 → 3 | Expand the Data Inventory to include: Purpose of Collection, Retention Period (e.g., 'Until customer inactive for 2 years'), Access Controls (who can see it), and Legal Basis (e.g., 'Customer consent for marketing'). Assign one person to review it every 6 months and sign off. | IT Manager with HR and Legal input | 2–3 weeks |
| 3 → 4 | Create a formal Data Mapping document that includes Data Flow Diagrams (showing how data moves from collection to storage to disposal), links each data type to DPDP Act clauses, documents third-party access, and establishes a quarterly review cycle with change logs. | IT Manager or external Privacy Consultant (₹30k–₹50k for small business) | 4–8 weeks |
| 4 → 5 | Integrate the Data Register into your IT asset management system (or use a dedicated privacy management tool); automate notifications when retention periods expire; link data inventory to your Privacy Impact Assessment and incident response procedures; conduct annual validation testing. | IT Manager and external IT/Privacy Consultant | Ongoing (quarterly reviews and updates) |
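As an added example (not part of the page or the NIRMATA assessment), a Python check over a Data Inventory exported as CSV with the columns named in the 1 → 2 and 2 → 3 steps: it reports which maturity level the rows support, which rows missed the six-month review, and which have passed their retention period. The column names, the 182-day review cycle, the simple "N years/months" retention format and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import re
from datetime import date, timedelta

# Columns the 1->2 and 2->3 steps ask for (Approximate Quantity left optional here).
LEVEL2_COLUMNS = ["Data Type", "Department", "Collection Method", "Storage Location"]
LEVEL3_COLUMNS = LEVEL2_COLUMNS + ["Purpose", "Retention Period", "Access Controls", "Legal Basis"]
REVIEW_CYCLE_DAYS = 182  # assumption: "at least twice a year" taken as a six-month cycle

# Constructed sample inventory for a hypothetical business; not real data.
SAMPLE_INVENTORY = """\
Data Type,Department,Collection Method,Storage Location,Purpose,Retention Period,Access Controls,Legal Basis,Last Activity,Last Reviewed
Customer phone,Sales,Web form,CRM,Order follow-up,2 years,Sales team,Consent,2022-01-10,2024-06-01
Employee Aadhaar,HR,Paper form,File share,Statutory filing,7 years,HR manager,Legal obligation,2024-03-01,2023-10-15
Vendor bank details,Accounts,Email,Email inbox,,,,,2024-05-20,2024-06-01
"""

def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def missing_columns(row, columns):
    """Required columns that are absent or blank in one row."""
    return [c for c in columns if not (row.get(c) or "").strip()]

def maturity_level(rows):
    """3 (Defined) if every row has the level-3 columns, 2 (Developing) for level-2, else 1."""
    if all(not missing_columns(r, LEVEL3_COLUMNS) for r in rows):
        return 3
    if all(not missing_columns(r, LEVEL2_COLUMNS) for r in rows):
        return 2
    return 1

def retention_days(text):
    """Parse '2 years' / '6 months' style retention text; None if blank or free-form prose."""
    m = re.match(r"\s*(\d+)\s*(year|month)", text or "")
    return int(m.group(1)) * (365 if m.group(2) == "year" else 30) if m else None

def run_checks(text, today_iso):
    """Return the maturity level plus rows with overdue reviews or elapsed retention."""
    rows, today = parse_inventory(text), date.fromisoformat(today_iso)
    overdue = [r["Data Type"] for r in rows
               if (today - date.fromisoformat(r["Last Reviewed"])).days > REVIEW_CYCLE_DAYS]
    expired = []
    for r in rows:
        days = retention_days(r.get("Retention Period"))
        if days is not None and date.fromisoformat(r["Last Activity"]) + timedelta(days=days) < today:
            expired.append(r["Data Type"])  # retention lapsed: schedule deletion or justify keeping it
    return {"level": maturity_level(rows), "overdue_reviews": overdue, "expired_retention": expired}
```

Rows with an unparseable retention text (such as 'Until customer inactive for 2 years') are skipped rather than flagged, so a blank or free-form Retention Period column should be tightened before relying on the expiry check.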
Documents and records that prove your maturity level.
- Documented Data Inventory or Data Register listing all personal data types collected (e.g., customer names, email, phone, addresses, payment info, employee salary, vendor bank details)
- A spreadsheet or document showing where each data type is collected (web form, manual entry, API, third-party tool), stored (database, file share, email, cloud), and who has access
- Retention Schedule defining how long each category of personal data is kept before deletion (e.g., 'Customer data retained for 3 years after last transaction')
- Data Flow Diagram or written description showing the journey of personal data from collection through storage, processing, and disposal
- Evidence of at least one documented review or update of the inventory in the past 12 months (dated sign-off by responsible person)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a current, written list of all types of personal data your business collects? Who maintains this list and when was it last updated?"
- "Walk me through how customer data flows from the point of collection (e.g., your website form) to final storage—where does it sit, who touches it, and how long do you keep it?"
- "If I asked your HR team, your Finance team, and your Operations team right now what personal data they collect, would they all give me the same answer? How do you ensure consistency?"
- "How do you know when you've collected a new type of personal data (for example, if you started asking customers for their Aadhaar number)? How is that documented?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a simple Data Inventory spreadsheet | Microsoft Excel (if already licensed) or Google Sheets (free, cloud-based, easy to share and version-control) | — |
| Manage data inventory, map data flows, and track retention across multiple departments | Notion (free tier limited to 10 users) or Airtable (free tier with 1,200 records) | OneTrust (from ₹5–10 lakhs/year for SMEs) or TrustArc (from ₹4–8 lakhs/year) |
| Document data flows visually and create Data Protection Impact Assessments (DPIA) | draw.io (free, open-source) for diagrams; LibreOffice Writer for documentation | Lucidchart (₹40k–₹60k/year) or Microsoft Visio (₹12k–₹20k/year) |
- Collecting data but storing it only in WhatsApp, email inboxes, or handwritten registers, then claiming you have 'no system' when asked for a list. The DPDP Act requires documented knowledge of what you hold regardless of the storage method.
- Creating a Data Inventory once and never updating it. When you add a new online form, CRM, or vendor, the inventory becomes out of date and unreliable during audits or breach investigations.
- Treating customer and employee data separately without a unified view. A small business owner may know the customer data flows but forget that HR collects salary, Aadhaar, bank account, and family details, leaving sensitive employee information unprotected.
- Outsourcing data collection to a third party (e.g., a marketing agency or logistics partner) but not documenting what data they collect on your behalf. When asked, you don't know if your data is being duplicated or stored insecurely outside your control.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 7 (Rights of Data Principal), Section 8 (Consent), Section 10 (Obligation of Fiduciary to maintain records of processing activities) |
| CERT-In 2022 | Direction 3 (Maintain an up-to-date, documented inventory of all IT assets and data holdings) |
| ISO 27001:2022 | Clause 5.23 (Information Security Incident Management) and Annex A Control A.5.9 (Access Control), which require knowledge of what data exists to be protected |
| NIST CSF 2.0 | Govern (GV) function: GV.OC-01 (Establish and maintain governance structure to manage cybersecurity risk) and GV.RV-01 (Establish risk management strategy based on understanding of assets and threats) |