Without documented purposes, you cannot defend yourself during a data breach inquiry, customer complaint, or regulatory audit—and India's DPDP Act 2023 now makes this a legal requirement with potential fines up to ₹50 lakhs. A textile exporter collecting employee Aadhaar numbers without documenting why cannot prove legitimate purpose if data leaks; customers and auditors will assume misuse. You also cannot tell your team what data to protect, so staff mishandle or overshare customer information by accident. If you cannot explain your data collection to a bank or e-commerce partner during onboarding, they may refuse to work with you or demand expensive compliance fixes.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You collect customer names, phone numbers, addresses, and payment details but have no written record of why each field is collected or how it is used. Your team stores data wherever is convenient—spreadsheets, WhatsApp groups, emails—with no documented retention or deletion rules. |
| Initial | You have a rough list (even handwritten or in a basic document) of what data you collect, but the purposes are vague—e.g., 'for business' or 'customer records'—with no detail on how long you keep it or who can access it. Some team members know why certain data is collected, but there is no formal written policy. |
| Developing | You have a documented Data Collection and Usage Register that lists each type of personal data, its purpose (e.g., 'billing', 'delivery', 'marketing'), and basic retention period (e.g., 'kept for 5 years for tax'). The document exists but is not regularly reviewed or shared with your team. |
| Defined | Your Data Collection and Usage Register is updated at least annually, covers all systems and touchpoints (website, shop, WhatsApp, delivery partner), and is shared with your team during onboarding. You can explain to any auditor or customer why you collect each data element and how long you keep it. |
| Managed | Your data purposes are documented in a formal Data Privacy Impact Assessment (DPIA) and Privacy Notice shared with customers. You have a formal process to review and update purposes when business processes change, and staff training confirms everyone understands what data is collected and why. |
| Optimised | You have a mature Data Inventory that covers all collection points, integrates with your data retention and deletion schedules, and is automatically reviewed and updated when systems change. Regular audits confirm purposes remain valid, and customer consent flows (where required) are explicitly tied to documented purposes. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Meet with your owner/manager and team lead to list every type of customer and employee personal data you collect (name, phone, email, address, Aadhaar, bank account, etc.). Write down next to each one why you collect it in plain language (e.g., 'phone number—to send delivery updates'). | Business owner or IT lead | 1 day |
| 1 → 2 | Create a simple one-page Data Collection and Usage Register (template: columns for Data Type, Where Collected, Purpose, How Long Kept, Who Can Access). Fill it in for all data types. Share with your team and ask them to flag anything missed. | IT lead or designated compliance person | 3-5 days |
| 2 → 3 | Review your register against all business systems: website, CRM, billing software, delivery apps, WhatsApp Business, email. Add any data points you missed. Set a reminder to update the register every 6 months when business changes occur. | IT lead with input from sales, operations, and finance | 2 weeks |
| 3 → 4 | Create a simple Privacy Notice (even 1–2 pages) explaining to customers what data you collect and why; get legal review using a DPDP Act template. Train your team to share this notice during customer signup or purchase. Document consent where needed (e.g., marketing emails). | Compliance lead with external legal advisor | 4-6 weeks |
| 4 → 5 | Build a complete Data Inventory linked to your systems (even a spreadsheet with system names, data fields, purposes, retention rules). Conduct a formal Data Privacy Impact Assessment for high-risk processing (e.g., Aadhaar, payment data). Schedule quarterly reviews with your team. | Data Protection Officer or designated lead | Ongoing quarterly review and annual audit |
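The register from step 1 → 2 only earns its keep if someone checks it. The script below is an added example (not part of this page or any template it names): it reads a register with the columns suggested above, plus an assumed "Collected On" column, and flags the three failures the steps warn about: a missing or vague purpose, indefinite retention, and a retention period that has already run out. The sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register: the step 1 -> 2 columns plus an assumed
# "Collected On" date so that retention can actually be checked.
SAMPLE_REGISTER = """Data Type,Where Collected,Purpose,How Long Kept,Who Can Access,Collected On
Phone number,Website order form,To send delivery updates,2 years,Operations,2021-03-10
Email,Newsletter signup,Marketing (consent),Until opt-out,Marketing,2023-06-01
Aadhaar,HR onboarding,,7 years,HR,2020-01-15
Bank account,Vendor form,Vendor payments,forever,Finance,2019-05-20
"""

# Purpose strings that an auditor would not accept as a documented purpose.
VAGUE_PURPOSES = {"", "for business", "customer records", "just in case"}
# Retention wording that means "no retention policy at all".
INDEFINITE = {"forever", "indefinitely", "permanent"}

def parse_retention_years(text):
    """Return retention in whole years, or None for event-based wording like 'Until opt-out'."""
    parts = text.strip().lower().split()
    if len(parts) == 2 and parts[0].isdigit() and parts[1] in ("year", "years"):
        return int(parts[0])
    return None

def review_register(csv_text, today):
    """Return (data_type, finding) pairs for rows that would fail a purpose/retention review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dtype = row["Data Type"]
        purpose = row["Purpose"].strip().lower()
        kept = row["How Long Kept"].strip().lower()
        if purpose in VAGUE_PURPOSES:
            findings.append((dtype, "missing or vague purpose"))
        if kept in INDEFINITE:
            findings.append((dtype, "indefinite retention"))
        years = parse_retention_years(kept)
        if years is not None:
            collected = date.fromisoformat(row["Collected On"])
            # 365 days per year is close enough for a deletion reminder; leap days are ignored.
            if collected + timedelta(days=365 * years) < today:
                findings.append((dtype, "retention period expired, schedule deletion"))
    return findings

if __name__ == "__main__":
    for dtype, finding in review_register(SAMPLE_REGISTER, date(2025, 1, 1)):
        print(f"{dtype}: {finding}")
```

Run it against your own exported register on the 6-monthly review date from step 2 → 3; an empty result is the evidence an auditor is asking for.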
Documents and records that prove your maturity level.
- Data Collection and Usage Register: a document listing all personal data types collected, the business purpose for each, retention period, and who can access it
- Privacy Notice or Privacy Policy: a customer-facing document explaining what data is collected, why, how long it is kept, and customer rights
- Data sources inventory: a record of all systems, apps, and processes where personal data is collected (website forms, CRM, billing software, WhatsApp, point-of-sale, delivery partner integrations, etc.)
- Consent records or opt-in logs: evidence that customers were told why their data is collected and agreed, especially for marketing or non-essential purposes
- Staff training records: proof that your team has been shown the data purposes and understands what data to protect and why
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a document that lists all the personal data you collect, why you collect each field, and how long you keep it?"
- "If I pick a random customer record, can you explain to me why you are holding their phone number, email, and address? What business purpose does each serve?"
- "Do your customers know what data you collect about them and why? Can you show me your Privacy Notice or where you disclose this on your website or in-store?"
- "If you stopped using a particular data field tomorrow (e.g., you no longer send SMS marketing), would your team know to delete that data from customer records? How do you manage data deletion?"
- "Walk me through your systems: your website, billing software, CRM, delivery partner links, WhatsApp Business. For each one, what personal data flows through it and why?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and manage your Data Collection and Usage Register with templates and guidance | Google Sheets or Microsoft Excel; use NIST or DPDP Act templates available free online | OneTrust (enterprise tool, ₹5-10 lakhs/year) or TrustArc (₹2-3 lakhs/year) — overkill for MSMEs |
| Draft a Privacy Notice or Privacy Policy compliant with DPDP Act 2023 | MEITY template or free DPDP Act Privacy Policy generator online; consult a local lawyer for review (₹10-20k one-time) | LawBite or similar legal tech platforms (₹5-15k for a custom notice) |
| Track data retention and deletion schedules to ensure you keep data only as long as needed | Simple spreadsheet with data type, collection date, and deletion date columns; set calendar reminders | Compliance automation tools like Hyperproof or Drata (₹3-5 lakhs/year) — for larger enterprises |
| Document consent and customer preferences for data use (e.g., marketing opt-ins) | Typeform or Google Forms for customer consent collection; record responses in a spreadsheet | Termly or Osano consent management platform (₹2-4 lakhs/year) |
| Train your team on data purposes and responsibilities | In-house training using your own Privacy Notice and Data Register; create a simple checklist for staff | LinkedIn Learning or Coursera course on data protection (₹500-2000 per person) |
- Collecting Aadhaar, PAN, or bank details 'just in case' without a clear, documented purpose—this violates DPDP Act Section 6(a) and invites regulatory action if data is breached
- Sharing customer data with delivery partners, payment gateways, or marketing vendors without documenting the purpose or the legal basis (legitimate interest, consent, etc.); auditors will ask you to prove why this sharing is necessary
- Assuming that because you use WhatsApp Business or a CRM, you do not need to document data purposes—even free tools trigger DPDP Act obligations, and you must show auditors why you chose that tool for that data
- Keeping customer data indefinitely 'for records' without a retention policy; DPDP Act Section 10 requires data to be kept only as long as necessary, and indefinite storage increases breach risk and liability
- Never updating your data purposes when business changes (e.g., you start offering a new service or stop using a marketing channel); auditors will find outdated purpose statements and question your controls
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6(a) (lawfulness of processing), Section 8 (consent), and Schedule 1 (legitimate uses); Section 17 (notice to data principals on collection) |
| CERT-In 2022 | Guideline 4.2 (data classification and inventory) and Guideline 6 (awareness and training) |
| ISO 27001:2022 | Annex A, Control A.5.1.1 (policies for information security) and A.8.1.1 (user responsibility) |
| NIST CSF 2.0 | Govern Function (GV): GV.RO-01 (roles, responsibilities) and Manage Function (MA): MA.DM-01 (data inventory) |