If you store customer phone numbers, addresses, Aadhaar numbers, and bank details when you only need their email and order history, a data breach exposes far more sensitive information than necessary. A logistics company in Delhi that collected Aadhaar details from all delivery staff lost that data in a ransomware attack, leading to identity theft cases and ₹8 lakh in compensation claims. Regulators under the DPDP Act can fine you up to ₹5 crore for collecting data without justification, and customers will stop trusting you once word spreads.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You collect whatever data fields are easiest to grab—your form asks for phone, email, address, Aadhaar, PAN, date of birth, mother's name, all at once because the form template includes them. Nobody has documented why each field is actually needed.
Initial
You've listed the data fields you collect in a spreadsheet, but you haven't reviewed whether each one is truly necessary, and legacy forms still ask for old fields that aren't used anymore.
Developing
You have a basic data inventory document that shows which data you collect for each business process (e.g. customer signup, employee onboarding, vendor payments), and you've removed a few obviously unnecessary fields from your forms.
Defined
You maintain a formal Data Collection Form for each business process signed off by a manager, listing only the data needed; you've performed a one-time review and updated your online forms, email templates, and paper forms to match; staff are aware they should not ask for extra details.
Managed
You have a documented Data Minimization Policy reviewed annually; each new form or process is checked against this policy before launch; you regularly audit collected data against your inventory and remove fields no longer in use; teams understand the 'why' behind each data field.
Optimised
You conduct quarterly data minimization audits using automated discovery tools; your policy is integrated into system design (databases are built to store only approved fields); you have a formal exception approval process for any additional data collection; staff training includes data minimization as part of onboarding.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all data fields you currently collect in a spreadsheet (customer forms, employee records, vendor records, support tickets, etc.) by reviewing actual forms, databases, and Google Forms you use. | IT person or admin staff member | 2-3 days |
| 1 → 2 | Review the inventory with your manager and business owners; for each field, write down the business reason (e.g. 'phone for order delivery' or 'email for invoice'). Delete or mark as 'optional' any field without a clear reason. | Manager or business owner with IT person | 1 week |
| 2 → 3 | Create a one-page Data Collection Form template for each major process; update all actual forms (paper, web, spreadsheet) to match; communicate to all teams which data to collect and why. | IT person with manager review | 2-3 weeks |
| 3 → 4 | Write and approve a formal Data Minimization Policy (1-2 pages); require new projects to reference it before collecting data; train staff on the policy during monthly meetings. | Manager or compliance lead, IT person | 4-6 weeks |
| 4 → 5 | Implement quarterly automated audits using data discovery tools; update policy based on new business needs; refine data collection during system upgrades and process reviews. | IT person or external consultant | Ongoing (4 hours per quarter) |
Documents and records that prove your maturity level.
- Data Inventory spreadsheet or document showing all data fields collected, by business process, with business justification for each field
- Updated customer, employee, and vendor forms (paper and digital) that show only necessary fields marked as required or optional
- Data Minimization Policy document signed by management, outlining what data can be collected and approval process for new data collection
- Email or meeting notes showing staff communication about data collection rules and examples of fields that are no longer collected
- Audit log or checklist showing date and results of last review of collected data, with evidence of fields removed or added
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your customer registration form—why do you collect each field listed? Can you show me the business process that requires each one?"
- "What is your policy for deciding whether to collect a new data field (e.g. when building a new feature or form)? Who approves it?"
- "Show me your data inventory. How recent is this, and when was it last reviewed? Which fields have you removed in the past 12 months because they were not needed?"
- "If I look at your database or spreadsheet of stored data right now, are there fields in there that are no longer being used by any business process? How do you identify and clean those up?"
- "How do you handle optional vs. required fields on forms? Can customers or employees skip fields that are marked optional, or is there pressure to fill them in anyway?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Scan databases and storage to find what data fields actually exist and how much of each type is stored | Manual SQL queries or Google Sheets data review (no cost, time-intensive) | ManageEngine DataSecurity Plus (₹2–4 lakh/year) or Informatica Data Quality (₹8–15 lakh/year) |
| Create and manage forms that only ask for necessary fields, with conditional logic to skip optional ones | Google Forms or Jotform free tier (basic forms only) | Typeform (₹1,500–5,000/month) or Microsoft Forms with Office 365 |
| Document and version-control your data collection policy and approval workflows | Google Docs or LibreOffice (free, open-source) | Confluence (₹5,000–15,000/month for teams) or Microsoft SharePoint |
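The manual SQL review in the first row of this table can be scripted. The following is an added example, not part of the original page: it compares the columns that actually exist in a database against an approved data inventory and flags fields with no business justification, plus approved fields that hold no data. The inventory, table, column names and sample rows are constructed, and SQLite stands in for whatever database you run.

```python
import sqlite3

# Constructed inventory (not from the page): table -> {field: business reason}.
APPROVED = {
    "customers": {
        "id": "record key",
        "email": "invoice and order updates",
        "phone": "order delivery",
        "alt_phone": "delivery fallback",
    },
}

def build_sample_db():
    """Constructed in-memory database standing in for a real customer store."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT,"
        " alt_phone TEXT, aadhaar TEXT, mother_name TEXT)"
    )
    db.executemany(
        "INSERT INTO customers (email, phone, alt_phone, aadhaar, mother_name)"
        " VALUES (?, ?, ?, ?, ?)",
        [("a@example.com", "0000000001", None, "PLACEHOLDER-1", None),
         ("b@example.com", None, None, "PLACEHOLDER-2", None)],
    )
    return db

def audit(db, approved):
    """Return (table, column, status, non_null_rows, total_rows) findings."""
    findings = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        allowed = approved.get(table, {})
        total = db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        # Column names come from the schema itself, not from user input.
        cols = [r[0] for r in db.execute("SELECT name FROM pragma_table_info(?)", (table,))]
        for col in cols:
            # COUNT(column) counts only non-NULL values, i.e. rows that hold data.
            filled = db.execute(f'SELECT COUNT("{col}") FROM "{table}"').fetchone()[0]
            if col not in allowed:
                findings.append((table, col, "NO_JUSTIFICATION", filled, total))
            elif total and filled == 0:
                findings.append((table, col, "APPROVED_BUT_UNUSED", filled, total))
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_db(), APPROVED):
        print(finding)
```

A `NO_JUSTIFICATION` column that holds data needs a decision on deleting the stored values as well as removing the form field; an `APPROVED_BUT_UNUSED` column is a candidate for removal from both the inventory and the schema.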
- Collecting Aadhaar, PAN, or other identity numbers from all customers or vendors 'just in case' because your form template has always included them—but you rarely use them for your actual business, exposing everyone to identity theft risk if breached.
- Using personal mobile numbers of employees, delivery partners, or freelancers for business communication without clear justification, then storing those numbers in multiple systems (WhatsApp, CRM, email, attendance sheet) with no cleanup, multiplying breach surface area.
- Gathering 'optional' fields during signup (date of birth, mother's maiden name, spouse name) for demographic reports that are never actually run, creating a false sense of security while storing sensitive data you don't need.
- Storing old customer data from past orders, support tickets, or employee records forever because 'we might need it someday for legal reasons,' without a documented retention policy or periodic deletion schedule.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6(c) – Principle of data minimization; Section 8 – Collection of personal data only for specified, explicit, and legitimate purposes |
| CERT-In 2022 | Direction 2.1 – Implement data classification and minimize data storage; Direction 2.2 – Data retention policy |
| ISO 27001:2022 | A.5.2 (Information security policies), A.7.2 (Personnel onboarding), A.8.2 (Asset management – limiting data collection) |
| NIST CSF 2.0 | Govern (GV) function – GV.RO-01 (Organizational context and objectives include data minimization); Protect (PR) – PR.DS-01 (Data classification and handling) |