When personal data is sitting around for anyone to access, the risk of theft, misuse, or accidental exposure shoots up. A real example: a Delhi-based e-commerce startup stored customer addresses and phone numbers on a shared Excel file with no password; an angry ex-employee downloaded it and sold it to a spam marketing firm, flooding customers with scam calls and destroying the company's reputation. Under the Digital Personal Data Protection Act 2023, you are legally responsible for protecting this data—if there's a breach because access wasn't restricted, you face penalties up to ₹5 crore, plus customer lawsuits. Your business could also lose certifications, customer contracts (especially if you work with government or large enterprises), and your ability to operate.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no idea who has access to what data. Customer files sit in shared folders, databases have one login everyone uses, and paper records are in an open cupboard that anyone can walk into.
Initial
You've made a mental note of who 'should' have access, but there's no formal process or system to enforce it. The operations manager has a spreadsheet of customer data, the finance person has an old laptop with client lists, and passwords are often shared or written on sticky notes.
Developing
You've assigned basic access roles (like 'accountant can see invoices, sales person can see customer contact info'), but there's no regular review of who actually has access. You're using some password protection, but someone who left last year might still have a login, and you haven't checked in three months.
Defined
You've created a documented access policy that says which roles can see which data types, and you've set up basic user accounts with individual logins. You review access every quarter when someone joins or leaves, and you've disabled old logins—but you haven't tested whether the access controls actually work or logged who accessed what data.
Managed
You maintain an up-to-date access control list showing exactly who can see what data and why. Your systems log who accessed which data and when, you review access quarterly against current employee roles, and you can quickly spot if someone accessed data they shouldn't have. You've tested that the controls actually prevent unauthorized access.
Optimised
Your access controls are automated—the system grants or revokes access based on job role, and access is reviewed and updated in real time. You have detailed audit logs of every data access, automated alerts if someone tries to access data outside their role, regular penetration testing to confirm controls work, and a documented incident response plan for access breaches. You review effectiveness quarterly and adjust based on risk changes.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document who needs to access what data by role (e.g., 'Accountant needs to see invoices and customer payment methods; Sales person needs customer names and phone numbers; HR needs employee salary data'). Walk through each person's job and write down what data they actually need. | Business owner or office manager | 2-3 days |
| 1 → 2 | Set up individual user logins for every person (no shared logins). Use a simple access control tool (Google Workspace, Microsoft 365, or a basic ERP if you have one) to assign each person to a role that matches what you documented in Level 1. Remove access for people who have left. | IT person or external consultant | 1-2 weeks |
| 2 → 3 | Create a written Access Control Policy (a 1-2 page document) that lists which roles can access which data and why. Set a quarterly calendar reminder to review access against current staff and job changes. Document the review in an access review log. | Business owner with IT person | 2-4 weeks |
| 3 → 4 | Enable audit logging on your systems (databases, file servers, Google Drive, etc.) so every data access is recorded with who accessed what and when. Set up a simple monthly report showing unusual access patterns. Test that access controls actually block unauthorized attempts by trying to access data from an account in the wrong role. | IT person or system administrator | 4-6 weeks |
| 4 → 5 | Automate access provisioning so access is granted/revoked automatically when someone joins or leaves (via your HR system feeding into your IT system). Set up real-time alerts for suspicious access attempts. Conduct quarterly penetration testing. Review control effectiveness and adjust based on new risks (e.g., new data types, new regulations). | IT person or external managed service provider | Ongoing (2-3 hours per month) |
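To make the steps above concrete, here is an added example of the kind of access review a small IT team could run once the role map (step 0 → 1), individual logins (step 1 → 2) and audit logging (step 3 → 4) are in place. It is illustrative code written for this page, not a NIRMATA tool or any vendor's product; the roles, data categories, staff names and log lines are constructed, and a real system would feed in its own export of the audit log and HR roster. It flags the two problems the pitfalls list warns about (a departed employee whose login still works, and someone reading data outside their role) and also runs the negative tests the evidence list asks for (e.g. a Sales account must be blocked from salary data).

```python
# Added example for this page (not NIRMATA's own tooling): a small access review
# script that checks an audit log against a role-based access policy and the
# current staff roster, flagging departed staff whose logins still work and
# access outside someone's role. All names, categories and log lines are constructed.
from dataclasses import dataclass

# Which data categories each role may access (assumed policy, mirrors step 0 -> 1)
ACCESS_POLICY = {
    "accountant": {"invoices", "payment_methods"},
    "sales": {"customer_contacts"},
    "hr": {"employee_salary"},
    "it_vendor": set(),  # third party: no business data unless explicitly granted
}


@dataclass
class Employee:
    user_id: str
    role: str
    active: bool  # False once HR records the person as having left


# Constructed roster: the HR view of who currently works here
ROSTER = {
    "priya": Employee("priya", "accountant", True),
    "rahul": Employee("rahul", "sales", True),
    "meena": Employee("meena", "hr", True),
    "arjun": Employee("arjun", "sales", False),  # resigned, login never disabled
    "vendor1": Employee("vendor1", "it_vendor", True),
}

# Constructed audit log in the shape step 3 -> 4 asks for: when, who, what, action, result
AUDIT_LOG = """\
2024-01-15T09:02:11,priya,invoices,read,allowed
2024-01-15T09:15:42,rahul,customer_contacts,read,allowed
2024-01-15T10:01:03,rahul,employee_salary,read,allowed
2024-01-15T22:47:19,arjun,customer_contacts,export,allowed
2024-01-16T08:30:00,meena,employee_salary,read,allowed
2024-01-16T11:05:27,vendor1,customer_contacts,read,denied
"""


def is_allowed(role, category, policy=ACCESS_POLICY):
    """Policy decision: may this role touch this data category?"""
    return category in policy.get(role, set())


def parse_log(text):
    """Turn the CSV-style log into dicts; skips blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, category, action, result = parts
        events.append({"time": ts, "user": user, "category": category,
                       "action": action, "result": result})
    return events


def review_access(log_text, roster=ROSTER, policy=ACCESS_POLICY):
    """Return (finding_type, event) pairs a reviewer should look at.

    Only events the system actually allowed are findings: a denied attempt
    shows the control working and belongs in the test evidence instead.
    """
    findings = []
    for ev in parse_log(log_text):
        if ev["result"] != "allowed":
            continue
        emp = roster.get(ev["user"])
        if emp is None:
            findings.append(("unknown_user", ev))
        elif not emp.active:
            findings.append(("departed_user", ev))
        elif not is_allowed(emp.role, ev["category"], policy):
            findings.append(("outside_role", ev))
    return findings


def stale_accounts(roster=ROSTER):
    """Logins that should already have been disabled (step 1 -> 2 cleanup)."""
    return sorted(u for u, e in roster.items() if not e.active)


def control_test(policy=ACCESS_POLICY):
    """Negative tests for the evidence list: each (role, category) must be blocked."""
    cases = [("sales", "employee_salary"), ("accountant", "customer_contacts"),
             ("it_vendor", "invoices")]
    return {f"{role}->{cat}": not is_allowed(role, cat, policy) for role, cat in cases}


if __name__ == "__main__":
    for kind, ev in review_access(AUDIT_LOG):
        print(f"{kind:14} {ev['time']} {ev['user']} {ev['action']} {ev['category']}")
    print("stale accounts:", stale_accounts())
    print("control tests blocked:", control_test())
```

Running it on the constructed data reports Rahul (Sales) reading salary data and Arjun, who has left, exporting customer contacts late at night, lists Arjun's login as one that should already be disabled, and confirms all three wrong-role attempts are blocked. Pasting that output, with the date and the reviewer's name, into the quarterly access review log is exactly the evidence the table above asks for; the denied `vendor1` line is the kind of entry to keep as proof that third-party access is limited.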
Documents and records that prove your maturity level.
- Access Control Policy document listing which roles can access which data categories and the business reason why
- Access Control List or spreadsheet showing current employee names, job roles, and what systems/data they have access to (updated at least quarterly)
- Access review log showing dates of quarterly reviews, who performed them, and what changes were made (e.g., 'Reviewed 15-Jan-2024: Added access for new sales hire, removed access for departed employee')
- System audit logs or access reports (from database, file server, or cloud application) showing dates, times, user IDs, and what data was accessed
- Evidence of access control testing (e.g., a simple test report: 'Tested 20-Jan-2024: Attempted to access salary data from Sales account—correctly blocked')
Prepare for these questions from customers or third-party reviewers.
- "Show me your list of who has access to customer personal data and explain why each person needs that access."
- "Can you prove that the person who resigned three months ago no longer has access to any systems?"
- "How do you know who looked at customer data yesterday? Do you have logs? Can you show me an example?"
- "What controls stop your delivery driver or warehouse staff from opening the customer database or file folder?"
- "If I came in today and tried to open employee salary records from a random computer, what would stop me?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| User access management and role assignment for small teams | Google Workspace Admin (free tier limited; ₹1,800-3,600/user/year for paid) - lets you manage who logs in and what Google services they can use | Microsoft 365 (₹300-600/user/month) - more advanced access controls for email, files, and apps |
| File and folder access control (who can open what documents) | Windows NTFS permissions (built into Windows) or Linux file permissions - if your data is on local computers or servers | Nextcloud (₹50,000-200,000/year for self-hosted or cloud) - more user-friendly file access control with audit logs |
| Database access logging and monitoring | MySQL or PostgreSQL audit plugins (requires technical setup) - built-in logging | Fortanix (₹10,000-50,000/year depending on usage) or AWS Secrets Manager (₹400-600/month) - manages database access securely |
| Simple access tracking and review documentation | Google Sheets or LibreOffice Calc - create an access control list and review log yourself | ServiceNow or Monday.com (₹5,000-20,000/month) - automates access requests, reviews, and audit trails |
| Sending secure documents and managing who can access them | Google Drive with detailed sharing settings - you control exactly who can view/edit each file | DocuSafe or ShareFile (₹10,000-50,000/year) - more robust document access control with expiration dates and download logs |
- Thinking 'we're too small to need access controls'—this is exactly why small businesses get hit; attackers know you have weak controls and less monitoring.
- Using one shared login for multiple people (e.g., 'everyone uses the admin password')—you can't trace who did what, and you can't revoke access for one person without breaking it for everyone.
- Never reviewing access after someone leaves—old employees or contractors often keep login credentials and can access data months or years later (this happens regularly in Indian MSMEs).
- Storing sensitive data in unprotected shared folders or Excel files—data sitting on a shared drive is visible to everyone on the network unless you specifically lock folder permissions.
- Mixing IT access with business access (e.g., your IT vendor has the same level of data access as your accountant)—third parties should always have minimal access, limited by contract, and reviewed separately.
- Not documenting who has access to what—when you can't list it, you can't control it, and auditors will flag you immediately.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) and Schedule 1 - requires data fiduciaries to implement reasonable data security practices including access control |
| CERT-In Guidelines 2022 | Appendix B, Item 7 - recommends role-based access control and regular access reviews |
| ISO 27001:2022 | Annex A.7.2 (User Access Management), A.8.3 (Access Control), A.6.1.2 (Information Security Risk Assessment) |
| NIST CSF 2.0 | Govern (GV.RO: Risk Oversight), Protect (PR.AC: Access Control), Detect (DE.AE: Anomalies and Events) |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.