PDP-05 · Privacy & Data Protection · 6% of OML score

Are employees aware that personal data must be handled carefully?

Do your employees actually know they need to handle customer data, employee records, and business information securely—not leave it lying around, not share passwords, not click suspicious links? This is about making sure everyone in your office understands that careless handling of data can cause serious problems.

Why This Matters to Your Business

If your employees don't know the basics of data safety, they will accidentally leak customer information, passwords, or financial records—which means your customers lose trust, you face regulatory fines under the Digital Personal Data Protection Act 2023, and your business reputation gets damaged. For example, a Delhi-based e-commerce MSME once emailed a customer list with phone numbers to the wrong recipient, leading to spam complaints and a buyer audit failure that cost them two major contracts. Without employee awareness, one careless email or unlocked laptop can turn into a data breach that takes months to fix and damages relationships with clients.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no formal training or awareness program. Employees casually discuss customer details over lunch, leave laptops unlocked, and share passwords with colleagues when it's convenient.

Level 1
Initial

You mention data security once during onboarding in a hurried conversation. There is no written policy and no one checks whether employees actually remember or follow any rules.

Level 2
Developing

You have a basic written data handling policy and new employees receive a brief acknowledgment form. However, there is no regular reminder or reinforcement, so people forget the rules after a few weeks.

Level 3
Defined

You conduct annual data protection training for all staff with quizzes to check understanding. Employees can access the policy easily and posters remind them of key rules like 'lock your laptop' and 'do not share passwords.'

Level 4
Managed

You run quarterly training sessions and refresher materials, track who completed training, and include data protection responsibility in employee performance reviews. You have practical guides for each role and test their knowledge through small scenarios.

Level 5
Optimised

You have a continuous awareness program with monthly tips, regular phishing simulations, and role-specific training modules, and you measure behaviour change over time. Data protection is embedded in your company culture and employees proactively report risks.

How to Move Up — Practical Steps

Each step lists what to do, who should do it, and the effort involved.

  • 0 → 1: Write a one-page data handling policy stating that passwords must not be shared, customer data must be kept confidential, and suspicious emails must be reported. Have the owner or manager sign it and share it with the team. Who: Owner or designated manager. Effort: 1 day.
  • 1 → 2: Create a simple onboarding checklist that includes data security; require new employees to read the policy and sign an acknowledgment form; file these forms for audit. Who: HR or Office Manager. Effort: 3-5 days.
  • 2 → 3: Develop a 30-minute training session covering password safety, phishing recognition, and reporting procedures. Deliver it to all staff, record attendance, and create simple desk reminders (posters or printed cards). Who: IT person or external trainer (contract basis). Effort: 2-3 weeks.
  • 3 → 4: Schedule quarterly refresher training, create role-specific guides (e.g., what sales staff should do vs. accounts staff), add a data protection question to performance reviews, and track training completion in a simple spreadsheet. Who: HR/Manager with IT support. Effort: 1-2 months.
  • 4 → 5: Run monthly awareness campaigns (email tips, internal newsletters, simulated phishing exercises), analyse behaviour trends, celebrate good security practices, and update training based on real incidents or near-misses. Who: Dedicated security champion or IT person. Effort: Ongoing (2-3 hours per month).
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written data protection/information security policy document signed by owner and dated
  • Employee acknowledgment forms or sign-off sheets showing each person read and understood the policy
  • Training attendance register or log showing who received data protection training and when
  • Training materials or presentation slides used to educate employees
  • Incident or near-miss reports showing employees are reporting suspicious activity or data mishandling
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me evidence that all employees have received data protection training? When was the last training conducted?"
  • "What is your data handling policy and how do you communicate it to new hires?"
  • "How do you verify that employees understand the rules? Do you test their knowledge or track compliance?"
  • "What should an employee do if they suspect a data leak or receive a suspicious email? Can you ask a few staff members this question?"
Tools That Work in India

Each entry lists the purpose, a free option, and a paid option.

  • Create and share training materials, track who has completed training, and store acknowledgment records. Free: Google Forms (for quizzes and acknowledgments) + Google Drive (for storage and sharing). Paid: Moodle or TalentLMS (Learning Management System), ₹10,000–30,000/year for small teams.
  • Send simulated phishing emails to test employee awareness and identify risky staff. Free: Phishtray (limited free version for up to 50 users). Paid: KnowBe4 or Proofpoint, ₹50,000–150,000/year depending on headcount.
  • Create simple, printable posters and desk cards with security reminders and best practices. Free: Canva (free version) or download templates from the CERT-In website. Paid: Professional design services, ₹5,000–15,000 one-time.
How This Makes You More Resilient
When employees understand data security, the number of accidental leaks and breaches drops dramatically because people think before they click, share, or store information. You become less vulnerable to simple attacks like phishing emails that trick staff into revealing passwords or downloading malware. Your business continues operating smoothly because you avoid costly data breach investigations, regulatory penalties, and the loss of customer trust that would otherwise damage your reputation and revenue.
Common Pitfalls in India
  • One-time training only: Many Indian MSMEs conduct training once during onboarding and then never refresh it, so employees forget the rules within weeks. Plan for at least annual refreshers.
  • No proof of training: Skipping the attendance register or acknowledgment form means you cannot prove to auditors or customers that training actually happened. Always document who attended and when.
  • Training too technical: Employees switch off if the training is full of IT jargon and complex compliance language. Use real-life examples, stories, and simple language they can relate to.
  • Ignoring your own culture: If the owner or senior managers casually discuss customer data or leave laptops unlocked, employees will not take the policy seriously no matter what you teach them. Model the behavior you expect.
  • No consequences or follow-up: If employees receive training but then see colleagues breaking the rules with no consequences, they will stop caring. Reinforce expectations consistently and fairly.
Compliance References

Each entry lists the standard and its relevant section.

  • DPDP Act 2023: Section 8 (Principle of Purpose Limitation and Data Minimisation) and Section 10 (Consent and Notice) require organisations to ensure employees and data handlers are trained and aware of data protection duties.
  • CERT-In 2022: Direction 3 (Data Protection and Information Security) requires eligible entities to implement data protection measures including awareness and training of personnel handling sensitive data.
  • ISO 27001:2022: Annex A.6.3 (Segregation of duties) and Annex A.8.3 (User awareness and training) require organisations to provide appropriate training and regular awareness programs.
  • NIST CSF 2.0: Govern Function (GV.HR-01) and Protect Function (PR.AT-01) emphasise awareness and training as foundational to cybersecurity governance.

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security