When data leaks from a vendor or partner you shared it with, you remain legally responsible under the DPDP Act 2023: the Act makes the Data Fiduciary (your company) responsible for compliance irrespective of any agreement with the Data Processor (the vendor), so you cannot blame them and walk away. A manufacturing company in Pune shared employee salary data with an unvetted HR outsourcing firm, which was then compromised; the company faced regulatory action and lost employee trust. Without approval records, auditors (especially for export certifications or customer audits) will mark you as non-compliant, blocking future business. Data shared carelessly with telecalling vendors or logistics partners often ends up misused for spam or fraud, damaging your brand and customer relationships.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal list of who receives your customer or employee data, and data sharing happens verbally or informally. Your team sends files to vendors via WhatsApp or email without anyone reviewing what's in them first.
Initial
You have an informal understanding of which vendors need data, but there's no written approval process and no record of what was shared or when. Different people in your company might share the same data multiple times without knowing it.
Developing
You have a list of vendors who receive data and you keep basic records of who received what, but the approval process is inconsistent and there's no formal data-sharing agreement with most vendors. Some approvals are documented, others are not.
Defined
You have a written Data Sharing Register listing every external party that receives data, the type of data, the business reason, the approval date and the approving owner's signature. Every vendor has signed a data protection addendum or confidentiality clause before receiving any data.
Managed
You conduct quarterly reviews of all active data-sharing arrangements, update them when needed, revoke access when a vendor relationship ends, and track what data each vendor actually uses. Your vendors must confirm annually they are protecting data properly.
Optimised
You have an automated data-sharing approval workflow integrated into your systems, real-time monitoring of data access by external parties, automated alerts if unauthorized sharing is detected, and annual third-party audits confirming vendors meet your security standards.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page Data Sharing List showing: Vendor Name, Type of Data Shared, Business Reason, and Date Started. Talk to each department head for 30 minutes to collect this information. | Business owner or Operations Manager | 2-3 days |
| 1 → 2 | Design a Data Sharing Request Form requiring: Requester name, Vendor name, specific data fields needed, business justification, and signature of approval by a manager or owner. Keep all completed forms in a shared folder. | Business owner or IT lead with input from management | 1 week |
| 2 → 3 | Create a Data Sharing Agreement template (2-3 pages) including confidentiality obligations, data security requirements, and data deletion timelines. Get a local lawyer to review once, then use with all new and existing vendors. Maintain a register of who signed and when. | Business owner with legal advisor | 3-4 weeks |
| 3 → 4 | Build a Data Sharing Register (Excel or simple database) tracking: Vendor ID, Data Categories, Approval Date, Approver, Agreement Status, Last Review Date. Conduct a quarterly audit to remove vendors no longer needing data and follow up with vendors on compliance. | IT lead or Data Coordinator (hire if needed) | 6-8 weeks including quarterly reviews |
| 4 → 5 | Implement a cloud-based data governance tool (like a DLP system or simple workflow automation) to log all data sharing requests, send automatic approval notifications, and flag sharing of sensitive categories. Link to your CRM or ERP if possible. Conduct annual vendor security assessments via questionnaire or audit. | IT lead with external consultant support | Ongoing (2-3 months initial setup, then 4-6 hours per month) |
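The quarterly audit in the 3 → 4 step can be turned into a repeatable check rather than a manual scan of the spreadsheet. The script below is an added example (not part of the original page or the NIRMATA framework): it reads a register laid out with the columns that step lists, plus two assumed columns (Relationship Status and Access Revoked), and flags four gaps the Managed level is concerned with: active sharing with no signed agreement, sharing with no recorded approver, a review overdue past a quarter, and a relationship that ended without access being revoked. The register rows are constructed sample data with fictitious vendors and dates.

```python
"""Quarterly audit of a Data Sharing Register.

Added example: the register columns follow the 3 -> 4 step (Vendor ID,
Data Categories, Approval Date, Approver, Agreement Status, Last Review Date).
Two further columns, Relationship Status and Access Revoked, are assumed
here so the script can also catch vendors whose contract ended but whose
access was never revoked. The sample register itself is constructed.
"""
import csv
import io
from datetime import date, timedelta

# "Quarterly" review cadence; a vendor not reviewed within this window is overdue.
REVIEW_INTERVAL = timedelta(days=92)

# Fixed audit date so the results are reproducible; replace with date.today().
AUDIT_DATE = date(2024, 12, 31)

# Constructed sample register (fictitious vendors and dates).
REGISTER_CSV = """\
Vendor ID,Vendor Name,Data Categories,Approval Date,Approver,Agreement Status,Last Review Date,Relationship Status,Access Revoked
V001,Payroll Outsourcing Co,employee name;PAN;salary,2024-01-15,CFO,signed,2024-10-15,active,no
V002,Telecalling Agency,customer name;phone,2024-03-02,,not signed,,active,no
V003,Courier Partner,customer name;phone;address,2023-11-20,Ops Manager,signed,2024-04-10,active,no
V004,Event Organiser,customer name;email,2023-08-05,Ops Manager,signed,2023-08-05,ended,no
V005,Cloud Backup Vendor,employee name;salary,2024-06-12,CFO,signed,2024-11-15,active,no
"""


def parse_register(text):
    """Read the register CSV into a list of dict rows keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    """ISO date string -> date, or None when the cell is blank."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def audit_register(rows, today):
    """Return (vendor_id, finding_code, detail) tuples for every control gap."""
    findings = []
    for row in rows:
        vid = row["Vendor ID"].strip()
        active = row["Relationship Status"].strip().lower() == "active"
        agreement_signed = row["Agreement Status"].strip().lower() == "signed"
        approver = row["Approver"].strip()
        last_review = _parse_date(row["Last Review Date"])
        revoked = row["Access Revoked"].strip().lower() == "yes"

        if active and not agreement_signed:
            findings.append((vid, "NO_AGREEMENT",
                             "data is flowing without a signed data protection agreement"))
        if active and not approver:
            findings.append((vid, "NO_APPROVER",
                             "no recorded owner/manager approval for this sharing"))
        if active and (last_review is None or today - last_review > REVIEW_INTERVAL):
            findings.append((vid, "REVIEW_OVERDUE",
                             f"last review {last_review or 'never'}; quarterly review due"))
        if not active and not revoked:
            findings.append((vid, "ACCESS_NOT_REVOKED",
                             "relationship ended but data access/deletion not confirmed"))
    return findings


def run_audit(text=REGISTER_CSV, today=AUDIT_DATE):
    """Audit a register and group findings by vendor: {vendor_id: [(code, detail), ...]}."""
    grouped = {}
    for vid, code, detail in audit_register(parse_register(text), today):
        grouped.setdefault(vid, []).append((code, detail))
    return grouped


if __name__ == "__main__":
    for vid, items in sorted(run_audit().items()):
        for code, detail in items:
            print(f"{vid}  {code:<20} {detail}")
```

To use it on a real register, export the sheet to CSV with the same headers, read the file into `REGISTER_CSV`, and set `AUDIT_DATE` to `date.today()`. The check only measures register hygiene; it cannot tell you what the vendor actually still holds, so each `ACCESS_NOT_REVOKED` finding should be closed with a written deletion or return confirmation from the vendor, as the Managed level requires.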
Documents and records that prove your maturity level.
- Data Sharing Register or Log showing each external party, data types shared, approval date, and approver signature
- Completed Data Sharing Request Forms for each vendor or partner receiving data (retained for at least 2 years)
- Data Protection Addendum or Data Sharing Agreement template signed by each vendor or third party
- Approval records (email, signed form, or system log) showing owner/manager authorization before sharing personal data
- Quarterly or annual audit records showing review of active data-sharing arrangements and removal of outdated ones
Prepare for these questions from customers or third-party reviewers.
- "Show me your list of all external parties who have access to personal data. How do you ensure they only get data they actually need?"
- "Walk me through how you approve a request to share customer or employee data with a new vendor. Who decides yes or no?"
- "Can you show me the data protection agreement you have with [specific vendor]. What obligations do they have to protect the data?"
- "When you stop using a vendor, how do you ensure they delete or return all the personal data you shared with them? Show me an example."
- "Have you ever had a data breach involving a vendor or partner? If so, what did you do and what controls did you add to prevent it?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track and approve all data sharing requests centrally | Google Forms + Google Sheets (collect requests and maintain register) | Jira Service Management (₹8,000–15,000/year) or Microsoft Forms + SharePoint |
| Send automatic approval workflows and maintain audit trail | Zapier free tier limited to 100 tasks/month, or Microsoft Power Automate free tier | Zapier Pro (₹2,000–5,000/month) or n8n self-hosted |
| Manage and store vendor agreements and data-sharing contracts in one place | Google Drive or OneDrive (folder structure and naming rules) | DocuSign (₹15,000–25,000/year for small team) or Citrix ShareFile (₹20,000+/year) |
- Sharing data 'just this once' with a telemarketer, event organizer, or logistics partner without documenting it; these uncontrolled shares often lead to spam calls and customer complaints
- Assuming a verbal agreement with a vendor is enough; the DPDP Act requires a valid contract before a Data Processor handles personal data on your behalf, and auditors expect written, signed approvals and agreements
- Forgetting to revoke vendor access after the contract ends, leaving your data in someone else's hands indefinitely
- Sharing full datasets (all customer emails, phone numbers, addresses) with vendors who only need a small subset, increasing breach risk
- No one person owning the data-sharing approval process, resulting in inconsistency—some people ask permission, others do not
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (consent) and Section 8 (general obligations of a Data Fiduciary): a Data Processor may be engaged only under a valid contract, and the Fiduciary remains responsible for compliance irrespective of any agreement to the contrary |
| CERT-In Directions (28 April 2022) | Mandatory reporting of cyber security incidents to CERT-In within 6 hours of noticing them and retention of ICT system logs for 180 days; write vendor breach-notification duties into your agreements so a breach at a vendor holding your data can still be reported within that window |
| ISO/IEC 27001:2022 | Annex A 5.19–5.22 (information security in supplier relationships, security requirements in supplier agreements, ICT supply chain, monitoring and review of supplier services), A 5.18 (access rights) and A 5.34 (privacy and protection of PII) |
| NIST CSF 2.0 | GOVERN > GV.SC (Cybersecurity Supply Chain Risk Management: GV.SC-05 requirements in supplier contracts, GV.SC-07 monitoring third-party risk over the relationship, GV.SC-10 activities after the relationship ends) and PROTECT > PR.AA-05 (access permissions defined, managed and reviewed on least-privilege principles) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →