PDP-11 Privacy & Data Protection 6% of OML score

Is there a basic process to respond to personal data complaints or concerns?

When a customer or employee complains that you've mishandled their personal information—like losing their phone number, sharing their address without permission, or not deleting their data when they asked—do you have a documented way to receive, investigate, and fix the problem? This question asks whether you have a simple, documented process to handle these complaints rather than ignoring them or handling each one differently.

⚡ Why This Matters to Your Business

Without a complaint process, small problems spiral into big ones: a customer's mislaid phone number turns into identity theft, they post negative reviews online, and you lose business. Under the DPDP Act 2023, you can be fined up to ₹50 crore for not responding to data complaints properly. If you're doing contract work for larger companies (IT vendors, BPOs, retailers), they'll audit you and find no complaint process—you lose the contract. A Bengaluru logistics startup ignored a customer complaint about data leakage; the customer filed a police report, the startup faced regulatory inquiry, and their enterprise clients paused contracts for 3 months until they fixed it.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written process for handling complaints. When someone complains about their data, whoever answers the phone handles it however they think best, and there's no record of what happened or what you promised to fix.

Level 1
Initial

You have a basic email address or phone number where complaints can be sent, but there's no template or standard way to respond. You fix things when you remember, but there's no written log of complaints or follow-up.

Level 2
Developing

You have a documented one-page process: customers can complain via email or phone, complaints are logged in a spreadsheet with the date and issue, and you respond within 30 days. However, there's no defined owner and compliance is inconsistent.

Level 3
Defined

A named person (e.g., HR manager or data officer) owns the complaint process. Complaints are logged with date, complainant, issue, action taken, and resolution. You respond in writing within 15 days and keep records for 3 years. Training is done once a year.

Level 4
Managed

The process is documented in a policy, with clear roles, timelines, and escalation rules. You track metrics (complaints received, resolution time, repeat issues). All staff who touch customer data know how complaints are handled. You review the process quarterly to improve it.

Level 5
Optimised

Complaints are handled with documented SLAs (e.g., acknowledge within 2 days, investigate within 10 days). You have a dedicated system (software or structured log) to track all complaints, you analyze trends to prevent future issues, and you communicate resolutions to complainants in writing. The process is audited annually by a third party or internal audit team.

🚀 How to Move Up — Practical Steps
Step 0 → 1
  What to do: Create a single email address (e.g., dataprivacy@yourcompany.com) or designate one person to receive complaints. Write a one-paragraph note explaining that this is the contact point for data concerns. Send the note to your team.
  Who: Business owner or office manager
  Effort: 2 hours

Step 1 → 2
  What to do: Draft a simple one-page complaint procedure: define how to log a complaint (date, name, email, issue), create a complaint register (Excel sheet or Google Sheet), set a 30-day response deadline, and assign one person to review the register monthly. Publish this procedure on your website or send it to customers.
  Who: Business owner, HR manager, or IT person
  Effort: 3-4 days

Step 2 → 3
  What to do: Appoint a Data Complaints Officer (can be HR or IT manager). Create a formal policy document (2-3 pages) defining the officer's role, complaint intake methods, investigation steps, resolution timelines (14-21 days), and record retention (3 years). Brief all staff on the policy. Test by filing a dummy complaint and verifying it is logged and acknowledged.
  Who: Business owner with input from HR/IT manager
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Implement a simple tracking system (spreadsheet with built-in reminders or a free tool like Airtable) that captures complainant details, complaint date, category (access request, deletion request, unauthorized sharing), actions taken, and closure date. Define and document escalation rules (e.g., if not resolved in 15 days, escalate to management). Run quarterly reviews with the complaints officer to identify patterns and process gaps.
  Who: IT person or Data Complaints Officer
  Effort: 4-6 weeks

Step 4 → 5
  What to do: Formalize SLAs in writing: acknowledge complaints within 2 days, complete investigation within 10 days, provide written resolution within 21 days. Use a dedicated complaint management system with automated workflows and reporting. Conduct annual internal audits of complaint handling and third-party audits if feasible. Publish an annual summary of complaints (anonymized) to demonstrate transparency and continuous improvement.
  Who: Data Complaints Officer, IT person, and internal/external auditor
  Effort: Ongoing (monthly reviews, annual audit)
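One way to implement the tracking, escalation and quarterly-review rules from the 3 → 4 and 4 → 5 steps, as an added Python example that is not part of the NIRMATA framework or any tool it names: each register entry is checked against the stated SLAs (acknowledge in 2 days, investigate in 10, escalate at 15, resolve in 21) and the figures a quarterly review needs are computed. The field names, the reference format and the three sample entries are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA targets from the steps table above, in calendar days after receipt
SLA = {"acknowledge": 2, "investigate": 10, "escalate": 15, "resolve": 21}

@dataclass
class Complaint:
    ref: str                           # register reference (constructed format)
    received: date
    category: str                      # access request / deletion request / unauthorized sharing
    acknowledged: Optional[date] = None
    investigated: Optional[date] = None
    resolved: Optional[date] = None

def flags(c: Complaint, today: date) -> list:
    """SLA breaches and the escalation trigger for one register entry as of `today`."""
    due = {k: c.received + timedelta(days=d) for k, d in SLA.items()}
    out = []
    if c.acknowledged is None and today > due["acknowledge"]:
        out.append("acknowledgement overdue")
    if c.investigated is None and today > due["investigate"]:
        out.append("investigation overdue")
    if c.resolved is None and today > due["escalate"]:
        out.append("escalate to management")
    if c.resolved is None and today > due["resolve"]:
        out.append("resolution overdue")
    return out
def review_metrics(register: list, today: date) -> dict:
    """Quarterly-review figures: volume, open items, escalations, repeat categories."""
    closed = [c for c in register if c.resolved is not None]
    counts = Counter(c.category for c in register)
    return {
        "received": len(register),
        "open": len(register) - len(closed),
        "needs_escalation": [c.ref for c in register if "escalate to management" in flags(c, today)],
        "mean_days_to_resolve": sum((c.resolved - c.received).days for c in closed) / len(closed) if closed else None,
        "repeat_categories": sorted(k for k, n in counts.items() if n > 1),
    }
# Constructed sample register; these are not real complaints
REGISTER = [
    Complaint("C-001", date(2024, 3, 1), "deletion request", date(2024, 3, 2), date(2024, 3, 8), date(2024, 3, 12)),
    Complaint("C-002", date(2024, 3, 5), "unauthorized sharing", date(2024, 3, 6)),
    Complaint("C-003", date(2024, 3, 20), "deletion request"),
]
def run_demo(today: date = date(2024, 3, 25)) -> dict:
    return {"flags": {c.ref: flags(c, today) for c in REGISTER}, "metrics": review_metrics(REGISTER, today)}
```

Run `run_demo()` on the sample register and C-002 is flagged for escalation (open for 20 days with no investigation recorded) while C-003 is only missing its acknowledgement.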
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Written complaint handling policy or procedure document (1-3 pages) that includes who to contact, how to file a complaint, and expected response timeframe
  • Complaint register or log (spreadsheet, database, or software record) with at least 3 months of historical entries showing date received, complainant name/contact, issue description, action taken, and resolution date
  • At least two sample complaint files (either from real complaints or test complaints) showing the full complaint lifecycle: intake, acknowledgment email to complainant, investigation notes, and closure letter
  • Training record or email showing that staff have been informed of the complaint process and their role in it
  • Evidence of monitoring or review: quarterly or annual summary of complaints (even if count is zero), identifying trends or improvement actions
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your process when a customer emails you to say you're still holding their data even though they requested deletion. Show me the policy and a real example of how you handled a similar complaint."
  • "How many personal data complaints have you received in the last 12 months? Show me your complaint register and tell me the average time you took to resolve them."
  • "Who is responsible for handling complaints about data? If that person leaves, how will the next person know what to do?"
  • "If a customer complains on a Friday and you're on holiday the following week, how do they know their complaint was received and when it will be resolved?"
  • "Show me evidence that you've actually resolved a complaint—not just acknowledged it. What did you do, how did you confirm it was fixed, and how did you tell the customer?"
🛠 Tools That Work in India

Purpose: Log and track complaints with automatic reminders and status updates
  Free option: Google Forms (to collect complaints) + Google Sheets (to log and track)
  Paid option: Airtable (₹300-800/month), Zoho CRM free tier (basic complaint tracking)
Purpose: Create and store complaint handling policy documentation
  Free option: Google Docs or LibreOffice Writer
  Paid option: Microsoft 365 (₹99-749/month if not already subscribed)

Purpose: Set reminders and monitor response deadlines
  Free option: Google Calendar or Outlook Calendar (built-in)
  Paid option: Asana free tier or Monday.com (₹500-2000/month)

Purpose: Generate reports and metrics on complaints over time
  Free option: Google Sheets with pivot tables
  Paid option: Zoho Creator (₹500-3000/month) or Freshdesk (₹200-1200/month, includes complaint tracking)

Purpose: Send secure, dated acknowledgments and resolutions to complainants
  Free option: Gmail with read receipts or Google Forms automatic response
  Paid option: DocuSign (for signed acknowledgments; ₹500-2000/month) or Zoho Sign (₹200-600/month)
🛡 How This Makes You More Resilient
A working complaint process catches problems before they explode: a customer notices a data issue and tells you directly instead of posting angry reviews or filing a regulatory complaint. You fix the problem within days, the customer stays satisfied, and no regulator gets involved. Without this process, small issues fester into crises that damage reputation, trigger audits, and cost far more to fix. Having documented evidence that you handle complaints responsibly also protects you during audits—auditors see you're taking data protection seriously, which improves your overall security score and customer trust.
⚠️ Common Pitfalls in India
  • Treating complaints as a nuisance and dismissing them without investigation. Many Indian MSMEs think a complaint from a customer is unfair criticism and avoid engaging—this leads to the customer escalating to regulatory bodies. Instead, treat every complaint as legitimate feedback and respond in writing.
  • No written record of complaints, so you can't prove you investigated or resolved anything. When an auditor or regulator asks 'show me how you handled data complaints,' you have nothing. Keep a simple log (spreadsheet) with date, issue, and resolution—even if it's just three entries, it shows you're trying.
  • Only one person knows the complaint process (e.g., the owner's secretary). If that person is sick or leaves, complaints go unanswered. Document the process in writing and brief at least two people on it so there's continuity.
⚖️ Compliance References

DPDP Act 2023: Section 18 (Right to grievance redressal; data principal can lodge a complaint), Section 8(1) (Data fiduciary must respond to data principal requests), and Schedule 2 (organizational requirements for grievance redressal)
CERT-In 2022: Rule 4(8) requires 'incident response and recovery procedures', which include receiving and responding to data breach complaints
ISO 27001:2022: Clause 5.1.2 (Information security policies), Annex A 5.16 (Management of information security incidents), and Annex A 5.1 (Policies for information security)
NIST CSF 2.0: Govern Function (GV): Establish organizational context and risk management for information security; Manage Function (Mg): Manage processes for reporting and responding to information security events


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
