PDP-14 Privacy & Data Protection 6% of OML score

Are privacy responsibilities reviewed when business processes change?

When you change how your business works—like moving customer data to a new system, hiring a vendor, or starting to collect a new type of information—do you stop and check what privacy and data protection rules now apply? This question asks whether you review and update your privacy responsibilities every time a business process changes.

Why This Matters to Your Business

If you don't review privacy responsibilities when processes change, you can expose customer or employee data without realising it, breach data protection law, or walk into a compliance audit with no safeguards to show. Consider a Delhi-based e-commerce company that moves customer payment data to a cloud vendor without checking what safeguards and contract terms the new arrangement needs: if that vendor is breached, the company is still the Data Fiduciary answerable under the DPDP Act for reasonable security safeguards and breach notification, and it loses customer trust along with the data. Without this check you also inherit privacy risks from vendors and processes nobody evaluated, which can end in regulatory penalties, customer disputes, or lost business.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no documented process to check privacy responsibilities when changes happen. When a new system or process is rolled out, IT just implements it without any privacy review, and no one tracks what personal data is involved.

Level 1
Initial

Someone occasionally remembers to ask about privacy when a big change happens, but there is no formal checklist or process. A few privacy reviews may have happened in the past, but they are not consistent or documented.

Level 2
Developing

You have a basic checklist of privacy questions that someone reviews when a new system or vendor is added. The checklist exists but is informal, and sometimes gets skipped if the person responsible is busy.

Level 3
Defined

You have a formal change management process that requires a privacy review before any new system, vendor, or process is approved. The review is documented, and there is a clear owner who signs off on privacy aspects before go-live.

Level 4
Managed

Privacy reviews are built into your change management process, documented in a policy, and tracked in a log. Each change is assessed for data risks, and remediation steps are tracked to completion before the change is deployed.

Level 5
Optimised

Privacy impact assessments are mandatory for all business process changes, tracked in a dashboard, and lessons learned are fed back into your privacy program. Risk ratings are assigned, stakeholders are notified, and the process is audited regularly by internal or external teams.

How to Move Up — Practical Steps

Step 0 → 1
What to do: Hold a one-time meeting with the business head, IT lead, and owner to list the business changes of the last year (new vendors, systems, customer data types) and the privacy issues that could have been missed.
Who: Owner or Privacy Lead
Effort: 1 day

Step 1 → 2
What to do: Create a one-page Privacy Change Checklist with 5–7 questions (e.g., 'What personal data is involved?', 'Is a new vendor handling it?', 'Do we have a data processing agreement?') and share it with IT and process owners.
Who: Privacy Lead or Compliance Officer
Effort: 1 week

Step 2 → 3
What to do: Write a formal Change Management & Privacy Review Policy that requires every process change to pass the privacy checklist before approval. Assign a single person (or small team) as Privacy Reviewer. Record each decision in a log with date, change description, and sign-off.
Who: Compliance Officer or Policy Lead
Effort: 2–4 weeks

Step 3 → 4
What to do: Add privacy risk scoring to the change log (Low, Medium, High). For Medium- and High-risk changes, require a written privacy risk assessment and documented mitigation steps (e.g., encryption, access controls, vendor contract clauses), and track each mitigation to completion before the change is deployed.
Who: Privacy Lead and IT Lead
Effort: 1–2 months

Step 4 → 5
What to do: Automate privacy review reminders in your change management system, publish a quarterly dashboard of changes reviewed and risks closed, and audit the process yearly to find gaps and refine the assessment criteria.
Who: Compliance Officer and IT Lead
Effort: Ongoing (4–6 hours per quarter)
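The steps above describe a gate that a change must pass before go-live. As an added example (not code from the NIRMATA guide or from any tool named on this page), the script below turns that gate into an automated check you can run from a change-management workflow or a CI pipeline: it assigns a Low/Medium/High rating from the checklist answers, blocks any change that lacks reviewer sign-off, a DPA for a new vendor, or documented mitigation at Medium or High risk, and emits a row for the Privacy Review Log. The record fields, the scoring weights, the sensitive-category list and the sample change records are all assumptions chosen to mirror the checklist questions; adjust them to your own policy.

```python
"""Privacy change gate for a change-management log.

Added example written for this guide, not code from the NIRMATA framework or
from any product it names. Field names, scoring weights, the sensitive-category
list and the sample records are assumptions that mirror the guide's checklist
(personal data involved? new vendor? DPA on file? mitigations? sign-off?).
"""
from dataclasses import dataclass, field

# Data categories that raise the rating on their own (assumed list; adjust to your policy).
SENSITIVE_CATEGORIES = frozenset({"financial", "health", "biometric", "government-id", "children"})


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    personal_data: list = field(default_factory=list)   # fields touched, e.g. ["name", "card-number"]
    data_categories: set = field(default_factory=set)   # e.g. {"financial"}
    new_vendor: bool = False        # a new processor will handle the data
    dpa_signed: bool = False        # data processing agreement on file for that processor
    cross_border: bool = False      # data will leave India
    mitigations: list = field(default_factory=list)     # e.g. ["encryption at rest", "role-based access"]
    reviewer: str = ""
    signed_off: bool = False        # privacy reviewer approved before go-live


def risk_rating(rec: ChangeRecord) -> str:
    """Assign Low/Medium/High from the checklist answers (assumed scoring)."""
    if not rec.personal_data:
        return "Low"                 # no personal data: nothing further to assess
    score = 1                        # baseline for any personal data
    if rec.data_categories & SENSITIVE_CATEGORIES:
        score += 2
    if rec.new_vendor:
        score += 1
    if rec.cross_border:
        score += 1
    if score >= 3:
        return "High"
    return "Medium" if score == 2 else "Low"


def gate(rec: ChangeRecord) -> tuple:
    """Decide whether the change may go live.

    Returns (allowed, rating, findings). Any finding blocks deployment, which is
    the Level 3/4 behaviour the guide describes: no sign-off, no go-live.
    """
    findings = []
    rating = risk_rating(rec)
    if rec.personal_data and not rec.signed_off:
        findings.append("privacy reviewer sign-off missing")
    if rec.new_vendor and rec.personal_data and not rec.dpa_signed:
        findings.append("new vendor will handle personal data but no DPA is on file")
    if rating in ("Medium", "High") and not rec.mitigations:
        findings.append(f"{rating}-risk change has no documented mitigation")
    return (not findings, rating, findings)


def log_line(rec: ChangeRecord) -> str:
    """One tab-separated row for the Privacy Review Log: id, rating, reviewer, decision, findings."""
    allowed, rating, findings = gate(rec)
    decision = "APPROVED" if allowed else "BLOCKED"
    return f"{rec.change_id}\t{rating}\t{rec.reviewer or '-'}\t{decision}\t{'; '.join(findings) or 'none'}"


# Constructed sample records (not real changes), covering the cases the guide warns about.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-101", "Move office Wi-Fi to new access points"),
    ChangeRecord("CHG-102", "Migrate customer payment data to a cloud vendor",
                 personal_data=["name", "card-number"], data_categories={"financial"},
                 new_vendor=True, cross_border=True),
    ChangeRecord("CHG-103", "Same payment migration after privacy review",
                 personal_data=["name", "card-number"], data_categories={"financial"},
                 new_vendor=True, cross_border=True, dpa_signed=True,
                 mitigations=["tokenise card numbers", "encryption at rest", "role-based access"],
                 reviewer="Privacy Lead", signed_off=True),
    ChangeRecord("CHG-104", "New CRM vendor for the marketing email list",
                 personal_data=["name", "email"], new_vendor=True, dpa_signed=True,
                 reviewer="Compliance Officer", signed_off=True),
]

if __name__ == "__main__":
    print("change\trating\treviewer\tdecision\tfindings")
    for rec in SAMPLE_CHANGES:
        print(log_line(rec))
```

CHG-102 is blocked on all three counts, CHG-103 passes once the DPA, mitigations and sign-off are recorded, and CHG-104 shows the pitfall the 3 → 4 step closes: a Medium-risk change with a signed DPA and a reviewer is still blocked until a mitigation is written down. Wire `gate()` into the approval transition of your ticketing tool or the deploy job so that `allowed == False` stops the change rather than just raising a reminder.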
Evidence You Should Have

Documents and records that prove your maturity level.

  • A Privacy Change Checklist or template used whenever a new system, process, or vendor is introduced
  • A Change Management & Privacy Review Policy document (even a one-page policy is sufficient) that describes when and how privacy reviews are triggered
  • A Privacy Review Log or spreadsheet showing date of change, description, reviewer name, privacy risks identified, and sign-off
  • For each significant change: a Privacy Risk Assessment document or form that identifies what personal data is involved, who handles it, and what controls are in place
  • Vendor contracts or Data Processing Agreements (DPAs) that include privacy and data security clauses, especially for vendors handling customer or employee data
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through the last three business process changes in your organization. For each one, show me evidence that a privacy review was performed before the change was implemented."
  • "What is your process for identifying when a privacy review is needed? Do you have a policy or checklist that describes this?"
  • "When was the last time you reviewed privacy responsibilities for a new vendor, system, or data type? What did you find, and how did you document the decision?"
  • "If I pick a recent change from your change log, can you show me the privacy assessment, risk rating, and any mitigation steps that were taken?"
Tools That Work in India

Purpose: Track change requests and attach privacy reviews to each change
Free option: Google Forms + Google Sheets, or the Airtable free tier (simple and low-cost)
Paid option: Atlassian Jira (₹300–500/user/month) or ServiceNow (custom pricing, typically ₹2–5 lakh/year)

Purpose: Create and maintain privacy assessment templates and checklists
Free option: Google Docs or Microsoft Word templates shared in OneDrive
Paid option: Privacy management software such as OneTrust or TrustArc (₹5–15 lakh+/year for the full suite)

Purpose: Document and track vendor data processing agreements and security questionnaires
Free option: Google Sheets with a shared vendor risk register, or open-source templates
Paid option: Compliance automation platforms with vendor-risk modules, such as Vanta or Drata (₹3–10 lakh/year)
How This Makes You More Resilient
When privacy responsibilities are reviewed for every business process change, you catch data risks before they become problems—preventing breaches, avoiding compliance penalties, and maintaining customer trust. This control also makes your organization more agile because you can confidently say 'yes' to new opportunities (new systems, vendors, markets) knowing the privacy implications are understood and managed. You'll spend less time on emergency incident response and more time on business growth.
Common Pitfalls in India
  • Skipping privacy review for 'small' or 'internal' changes—a local payroll software change that touches employee data still carries privacy risk and should be reviewed
  • Relying on IT to spot privacy issues without involving business process owners—IT may not know what sensitive data a new process will handle, so both IT and the business process owner must be part of the review
  • Not updating the privacy review when a vendor is replaced or a system is upgraded—you assume the new vendor has the same controls as the old one, but they may not; each change must be independently assessed
  • Treating privacy review as a one-time checkbox rather than a trigger for ongoing monitoring—you review the change once, then forget to verify that privacy controls are actually implemented and working in production
  • Not documenting privacy review decisions—months later, when a customer asks why their data is in a certain system, you have no evidence of what was approved and why, which makes compliance audits harder
Compliance References

Standard: DPDP Act 2023
Relevant sections: Section 6 (consent must be specific to the stated purpose, so a new data type or a new use needs fresh notice and consent), Section 8 (general obligations of the Data Fiduciary: it remains responsible for processing done on its behalf by a Data Processor under 8(1), must keep reasonable security safeguards under 8(4), and must notify breaches under 8(6)), and Section 10(2)(c) (periodic Data Protection Impact Assessment, mandatory for Significant Data Fiduciaries)

Standard: CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act)
Relevant sections: Direction (ii) (report cyber incidents to CERT-In within 6 hours of noticing them) and Direction (iv) (enable ICT system logs and retain them for a rolling 180 days within Indian jurisdiction); a change that moves data or systems to a new vendor must not break either obligation, so confirm logging and incident escalation as part of the review

Standard: ISO/IEC 27001:2022 (Annex A)
Relevant sections: A.8.32 (Change management), A.5.34 (Privacy and protection of PII), A.5.8 (Information security in project management), and A.5.19–A.5.20 (Information security in supplier relationships and in supplier agreements)

Standard: NIST CSF 2.0
Relevant sections: GV.PO-02 (policy is reviewed, updated and enforced to reflect changes in requirements, threats, technology and mission), ID.RA-07 (changes and exceptions are managed, assessed for risk impact, recorded, and tracked), and GV.SC-06 (planning and due diligence are performed to reduce risk before entering a supplier or other third-party relationship)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
