If you never review your data practices, you'll miss changes in laws, customer expectations, and security risks. A real scenario: a Bangalore IT services firm was fined ₹50 lakhs under DPDP Act 2023 because their 2019-era privacy policy didn't mention data sharing with third parties they'd added in 2022—nobody had reviewed it since launch. Another risk: if a customer asks 'where is my data stored?' and you can't answer, you lose their trust and may fail compliance audits. Without regular reviews, you also can't respond quickly to security incidents or demonstrate due diligence to clients who audit your security.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no documented privacy policy or data protection procedures. Even if someone asks how you handle their data, there's no clear written answer anywhere in your company.
- Initial: You have a privacy policy document (possibly copied from a template) but it hasn't been reviewed or updated since it was first created. No one is formally responsible for keeping it current.
- Developing: You have a privacy policy and you've updated it once when something changed, but there's no scheduled annual review. Reviews happen only when someone complains or you remember to do it.
- Defined: You have a calendar reminder for annual privacy reviews and you've completed reviews in the last 12 months. The review covers what data you collect, basic storage locations, and retention periods, but doesn't deeply examine all third parties or new risks.
- Managed: You conduct formal annual privacy reviews with documented findings and sign-off from management. Reviews include checking all data flows, third-party processors, retention policies, and comparing them against current laws and customer contracts.
- Optimised: You have a continuous privacy review process with quarterly check-ins, documented decisions, trained staff awareness, and demonstrated improvements made based on review findings. External auditors or customers can see evidence of ongoing oversight and proactive updates.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Write or download a basic privacy policy template that covers: what data you collect, why, who has access, where it's stored, and how long you keep it. Get management to sign off once. | HR Manager or designated data owner (could be IT person) | 3-5 days |
| 1 → 2 | Schedule a one-time 'privacy review day' in the next month. Walk through your actual business processes (sales, invoicing, customer support) and check if the policy matches reality. Update the policy where it doesn't. | IT person or Finance person who handles data | 1 week |
| 2 → 3 | Set up an annual calendar reminder for privacy review (e.g. January each year). Create a simple one-page checklist: check for new laws, new data types, new storage locations, and customer feedback. Complete the first review and record the date and who did it. | Compliance or operations manager | 2-3 weeks |
| 3 → 4 | Formalize the review process with a documented template covering: data inventory, third-party processors, retention schedules, legal changes (DPDP, CERT-In, sector rules), customer audit findings, and recommended actions. Get CFO and data owner to sign the review report each year. | Compliance officer or external consultant (if budget allows) | 4-6 weeks |
| 4 → 5 | Implement quarterly mini-reviews to catch changes mid-year. Train relevant staff (sales, IT, HR) on what triggers a privacy review. Document all findings and actions taken. Share annual review summaries with leadership and external auditors. | Designated Privacy Champion (could be part-time IT manager role) | Ongoing: 2-3 hours per quarter |
Documents and records that prove your maturity level.
- Dated privacy policy document with version history showing at least one update in the last 12 months
- Annual privacy review checklist or template completed and signed by a manager in the last 12 months
- Calendar entry or email showing scheduled annual review date(s)
- List of data types your business handles (customer names, phone numbers, email, payment info, etc.) updated in the last review
- Records of any changes made to privacy practices based on the review (e.g. updated retention policy, new processor agreement, policy clarification memo)
Prepare for these questions from customers or third-party reviewers.
- "When was your privacy policy last reviewed and by whom? Can you show me the date and the person's sign-off?"
- "Tell me about the major data types you collect and store. How long do you keep each type? Has this changed in the last year?"
- "Do you use any third-party tools or vendors to store or process customer data (cloud storage, payment gateway, CRM, email service)? Has this list changed since your last review?"
- "Have there been any changes to laws or regulations relevant to your business in the last 12 months (like DPDP Act 2023)? How did your review account for these?"
- "Can you show me a documented record of your annual privacy review—what was checked, what was found, and what actions were taken?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a privacy policy template tailored to Indian law | Iubenda (limited free version), DPDP Act 2023 government FAQ and guidelines | Iubenda Premium (₹4,000–8,000/year), OneTrust (₹200,000+/year - overkill for most MSMEs) |
| Track your data inventory and retention schedules in one place | Google Sheets or Airtable free tier, Excel spreadsheet with password protection | Airtable Pro (₹5,000/user/month), Collibra (enterprise pricing, not suitable for SME) |
| Document and track annual privacy reviews with sign-offs | Google Docs/Forms for review checklist and responses, Trello board for tracking action items | Notion Plus (₹80/month per user), Confluence (₹75,000+/year for team) |
- Copying a privacy policy from a competitor or template without adapting it to your actual business—e.g., your policy says 'we store data in Europe' but you actually use AWS India or Google Cloud India. An auditor will spot this mismatch immediately.
- Reviewing the written privacy policy but never checking if staff actually follow it—e.g., your policy says 'customer data deleted after 1 year' but your accountant keeps backups for 3 years. The review must include a walk-through of real processes.
- Treating privacy review as a one-time compliance checkbox rather than updating it when you add new services—e.g., you launch a WhatsApp Business API for customer support but never update your policy to mention WhatsApp. New features often need privacy updates.
- Not including third-party risk in reviews—e.g., you switch from local email to Gmail or Microsoft 365 without documenting data processor agreements or reviewing their privacy terms. DPDP Act requires you to ensure third parties protect data too.
- Doing the review but not documenting or communicating findings—no one knows what was checked, what was found, or what changed. This fails audits because there's no evidence the review actually happened.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Processing of personal data), Section 6 (Principles), Clause 2.3 requiring periodic review of security practices |
| CERT-In 2022 Guidelines | Directions 4 & 5: Organizations must conduct periodic assessments of information security practices and maintain audit trails |
| ISO 27001:2022 | Clause A.5.1 (Policies for information security), Clause 6.2 (Information security objectives and planning), Clause 9.2 (Internal audit) |
| NIST CSF 2.0 | Govern function (GV): Policy & Processes; Manage function (MA): Assessments; Protect function (PR): Information Protection |