NCSRC NIRMATA
RC-01 Risk & Compliance 20% of OML score

Has the business identified its most important information (customer data, financial data, employee data)?

Do you know exactly what sensitive information your business holds and where it is stored? This question asks whether you have made a list of your most valuable data—such as customer details, payment information, employee records, and financial reports—so you know what needs protection.

⚡
Why This Matters to Your Business

If you don't know what data you have, you cannot protect it, and you will not know when it has been stolen. A common scenario in Indian MSMEs: a small e-commerce business keeps customer card numbers in an unencrypted Excel file that is shared over WhatsApp; a phone is lost, the file goes with it, and the customer data is stolen. The business then faces angry customers, regulatory exposure (RBI's card-on-file tokenisation norms do not permit merchants to store actual card details at all), and loss of trust. Without a data inventory you also cannot give the notices or answer the access requests that the DPDP Act requires, and you will fail any customer or bank security audit.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You do not have any formal list of what data your business holds or where it lives. When asked what sensitive information exists, different team members give different answers or no answer at all.

Level 1
Initial

You have mentioned to staff that customer and financial data exist and are important, but there is no documented list. Data storage locations are known informally (someone knows the password to the customer database, but it is not written down).

Level 2
Developing

You have created a basic written list of the types of data you hold (customer names, phone numbers, GST files, employee salary details) and where most of it is stored (accounting software, email, shared folders). The list is incomplete or not regularly updated.

Level 3
Defined

You have a documented inventory of all major data types your business collects and stores, including customer data, financial records, and employee information. The list shows data location, approximate volume, and who has access. It is reviewed and updated at least once per year.

Level 4
Managed

Your data inventory is comprehensive, up-to-date, and categorized by sensitivity level (public, internal, confidential). You have mapped data flows—what data comes in, where it goes, who uses it, and when it is deleted. Changes to data systems are logged and inventory is updated within 30 days.

Level 5
Optimised

Your data inventory is automated, continuously updated, and integrated with your access control and backup systems. Data classification is enforced at the point of creation, data flows are monitored in real-time, and the inventory feeds automated security controls and compliance reporting.

🚀
How to Move Up — Practical Steps
Each step lists what to do, who does it, and the typical effort.

Step 0 → 1
What to do: Call a 30-minute meeting with the owner, accountant, and IT person (or IT service provider). Ask: What data do we collect from customers? What financial records do we keep? What employee information do we store? Write down the answers on paper or in a Google Doc.
Who: Business owner or senior manager
Effort: 1 day

Step 1 → 2
What to do: Create a simple one-page spreadsheet or form with columns: Data Type, Where It Is Stored, Who Can Access, Why We Keep It. Fill in rows for customer data (names, emails, phone numbers, addresses, payment info), financial data (invoices, GST records, bank statements), and employee data (names, salaries, documents). Save it in a secure, access-controlled location.
Who: IT person or business manager
Effort: 1 week

Step 2 → 3
What to do: Expand the spreadsheet to include a sensitivity classification (mark each data type as Confidential, Internal, or Public), approximate volume (e.g., 5000 customer records, 50 employee records), retention period (how long you keep it by law or business need), and data owner (the person responsible). Get sign-off from the business owner and IT lead. Store it with version dates.
Who: IT person with business owner approval
Effort: 2-4 weeks

Step 3 → 4
What to do: Document how data moves through your business: where each data type enters (customer signup form, bank downloads, email receipts), which systems touch it (accounting software, CRM, email, laptops), how long it is kept, and when and how it is deleted. Create a simple data flow diagram (hand-drawn, or in Google Drawings or Draw.io). Update the inventory quarterly.
Who: IT lead with input from finance, sales, and operations
Effort: 1-2 months

Step 4 → 5
What to do: Implement automated data discovery tools (such as Netwrix Auditor, or Microsoft Purview if you use Microsoft 365) to scan your systems monthly and flag new sensitive data. Feed the results into your inventory. Set up automated alerts when data leaves authorised locations. Link the inventory to access control and backup schedules.
Who: IT lead with vendor support if needed
Effort: Ongoing (1-2 hours per month for review and updates)
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • A signed and dated Data Inventory document or spreadsheet listing all data types (customer, financial, employee), locations, sensitivity levels, volume, and data owners
  • A Data Classification Policy stating how you define Confidential, Internal, and Public data, and which data types fall into each category
  • A Data Flow Diagram or written description showing where each data type originates, which systems process it, who accesses it, and retention/deletion rules
  • Proof of recent review: email or meeting notes showing the inventory was checked and updated within the last 12 months with signature/approval
  • Access control or system configuration records showing that identified sensitive data is restricted to authorized users only
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me a complete list of all sensitive data your business collects and where it is stored?"
  • "How do you classify data by sensitivity level, and what is your retention schedule for each data type?"
  • "When a customer provides their phone number or payment information, what systems does that data flow through from entry to storage?"
  • "How often do you review and update your data inventory, and who is responsible for maintaining it?"
  • "How do you ensure that only authorized staff can access sensitive customer or financial data, and how is this documented?"
🛠
Tools That Work in India
Each entry lists the purpose, a free option, and a paid option.

Purpose: Create and maintain the data inventory spreadsheet with version control
Free option: Google Sheets (cloud-based, shareable) or LibreOffice Calc
Paid option: Microsoft Excel with OneDrive (₹500-1500/month per user) or specialised tools

Purpose: Document and visualise data flows and connections between systems
Free option: Google Drawings, Lucidchart (limited free tier), or Draw.io (free, open source)
Paid option: Visio (part of Microsoft 365, ₹500-1500/month) or Lucidchart paid (₹5000-15000/year)

Purpose: Automatically discover and catalogue sensitive data across files, databases, and cloud storage
Free option: None practical for Indian MSMEs; manual discovery, or limited open-source scripts and tools
Paid option: Netwrix Auditor (₹150000-400000/year), Microsoft Purview (₹5000-20000/month), or Varonis (₹300000+/year)
🛡
How This Makes You More Resilient
When you know exactly what data you have and where it is, you can secure it properly—encrypt customer payment data, control who sees salary records, back up financial files. This means when an incident happens (breach, ransomware, accidental deletion), you respond faster because you know what is affected and you have backups. You also avoid compliance fines because you can prove to regulators and customers that you know what data you hold and are protecting it.
⚠️
Common Pitfalls in India
  • Creating a one-time inventory and never updating it—new systems are added, data grows, but the list stays the same; a customer audit finds data you forgot about and loses trust
  • Treating all data the same—marking everything as 'confidential' means nothing is actually protected; focus protection on genuinely sensitive data such as payment card details, Aadhaar and PAN numbers, bank account details, and employee salaries (a GSTIN is printed on every invoice and is publicly searchable, so it does not belong in the same tier)
  • Storing the inventory itself in an unprotected location—printing a list of all sensitive data and leaving it on a desk or in an unlocked spreadsheet defeats the purpose; keep the inventory itself secure and access-controlled
  • Not involving finance or operations teams—IT lists only technical data, missing important business data stored in spreadsheets, emails, or filing cabinets; data inventory must be cross-functional
  • Forgetting about data in cloud tools—many Indian MSMEs use WhatsApp, Google Drive, or free cloud apps to share invoices and customer lists; these are often not included in formal inventory and create uncontrolled copies of sensitive data
⚖️
Compliance References
Each entry lists the standard and the sections relevant to this question.

Digital Personal Data Protection Act (DPDP), 2023: Section 5 (notice to the Data Principal about what personal data is collected and why), Section 6 (consent), Section 8 (general obligations of the Data Fiduciary, including reasonable security safeguards, breach intimation, and erasure once the purpose is served), Section 11 (the Data Principal's right to access information about their personal data). None of these can be met without knowing what personal data you hold and where.

CERT-In Directions 2022: Direction (ii) (report cyber incidents to CERT-In within 6 hours of noticing them) and Direction (iv) (retain ICT system logs for 180 days); both presuppose that you know which systems hold sensitive data.

ISO 27001:2022: Annex A controls 5.1 (policies for information security), 5.9 (inventory of information and other associated assets), 5.12 (classification of information), 5.13 (labelling of information), and 5.15 (access control).

NIST Cybersecurity Framework 2.0: Identify (ID): ID.AM-03 (representations of data flows are maintained), ID.AM-05 (assets prioritised by classification, criticality, resources and mission impact), ID.AM-07 (inventories of data and corresponding metadata for designated data types are maintained); Govern (GV): GV.RM-01 (risk management objectives established and agreed to by organisational stakeholders).

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

← Back to all guides  ·  trustinbharat.org