If you don't know which rules apply to your business, you can't comply with them—leading to government penalties, customer data breaches causing loss of trust, and failed audits that cost contracts. For example, if you handle customer payment data but don't follow RBI guidelines for card security, you could face penalties up to ₹10 lakh and lose your ability to process payments. A manufacturing business in Bangalore was fined ₹50 lakh under the DPDP Act after a data breach because it had no documented understanding of its compliance obligations. When a customer audit discovers you don't even know which laws apply, they may terminate your contract immediately.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | Description |
|---|---|
| Absent | You have no written list of which cybersecurity or data protection laws apply to your business. When someone asks what rules you follow, staff give different answers or say 'we're not sure.' |
| Initial | You have a basic, informal list of laws someone created (maybe during a conversation with an accountant), but it's not documented, not regularly reviewed, and staff don't know where to find it. |
| Developing | You have a written compliance checklist or document listing applicable laws (DPDP Act, RBI guidelines, industry rules), and it's been reviewed at least once. However, you haven't assessed whether you're actually following each one. |
| Defined | You have a formal, documented list of applicable laws and regulations specific to your business, updated annually or when laws change. You've assigned someone to track new regulations and notify the leadership team. |
| Managed | Your compliance register is maintained by a designated person or team, reviewed quarterly, and linked to specific business processes and departments. You track compliance status for each regulation and document gaps or action items. |
| Optimised | Your regulatory landscape is continuously monitored using automated tools or subscriptions, reviewed monthly, and integrated into annual risk assessments. All staff know which rules apply to their role, and compliance changes trigger immediate workflow updates. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all laws and regulations your accountant, auditor, or industry body has ever mentioned. Write them down in a simple table with the law name, what data it protects, and when it was last checked. Include DPDP Act 2023, RBI Payment Systems guidelines, GST data retention rules, and any industry-specific rules (e.g., healthcare, finance, telecom). | Business Owner or Office Administrator | 1 day |
| 1 → 2 | Create a formal Compliance Checklist document in Google Docs or Excel. For each law, add columns: Regulation Name, Applicability (Yes/No/Maybe), Key Requirements, Affected Business Areas, and Last Review Date. Ask your accountant or a compliance consultant to validate the list (₹2,000–5,000 for 2–3 hours). | Business Owner with Accountant support | 1 week |
| 2 → 3 | Assign one person (IT manager or office manager) to own compliance tracking. Have them conduct a gap assessment for each regulation: Is the business currently complying? If not, what's missing? Document findings in the checklist. Set a calendar reminder to review every quarter. | IT Manager or Compliance Owner | 2–4 weeks |
| 3 → 4 | Integrate the compliance register into your business process documentation. Link each regulation to the specific departments and processes it affects (e.g., 'Data Protection' links to HR, Customer Service, and Finance). Conduct a formal annual compliance review and document sign-off from leadership. | IT Manager with Department Heads | 1–2 months |
| 4 → 5 | Subscribe to a regulatory update service (e.g., industry newsletter, MEITY notifications, or automated compliance tool) and establish a monthly review cycle. Automate notifications when new laws or amendments are announced. Update staff training materials quarterly when regulations change. | IT Manager or Compliance Officer | Ongoing (2–3 hours per month) |
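Steps 0 → 1 through 3 → 4 above come down to a register with fixed columns, a compliance status per regulation, a review cadence and a link from each regulation to the departments it touches. The script below is an added example (not from this page or any tool it names) showing how to keep that register in code and report overdue reviews, open gaps and per-department obligations. The regulation rows, dates, statuses, gap notes and the 90-day (quarterly) cadence are constructed sample values, not facts from the page.

```python
"""Minimal compliance register with stale-review and gap reporting.

Added example for illustration; the rows below are constructed sample data
using the column names suggested in the steps table (Regulation Name,
Applicability, Key Requirements, Affected Business Areas, Last Review Date).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple, Union

REVIEW_CADENCE_DAYS = 90  # quarterly review, as in step 2 -> 3 (assumed value)


@dataclass
class RegulationEntry:
    name: str
    applicability: str          # "Yes", "No" or "Maybe"
    key_requirements: str
    affected_areas: List[str]   # departments / processes the rule touches
    last_review: date
    status: str                 # "Compliant", "Gap" or "Unknown"
    gap_notes: str = ""


# Constructed sample register: names match regulations the page mentions,
# but every date, status and note here is illustrative only.
SAMPLE_REGISTER = [
    RegulationEntry("DPDP Act 2023", "Yes",
                    "Consent, purpose limitation, breach notification",
                    ["HR", "Customer Service", "Finance"],
                    date(2025, 1, 10), "Gap",
                    "No documented consent records for marketing list"),
    RegulationEntry("RBI Payment Systems guidelines", "Yes",
                    "Card data storage and tokenisation rules",
                    ["Finance"], date(2025, 3, 1), "Compliant"),
    RegulationEntry("GST data retention rules", "Yes",
                    "Retain invoices and returns for the statutory period",
                    ["Finance"], date(2024, 9, 30), "Unknown"),
    RegulationEntry("CERT-In Guidelines 2022", "Maybe",
                    "Incident reporting timelines, log retention",
                    ["IT"], date(2025, 2, 10), "Gap",
                    "Log retention period not confirmed"),
]


def _as_date(today: Union[date, str]) -> date:
    """Accept either a date or an ISO string such as '2025-04-15'."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def overdue_reviews(register: List[RegulationEntry], today: Union[date, str],
                    cadence_days: int = REVIEW_CADENCE_DAYS) -> List[str]:
    """Names of applicable entries whose last review is older than the cadence."""
    cutoff = _as_date(today) - timedelta(days=cadence_days)
    return [e.name for e in register
            if e.applicability != "No" and e.last_review < cutoff]


def open_gaps(register: List[RegulationEntry]) -> Dict[str, Tuple[str, str]]:
    """Applicable entries not marked Compliant, with status and notes."""
    return {e.name: (e.status, e.gap_notes) for e in register
            if e.applicability != "No" and e.status != "Compliant"}


def obligations_by_area(register: List[RegulationEntry]) -> Dict[str, List[str]]:
    """Map each department to the applicable regulations that touch it."""
    out: Dict[str, List[str]] = {}
    for e in register:
        if e.applicability == "No":
            continue
        for area in e.affected_areas:
            out.setdefault(area, []).append(e.name)
    return out


def review_summary(register: List[RegulationEntry], today: Union[date, str]) -> dict:
    """One structure suitable for a quarterly review meeting or a dashboard."""
    return {
        "overdue_reviews": overdue_reviews(register, today),
        "open_gaps": open_gaps(register),
        "by_area": obligations_by_area(register),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_summary(SAMPLE_REGISTER, "2025-04-15"), indent=2))
```

Run it on a review date and the output is the agenda for that quarter's meeting: which entries nobody has looked at in 90 days, which are still open, and which department owns each obligation. Keeping "Maybe" entries in every report is deliberate; an undecided applicability is itself an action item, and dropping it would hide exactly the kind of gap the pitfalls list below warns about.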
Documents and records that prove your maturity level.
- Formal Compliance Register or Checklist document listing all applicable laws, regulations, and industry standards with dates of last review
- Gap Assessment Report showing which regulations your business currently complies with and which have gaps, with remediation plans
- Assignment of Responsibility memo or email clearly identifying which person or role owns compliance tracking and monitoring
- Evidence of Regulatory Updates: subscription confirmations, regulatory body newsletters, or email logs showing you actively monitor new laws
- Compliance Review Meeting Minutes from at least one quarterly or annual review, signed by leadership, showing which regulations were discussed and any action items
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your list of applicable cybersecurity and data protection regulations. How do you stay informed when new rules are introduced?"
- "Which laws and regulations do you believe apply to your business, and why? Can you show me your documented assessment?"
- "How often do you review your compliance obligations, and who is responsible for keeping this information current?"
- "Can you describe the process you follow to translate a new regulation into business practice? Give me an example from the past 12 months."
- "If a customer asks you to confirm compliance with DPDP Act Section 6 or ISO 27001, how would you respond and what evidence would you show?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track and organize applicable laws and regulations in a structured format | Google Sheets or Microsoft Excel with a custom compliance checklist template | Compliance.ai or Hyperproof: ₹30,000–50,000/year (overkill for early-stage MSMEs) |
| Receive automated updates when new Indian cybersecurity or data protection laws are announced | MEITY notifications (sign up at meity.gov.in), CERT-In advisories (cert-in.org.in), Indian Chamber of Commerce newsletters | Klokwork or similar legal update services: ₹15,000–25,000/year |
| Create a simple risk and compliance matrix linking regulations to business processes | Google Docs or Canva with a template; NIST Cybersecurity Framework reference documents (free PDF) | Domo or Tableau for advanced visualization: ₹20,000+/year (not necessary for small business) |
- Assuming only the DPDP Act applies, and ignoring industry-specific rules like RBI Payment Systems guidelines, telecom regulations, or healthcare data rules that may apply based on your customer base or data types.
- Creating a compliance list once and never updating it, missing new amendments or rules released by government bodies; for example, missing DPDP Rules 2024 updates or RBI circular changes affecting your payment processing.
- Assigning compliance responsibility to the IT person without giving them time or authority, resulting in a stale list that no one maintains and no one believes is current.
- Not understanding the difference between corporate compliance (GST, Company Act) and cybersecurity compliance (DPDP, CERT-In), leading to data protection laws being treated as an accounting problem rather than an IT priority.
- Treating a one-time consultant's compliance audit as 'done,' rather than establishing an ongoing process to monitor and respond to regulatory changes quarterly.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 4 (definitions and scope), Section 6 (responsibilities of data processors and controllers), and Schedule 1 (exemptions) |
| CERT-In Guidelines 2022 | Rule 3.4 (cybersecurity incident reporting obligations) and Rule 4 (security practices for service providers) |
| ISO 27001:2022 | Clause 4.2 (Understanding the organization and its context) and Clause 5.1 (Leadership and commitment to compliance) |
| NIST CSF 2.0 | Govern function, GV.RO-03 (Regulatory and Legal Requirements) and GV.RO-04 (Governance metrics and reporting) |