If customer data leaks—say a hacker gets your e-commerce customer list with phone numbers and email addresses—you face government fines under DPDP Act 2023 (up to ₹50 crore), lawsuits from angry customers, and loss of business trust. A real example: a Delhi-based fintech startup lost ₹2 crore in business after customer payment card data was exposed because it was stored in the same unsecured folder as employee photos. Banks and large retailers your business works with will audit you, reject you as a vendor, or demand expensive fixes if you can't prove personal data gets special treatment. Your insurance may also refuse to cover a breach if you haven't shown basic separation of sensitive data.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent (level 0): You find customer data mixed in with general files—spreadsheets with customer names and addresses sitting in a shared folder next to marketing flyers, with no password protection or access controls. Everyone in the office can see everything, and backup copies are stored on whoever's laptop happens to have them.
- Initial (level 1): You've started putting some customer files in a separate folder with a password, but the password is written on a sticky note and shared among staff, and not all customer data is included (some still sits in general shared drives). Backups happen occasionally but are not tracked, and there's no documented list of who should have access.
- Developing (level 2): You have a dedicated folder or database for customer data with password protection, and access is limited to specific staff roles (e.g., only the sales team can see customer names and phone numbers). A basic backup is done weekly, but there's no formal policy written down, and no one has formally documented what counts as 'customer data' versus general data.
- Defined (level 3): You have a written Data Handling Policy that clearly defines what counts as personal/customer data, who can access it, and how it must be stored (encrypted, password-protected). You audit access once a month, employees sign a confidentiality agreement, and backups are done automatically twice a week with basic encryption—but testing of backups is not yet routine.
- Managed (level 4): Your Data Handling Policy is detailed, enforced by role-based access controls in your systems (e.g., database permissions set up properly), and all personal data is encrypted both when stored and when moving between systems. You conduct quarterly access audits, run backup recovery tests every quarter, maintain a data inventory spreadsheet, and train new hires on data handling before they access customer information.
- Optimised (level 5): You have an automated data classification system that tags all personal data as it enters your systems, encryption is enforced at every layer (storage, transmission, backups), access logs are monitored continuously for suspicious behavior, and you conduct annual penetration testing to verify customer data is isolated. Staff training on data handling happens annually with documented attendance, and you have a documented incident response plan tested at least once a year—with evidence of lessons learned and improvements made.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Identify and list all files and locations where customer/personal data currently lives (customer lists, order records, payment info, contact details); move all of them to a single dedicated folder and protect it with a strong password (no sticky notes); create a one-page written list of what counts as customer data so your team knows | Business owner or office manager | 1-2 days |
| 1 → 2 | Write a simple one-page Data Handling Policy stating what data is sensitive, who can access it (by job role), how it should be stored (password-protected folder or basic database), and that backups must happen weekly; print and post it; set up automatic weekly backups to an external drive kept in a locked cabinet | Business owner with IT support (freelancer if needed) | 1 week |
| 2 → 3 | Expand the Data Handling Policy to include encryption requirements, a data inventory list (Excel: what data, where stored, who accesses it, last update), monthly access review process (who logged in when), and a basic confidentiality agreement template from a local lawyer; have staff sign and keep records | Business owner, HR/office manager, IT person | 2-3 weeks |
| 3 → 4 | Implement user account access controls (different login credentials per person, not shared passwords), enable encryption on the folder/database storing customer data, set up automatic encrypted backups twice weekly, create a quarterly backup recovery test checklist, and conduct staff training with a sign-in sheet documenting attendance | IT person or external consultant | 1-2 months |
| 4 → 5 | Deploy automated tools to monitor access logs in real-time for unusual activity (e.g., someone accessing customer data at 2 AM), conduct annual penetration testing or security audit by third party, document all findings and improvements made, update policy annually based on audit results, and maintain a breach response plan with annual practice drill | IT person, external security consultant, business owner | Ongoing (quarterly reviews, annual testing) |
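The first two steps above both start with the same task: finding every file that actually holds customer data and recording where it lives. The script below is an added example (it is not part of the NIRMATA page or any tool it lists) that walks a folder tree, counts Indian mobile numbers and e-mail addresses in plain-text files, flags spreadsheets, PDFs and database files for manual review, and writes a data-inventory CSV with the columns the 2 → 3 step asks for. The folder layout, file names and the regular expressions are assumptions; the sample files are constructed in a temporary folder so the script runs offline.

```python
"""Build a data-inventory CSV by scanning a shared drive for personal data.
Added example for the steps table; the patterns and sample files are assumed."""
import csv
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

# Assumed patterns: Indian mobile numbers (optional +91/0 prefix, first digit 6-9,
# ten digits) and e-mail addresses. Deliberately simple; tune them to your data.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{9}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

TEXT_SUFFIXES = {".txt", ".csv", ".md", ".json", ".log", ".html"}
# Files that often hold customer data but are not parsed here (binary or encrypted).
REVIEW_SUFFIXES = {".xlsx", ".xls", ".pdf", ".db", ".mdb", ".accdb", ".zip", ".hc"}

FIELDS = ["path", "status", "phones", "emails", "last_modified"]


def classify_file(path: Path) -> Optional[Dict[str, object]]:
    """Return an inventory row if the file looks like it holds personal data."""
    suffix = path.suffix.lower()
    row: Dict[str, object] = {
        "path": str(path), "phones": 0, "emails": 0,
        "last_modified": datetime.fromtimestamp(path.stat().st_mtime).isoformat(timespec="seconds"),
    }
    if suffix in REVIEW_SUFFIXES:
        row["status"] = "review-manually"   # cannot be read here; a person must check it
        return row
    if suffix not in TEXT_SUFFIXES:
        return None                         # photos, installers etc. are skipped
    text = path.read_text(encoding="utf-8", errors="replace")
    row["phones"] = len(PHONE_RE.findall(text))
    row["emails"] = len(EMAIL_RE.findall(text))
    if row["phones"] == 0 and row["emails"] == 0:
        return None                         # plain text with no personal data
    row["status"] = "personal-data"
    return row


def build_inventory(root: Path, out_csv: Path) -> List[Dict[str, object]]:
    """Scan root recursively, write the inventory CSV and return the rows."""
    rows = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            row = classify_file(Path(dirpath) / name)
            if row is not None:
                rows.append(row)
    with out_csv.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows


def demo() -> Dict[str, Dict[str, object]]:
    """Build a constructed shared-drive layout and return rows keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Sales").mkdir()
        (root / "Marketing").mkdir()
        # Constructed sample data; names and numbers are made up.
        (root / "Sales" / "customers.csv").write_text(
            "name,phone,email\nAsha Rao,9876543210,asha@example.com\n"
            "Vikram Shah,+91 9123456789,vikram@example.in\n")
        (root / "Sales" / "orders.xlsx").write_bytes(b"PK\x03\x04 binary placeholder")
        (root / "Marketing" / "flyer.txt").write_text("Diwali sale! 20% off all orders above 2000.\n")
        (root / "Marketing" / "team.jpg").write_bytes(b"\xff\xd8\xff placeholder")
        rows = build_inventory(root, root / "data_inventory.csv")
        return {Path(str(r["path"])).name: r for r in rows}


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16} {row['status']:16} phones={row['phones']} emails={row['emails']}")
```

Run it against the real shared drive by calling `build_inventory(Path("/path/to/share"), Path("data_inventory.csv"))`; the resulting CSV, with a "who has access" column added by hand, is the inventory spreadsheet the evidence list below asks for. Files marked review-manually are the ones most likely to be the forgotten copies mentioned in the pitfalls.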
Documents and records that prove your maturity level.
- Written Data Handling Policy document (even 1-2 pages) that defines what is personal/customer data, who can access it, and how it must be protected
- Data Inventory spreadsheet or list showing: data type (customer names, addresses, payment cards, etc.), storage location, who has access, last updated date
- Access control records or screenshots showing role-based permissions in place (e.g., 'Sales team can view customer names and phone numbers; Finance team cannot')
- Signed confidentiality or data handling agreement forms from staff members, kept in personnel files
- Backup and recovery test logs showing date, what was backed up, tested recovery success, any issues found and fixed
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your Data Handling Policy and tell me specifically what counts as personal or customer data in your business?"
- "Who in your organization has access to customer data, and can you prove that access is limited to only those who need it for their job?"
- "If a customer's phone number or address was accidentally deleted, could you recover it from backup? When was the last time you tested this?"
- "What happens if a staff member quits? How do you remove their access to customer data, and do you have a record showing this was done?"
- "Has anyone in your organization received training on how to handle and protect customer data? Can you show me training records or attendance sheets?"
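The backup recovery test log in the evidence list and the reviewer's question about restoring a deleted phone number are the same control seen from two sides. The script below is an added example, not from the NIRMATA page or any listed product, of a scripted recovery test: it backs up a customer-data folder into a zip archive with a SHA-256 manifest, restores the archive into a fresh folder, verifies every file against the manifest, and appends a dated line to a test log. It then repeats the test on a deliberately truncated copy of the archive to show what a failed test looks like. Folder layout and file names are constructed; encrypting the archive itself is left to the tools named in the table below (VeraCrypt, Duplicati).

```python
"""Scripted backup recovery test with a SHA-256 manifest and an evidence log.
Added example; the folder layout and sample files are assumptions."""
import hashlib
import json
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Tuple

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Zip every file under source; store a manifest of relative path -> SHA-256."""
    manifest: Dict[str, str] = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            zf.write(file, rel)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2))
    return manifest


def verify_recovery(archive: Path, restore_dir: Path) -> Dict[str, object]:
    """Restore the archive into restore_dir and verify each file; return a record."""
    result: Dict[str, object] = {"archive": archive.name, "restored": 0, "missing": [],
                                 "mismatched": [], "error": None, "success": False}
    try:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(restore_dir)
        manifest = json.loads((restore_dir / MANIFEST_NAME).read_text())
    except (zipfile.BadZipFile, OSError, ValueError) as exc:
        # A truncated copy, a lost container or an unreadable manifest all end here.
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_of(target) != expected:
            result["mismatched"].append(rel)
        else:
            result["restored"] += 1
    result["success"] = not (result["missing"] or result["mismatched"])
    return result


def append_test_log(log_path: Path, result: Dict[str, object]) -> str:
    """Append one evidence line (date, archive, outcome, issues) and return it."""
    issues = result["error"] or ", ".join(result["missing"] + result["mismatched"]) or "none"
    line = (f"{datetime.now(timezone.utc).isoformat(timespec='seconds')} | "
            f"{result['archive']} | restored={result['restored']} | "
            f"success={result['success']} | issues={issues}")
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Run one good recovery test and one against a truncated copy of the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "customer_data"
        (source / "orders").mkdir(parents=True)
        # Constructed sample files; names and values are made up.
        (source / "customers.csv").write_text("name,phone\nAsha Rao,9876543210\n")
        (source / "orders" / "march.csv").write_text("order,amount\n1001,2500\n")
        archive = root / "customer_data_backup.zip"
        create_backup(source, archive)
        log = root / "backup_test_log.txt"

        good = verify_recovery(archive, root / "restore_good")
        append_test_log(log, good)

        # Simulate an incomplete copy of the backup: keep only the first half.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_recovery(archive, root / "restore_bad")
        append_test_log(log, bad)
        return good, bad


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The log lines this writes (date, archive name, files restored, success flag, issues) are exactly the fields the evidence list asks for, so the quarterly test from step 3 → 4 can be a scheduled run of this script followed by someone reading the last line. Restoring into a fresh folder, never over the live data, is what makes the test safe to run on a schedule.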
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store encrypted password-protected folders or databases for customer data, with access logs | LibreOffice Base (simple database), VeraCrypt (folder encryption), Google Drive with sharing restrictions (limit who can access a shared folder) | Microsoft Access ₹4,000-6,000/year; Zoho Creator ₹5,000-15,000/year; QuickFile ₹3,000-8,000/year |
| Track who accessed customer data and when (access logs and audit trails) | Windows Event Viewer (built-in), file permissions audit via right-click Properties | Veeam ONE ₹10,000-50,000/year; Netwrix Auditor ₹2,50,000+/year (enterprise, skip for MSME) |
| Automate encrypted backups of customer data folders | Duplicati (open-source, encrypted), Bacula Community Edition | Acronis Backup ₹8,000-15,000/year; Nakivo ₹20,000-50,000/year |
| Encrypt files and folders to protect customer data at rest | VeraCrypt (open-source), 7-Zip with AES encryption, built-in Windows BitLocker (Pro/Enterprise versions) | WinRAR ₹2,000 one-time; SecureFile ₹5,000-10,000/year |
| Create and manage access control policies and documentation | Google Docs/Sheets, LibreOffice Writer, GitHub (for policy version control) | Microsoft 365 ₹5,000-12,000/year; Confluence ₹10,000-30,000/year |
- Treating 'Data Handling Policy' as a one-time checkbox instead of something actually enforced—policy sits in a drawer, but staff still email customer lists to personal Gmail accounts unencrypted
- Storing customer data across too many places (spreadsheet on one person's laptop, old database on a shared server, printed copies in a filing cabinet) and losing track of what exists where—making it impossible to protect or audit
- Confusing 'password protection' with real security—using a simple password that never changes, shared among all staff, written down, or using the same password for every sensitive folder
- Not testing backup recovery—assuming backups work but discovering during a real emergency that encrypted backups can't be restored because the password was lost or the file is corrupted
- Hiring or firing staff without revoking/granting access to customer data systems—ex-employees or new hires accessing files they shouldn't, or leaving customer data exposed when someone leaves
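Three of the items on this page come down to reading the access log with a list of who is allowed what: the 4 → 5 step's "someone accessing customer data at 2 AM", the reviewer questions about proving access is limited and about leavers, and the last pitfall above. The script below is an added example, not from the NIRMATA page, of a monthly access-log review. It reads constructed log lines in an assumed `timestamp|user|action|path` format, checks each access against an assumed role model and a list of leavers, flags out-of-hours activity, and returns findings you can attach to the access-review record.

```python
"""Monthly access-log review for a customer-data share.
Added example; the log format, role model and sample lines are assumptions."""
from collections import Counter
from datetime import datetime, time
from typing import Dict, List

# Assumed role model: top-level folders each role may open. Everything else is denied.
ROLE_ACCESS = {
    "sales": {"customers", "orders"},
    "finance": {"orders", "payments"},
    "marketing": set(),          # marketing never needs customer data
}
STAFF_ROLE = {"asha": "sales", "vikram": "finance", "meera": "marketing"}
LEAVERS = {"rahul"}              # accounts that should have been disabled on exit
BUSINESS_HOURS = (time(8, 0), time(20, 0))

# Constructed sample log; users, paths and times are made up.
SAMPLE_LOG = """\
2024-03-04T10:15:02|asha|READ|customers/customer_list.csv
2024-03-04T11:40:19|vikram|READ|payments/march_settlements.csv
2024-03-04T14:05:44|meera|READ|customers/customer_list.csv
2024-03-05T02:13:07|asha|COPY|customers/customer_list.csv
2024-03-05T09:30:00|rahul|READ|orders/open_orders.csv
2024-03-05T16:45:12|vikram|READ|orders/open_orders.csv
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into its fields; the folder is the first path segment."""
    ts, user, action, path = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "folder": path.split("/", 1)[0]}


def check_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons an access event should be reviewed (empty if none)."""
    reasons = []
    user, folder = event["user"], event["folder"]
    if user in LEAVERS:
        reasons.append("account belongs to a leaver; access should have been revoked")
    elif user not in STAFF_ROLE:
        reasons.append("account not in the staff list")
    elif folder not in ROLE_ACCESS[STAFF_ROLE[user]]:
        reasons.append(f"role '{STAFF_ROLE[user]}' is not allowed in '{folder}'")
    at = event["time"].time()
    if not BUSINESS_HOURS[0] <= at <= BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    return reasons


def review(log_text: str) -> List[Dict[str, str]]:
    """Run every line through check_event and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        reasons = check_event(event)
        if reasons:
            findings.append({"time": event["time"].isoformat(), "user": event["user"],
                             "action": event["action"], "path": event["path"],
                             "reasons": "; ".join(reasons)})
    return findings


def findings_per_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged events per account, a quick view for the review meeting."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding['time']} {finding['user']:8} {finding['action']:5} "
              f"{finding['path']}: {finding['reasons']}")
    print(findings_per_user(review(SAMPLE_LOG)))
```

On the sample log the review flags the marketing account opening the customer list, the 02:13 copy of the same file, and the leaver's account still reading orders; the two finance reads pass. Keeping `STAFF_ROLE` and `LEAVERS` in a file that HR updates on every joiner and leaver is what turns this from a one-off script into the access-review process the 2 → 3 step describes.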
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Principles of processing personal data) and Section 10 (Security of personal data) require different handling and reasonable security measures for personal data vs. general data |
| CERT-In 2022 | Guidelines Section 3 (Data Protection & Confidentiality) recommends role-based access control and encryption for sensitive personal data |
| ISO 27001:2022 | Annex A.5.1 (Access control policy), A.8.2 (Classification and handling of information), A.8.3 (Handling of access rights) |
| NIST CSF 2.0 | Protect Function, Manage Data / Information / Processes (Subcategory GV.DM-02: Data classification and handling) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.