NCSRC NIRMATA
RC-08 Risk & Compliance 20% of OML score

Are responsibilities clearly defined for handling sensitive or personal information?

Does your business have a written, clear list of who is responsible for protecting customer data, employee information, and other sensitive business secrets? When something goes wrong with that data, can you immediately point to one person or team who should have prevented it?

⚡
Why This Matters to Your Business

Without clear responsibility, sensitive data gets lost, misused, or stolen, and no one admits fault or takes action. If a customer's payment details leak because your accountant and IT person each assumed the other was securing them, you face regulatory penalties (from RBI if you are a regulated entity, and under the DPDP Act 2023 for personal data), loss of customer trust, and possible legal cases. A Delhi fintech firm lost ₹2.3 crore in customer deposits when no one was assigned responsibility for backup security; the regulator fined them ₹50 lakh and forced them to halt operations for 6 months. Your competitors will win those customers, and you may never recover.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written job descriptions or responsibility assignments for handling data. Everyone handles customer or financial information without anyone knowing who should protect it, audit it, or respond if it's breached.

Level 1
Initial

You have a general IT person or manager, but their data-handling responsibilities are not written down or communicated. During a data incident, you waste time working out who should act.

Level 2
Developing

You have a written list of who handles what data (e.g., accountant handles invoices, HR handles employee records, admin handles customer contact info). However, it is not regularly reviewed or updated, and staff may not know it exists.

Level 3
Defined

You have a written Data Responsibility Matrix that names individuals for each type of sensitive data (customer PII, financial records, employee details), shared with all staff. You review it annually or when someone changes roles.

Level 4
Managed

Your responsibility matrix includes specific actions: who collects, stores, shares, deletes, and audits each data type. Training records show staff understand their duties, and you measure compliance with spot checks.

Level 5
Optimised

Responsibilities are embedded in automated controls, audit logs, and role-based access: the people named in the matrix are the ones provisioned with access, and their actions on each data type are logged. The matrix is reviewed quarterly and updated within 1 week of any role change, and compliance is measured continuously with dashboards and third-party audits.

🚀
How to Move Up — Practical Steps
Step 0 → 1
  What to do: Meet with your IT person and/or business manager for 1–2 hours. Identify who currently handles customer data, financial records, employee information, and passwords. Write down their names and basic responsibilities in a simple Word document or Google Sheet.
  Who: Owner or office manager
  Effort: 1 day (up to 2 hours meeting + 2 hours documentation)

Step 1 → 2
  What to do: Expand your document into a Data Responsibility Matrix: list every type of sensitive data your business holds (customer contact info, payment details, employee PII, client contracts, tax records). For each type, write who is responsible for collecting, storing, protecting, and deleting it. Distribute it to staff by email or printed copy.
  Who: IT person and/or manager, approved by owner
  Effort: 1 week (4–5 hours initial mapping, 2 hours review, 1 hour distribution)

Step 2 → 3
  What to do: Formalise the matrix as a policy document with sign-off. Add a version number, a date, and a statement that staff must acknowledge receipt. Hold a brief (15-minute) team meeting to explain responsibilities. Collect signed acknowledgment forms from each team member and keep them on file.
  Who: Manager or compliance lead, owner sign-off
  Effort: 2–4 weeks (8 hours drafting, legal/compliance review if external, 2 hours meeting + follow-up)

Step 3 → 4
  What to do: Extend the matrix to specific actions: who approves access to sensitive data, who reviews logs, who responds if data is lost or breached, and the timeline for each action (e.g., reporting a cyber incident to CERT-In within the 6-hour window its 2022 Directions require, and a defined timeline for notifying affected customers). Run annual refresher training with sign-off. Perform quarterly spot checks (audit 1–2 data-handling processes per quarter and document the findings).
  Who: Compliance officer or senior manager, with IT input
  Effort: 1–2 months (16 hours design + training, 2 hours/quarter for audits)

Step 4 → 5
  What to do: Integrate the matrix into role-based access control (RBAC) in your systems: the IT person provisions access only to the people the matrix names, log reviews are automated, and an alert fires when someone outside the matrix accesses a data type. Conduct quarterly compliance reviews and an annual third-party security audit. Update the matrix within 1 week of any role change or new data type.
  Who: IT manager and external auditor or consultant
  Effort: Ongoing (1 hour/month reviews, 1 week/quarter for updates, annual audit)
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Data Responsibility Matrix or Policy document (dated, versioned) listing who handles each data type and their specific duties
  • Signed acknowledgment forms from all staff confirming they received and understood the policy
  • Job descriptions or role documents that include data-handling responsibilities
  • Incident response plan naming who investigates, who notifies, and who communicates with customers/authorities in case of a breach
  • Audit trail or checklist showing that responsibility assignments were reviewed in the past 12 months and updated when roles changed
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me the document that lists who is responsible for protecting customer data. Who is named for each type of sensitive information your business holds?"
  • "If a customer's personal information was leaked today, who in your organization would be notified first, and who would decide how to respond?"
  • "Can you prove that your staff have been informed of their data-handling responsibilities? Where are the signed acknowledgments?"
  • "When an employee leaves or changes roles, how do you update responsibilities and revoke their access to sensitive data? Show me the process and recent examples."
🛠
Tools That Work in India
Purpose: Create and maintain the Data Responsibility Matrix with version control and distribution
  Free option: Google Docs or Google Sheets (built-in sharing and version history)
  Paid option: Microsoft Word/Excel with OneDrive (included in Microsoft 365 Business at ₹450–600/user/month)

Purpose: Track signed acknowledgments and staff training completion
  Free option: Google Forms (collects responses, limited analytics) or Airtable free tier (database with forms)
  Paid option: DocuSign (₹5,000–15,000/month for eSignature) or JotForm (₹1,500–4,000/month)

Purpose: Log and audit who accessed sensitive data and when, to verify responsibilities are being followed
  Free option: Linux auditd file watches and Windows Event Viewer (file-access events appear only after you enable object-access auditing and add an audit entry on the folder); open-source tools such as osquery
  Paid option: Splunk (₹8,000–25,000/month depending on data volume) or Fortinet FortiSIEM (₹50,000–2,00,000/year)
🛡
How This Makes You More Resilient
When responsibilities are clear, your team responds to data incidents in hours instead of days—reducing damage and fines. Staff know what they must do to protect data daily, so breaches from confusion or negligence drop sharply. Customers and regulators see a mature organization, boosting trust and making audits, certifications, and partnerships easier to win.
⚠️
Common Pitfalls in India
  • Creating a responsibility document but never sharing it with staff—employees don't know the policy exists or what is expected of them, so nothing changes
  • Assigning all data responsibility to a single person (e.g., the IT person) without a backup: if that person leaves or is sick, no one knows what to do, and data handling collapses
  • Not updating responsibilities when staff turnover occurs—a person who quit 6 months ago still 'owns' customer data access on paper, creating confusion and security gaps during incidents
  • Copying responsibility from another company's policy without adapting to your actual business processes—the matrix does not match reality, so staff ignore it and do things their own way
  • Failing to document incident response ownership—when a breach happens, you spend critical hours arguing who should call the police, notify customers, or preserve evidence instead of acting fast
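The 4 → 5 step and the pitfalls above come down to one recurring check: does the matrix match who is actually on staff and who actually touches the data? The script below is an added example for this guide, not code from the NIRMATA framework or any tool named on this page. It reconciles a constructed Data Responsibility Matrix against a constructed HR directory and access log and reports the gaps the guide warns about: data types with no owner or no backup, assignees who have left, a matrix not refreshed within a week of a role change, and access by people the matrix never named. The data-type names, people, dates and log format are assumptions; in practice you would load the matrix from the spreadsheet the guide describes and the log from an auditd, osquery or Event Viewer export.

```python
"""Reconcile a Data Responsibility Matrix against HR records and an access log.

Added example for the RC-08 guide (not part of NIRMATA). Every name, data type,
date and log line below is constructed; the log format is an assumption.
"""
from datetime import date, timedelta

# Constructed matrix: data type -> role assignments, plus the date it was last reviewed.
MATRIX_REVIEWED_ON = date(2024, 5, 1)
MATRIX = {
    "customer_pii":     {"owner": "priya", "backup": "arjun", "auditor": "meera"},
    "payment_details":  {"owner": "arjun", "backup": None,    "auditor": "meera"},
    "employee_records": {"owner": "rahul", "backup": "priya", "auditor": "meera"},
    "tax_records":      {"owner": None,    "backup": None,    "auditor": None},
}

# Constructed HR directory: current role, date of last role change, leaving date if any.
STAFF = {
    "priya": {"role": "admin",      "role_changed_on": date(2023, 1, 10), "left_on": None},
    "arjun": {"role": "accountant", "role_changed_on": date(2024, 5, 20), "left_on": None},
    "meera": {"role": "manager",    "role_changed_on": date(2022, 7, 1),  "left_on": None},
    "rahul": {"role": "hr",         "role_changed_on": date(2021, 4, 1),  "left_on": date(2024, 3, 31)},
}

# Constructed access log, one event per line: "<ISO timestamp> <user> <action> <data_type>".
ACCESS_LOG = """\
2024-06-03T09:12:44 priya read   customer_pii
2024-06-03T09:15:02 arjun read   payment_details
2024-06-03T10:01:17 rahul read   employee_records
2024-06-03T11:40:09 sunil export customer_pii
2024-06-03T12:05:55 meera read   payment_details
"""

GRACE_DAYS = 7  # Level 5 target: matrix updated within one week of a role change


def assignees(matrix, data_type):
    """People named in any role for a data type (empty set for an unknown type)."""
    return {p for p in matrix.get(data_type, {}).values() if p}


def matrix_findings(matrix, reviewed_on, staff, today):
    """Gaps in the matrix itself, as (finding, data_type, person) tuples."""
    findings = []
    for data_type, roles in matrix.items():
        if not roles.get("owner"):
            findings.append(("no_owner", data_type, None))
        if not roles.get("backup"):
            findings.append(("no_backup", data_type, None))
        for person in assignees(matrix, data_type):
            rec = staff.get(person)
            if rec is None:
                findings.append(("unknown_person", data_type, person))
                continue
            if rec["left_on"] and rec["left_on"] <= today:
                findings.append(("departed_assignee", data_type, person))
            # Role changed after the last review and the one-week grace period has passed.
            if (rec["role_changed_on"] > reviewed_on
                    and today - rec["role_changed_on"] > timedelta(days=GRACE_DAYS)):
                findings.append(("stale_after_role_change", data_type, person))
    return findings


def parse_access_log(text):
    """Parse the constructed log format into dicts; lines without four fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, data_type = parts
        events.append({"ts": date.fromisoformat(ts[:10]), "user": user,
                       "action": action, "data_type": data_type})
    return events


def access_findings(matrix, staff, events):
    """Accesses the matrix does not authorise, or that happened after the person left."""
    findings = []
    for ev in events:
        if ev["user"] not in assignees(matrix, ev["data_type"]):
            findings.append(("unassigned_access", ev["data_type"], ev["user"]))
        left = staff.get(ev["user"], {}).get("left_on")
        if left and ev["ts"] > left:
            findings.append(("access_after_departure", ev["data_type"], ev["user"]))
    return findings


def reconcile(today=date(2024, 6, 5)):
    """Run both checks and return the combined findings, sorted for stable output."""
    findings = (matrix_findings(MATRIX, MATRIX_REVIEWED_ON, STAFF, today)
                + access_findings(MATRIX, STAFF, parse_access_log(ACCESS_LOG)))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for kind, data_type, person in reconcile():
        print(f"{kind:24} {data_type:18} {person or '-'}")
```

Two of the findings illustrate why the matrix and the log must be checked together: rahul's read of employee_records is "authorised" on paper because he is still named as owner, so only the HR leaving date exposes it, and sunil's export of customer_pii passes no HR check at all because he is not on the matrix. Wire the same logic to your RBAC provisioning and you get the Level 5 alert the 4 → 5 step describes.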
⚖️
Compliance References
Standard: DPDP Act 2023
  Relevant section: Section 8 (general obligations of a Data Fiduciary, including responsibility for processing done on its behalf and intimation of personal data breaches to the Data Protection Board and affected Data Principals) and Section 10 (Significant Data Fiduciaries must appoint a Data Protection Officer)

Standard: CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act)
  Relevant section: Reporting of cyber incidents to CERT-In within 6 hours, designation of a Point of Contact to interface with CERT-In, and retention of ICT system logs for 180 days

Standard: ISO 27001:2022
  Relevant section: Clause 5.3 (organisational roles, responsibilities and authorities), Clause 7.2 (competence), Annex A 5.2 (information security roles and responsibilities) and A 5.4 (management responsibilities)

Standard: NIST CSF 2.0
  Relevant section: Govern Function: GV.RR-02 (roles, responsibilities and authorities for cybersecurity risk management are established, communicated, understood and enforced); Protect Function: PR.AA-05 (access permissions and authorisations are defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties)

The NIRMATA self-assessment covers 191 questions across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org