Data Privacy Checklist - India Startups

Due Diligence

Data Collection & Storage

  • Categories of user data collected from customers, and which of them count as sensitive personal data or information (SPDI)
  • How is consent obtained for collecting sensitive personal data, and is the consent recorded?
  • List of third-party tools/services (sub-processors) used to process or store data, and what data each one receives
  • Geographical locations where data is stored and processed, including backups and sub-processor locations

Data Security Controls

  • Encryption mechanisms used to protect sensitive data in transit (TLS version and configuration) and at rest (algorithm and key management)
  • Authentication mechanisms for the various interfaces and dashboards, including whether multi-factor authentication is enforced for admin access
  • Access control policies: password policy, principle of least privilege, periodic access reviews, revocation on employee exit, etc.
  • Backup policy and retention period for user data, whether backups are encrypted, and whether restoration is tested

Data Handling Policies

  • Process for handling user requests to access or correct their data, and the turnaround time
  • Policy for data sharing with third parties (if any), and the contractual terms governing it
  • Data retention schedules and policy, and how retention limits are enforced
  • Mechanisms that allow users to delete their data or close their account, and whether deletion propagates to backups and third parties

IT Systems & Servers

  • Architecture diagrams of the various application components and the data flow between them
  • List of internal servers and systems, their purposes, and who administers them
  • IT security controls such as firewalls, intrusion detection, centralised audit logging, patch management, etc.

Compliance Frameworks

  • Implementation status of security policies aligned with ISO 27001, and whether certification has been obtained
  • Alignment with recognised privacy regulations or frameworks such as GDPR (relevant where EU users are served)
  • Have third-party audits (e.g. VAPT, ISO 27001, SOC 2) been undertaken in the last 2 years? If yes, share the reports
  • Is the company registered with, or has it made any filings to, a Data Protection Authority in India?