Data Security Policy Template for Indian SMEs
Why Small Businesses Need a Data Security Policy
Indian SMEs handle sensitive data — employee Aadhaar numbers, customer contact information, financial records, and business contracts. Despite this, many small businesses operate without a documented security policy. The DPDP Act 2023 now requires every data fiduciary, SMEs included, to implement reasonable security safeguards to prevent personal data breaches, and a written policy is the starting point for showing that those safeguards exist.
Policy Scope
This policy applies to all employees, contractors, vendors, and third parties who access company data or systems. It covers: data classification, access control, password management, device security, network security, incident response, and data retention.
Data Classification
- Public: Marketing materials, job postings, press releases. No restrictions on sharing.
- Internal: Internal policies, org charts, training materials. Available to all employees.
- Confidential: Customer data, financial records, employee PII, contracts. Access restricted to need-to-know.
- Restricted: Trade secrets, intellectual property, board materials. Access granted only by explicit approval.
Access Control Requirements
- Every user has a unique account. Shared accounts are prohibited.
- Role-based access — users get only the permissions they need for their role.
- Quarterly access reviews — managers confirm their team's access is still appropriate.
- Immediate revocation on employee offboarding — access disabled within 1 hour of notification.
- Multi-factor authentication (MFA) enforced on all systems containing confidential or restricted data.
Password Policy
- Minimum 12 characters with a mix of uppercase, lowercase, numbers, and symbols. New passwords are also screened against known-breached password lists; NIST SP 800-63B recommends that screen and treats length, rather than character-class rules, as the main strength control.
- Passwords changed immediately if a breach is suspected; otherwise no forced periodic expiry (NIST SP 800-63B).
- Password manager recommended for all employees — no sticky notes, no browser-saved passwords on shared devices.
- Default passwords changed before any system is put into production.
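As an added example (not part of the policy template), the following Python validator applies the password rules above to a candidate password: minimum length, character-class mix, and an offline screen against a breach corpus. The breach corpus is a constructed three-entry sample standing in for a real list such as the Have I Been Pwned "Pwned Passwords" set; the lookup mirrors that service's k-anonymity range query (only the first five hex characters of the SHA-1 are used as the key), so a candidate password never needs to leave the host. The function and variable names are assumptions of this example.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 12

# Constructed sample of known-breached passwords. An offline stand-in for a
# real breach corpus such as HIBP Pwned Passwords; these are not real data.
SAMPLE_BREACHED_PASSWORDS = {
    "Password123!",
    "Welcome@2024",
    "Mumbai@123456",
}


def _sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format used by the HIBP range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached passwords the way the HIBP range API serves them:
    5-hex-char SHA-1 prefix -> set of 35-hex-char suffixes.  A client only
    ever sends the prefix, so the candidate password stays on the host."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(SAMPLE_BREACHED_PASSWORDS)


def is_breached(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> bool:
    """True if the password's SHA-1 suffix appears under its 5-char prefix."""
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


# Character classes required by the policy. Anything that is not a letter or
# digit (including whitespace) counts as a symbol.
CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    All checks run (no early return) so the user sees everything to fix."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CLASS_PATTERNS.items() if not pat.search(password)]
    if missing:
        failures.append("missing character class(es): " + ", ".join(missing))
    if is_breached(password, index):
        failures.append("appears in a known-breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ["Tq7#vL9&xR2m", "Password123!", "short1!", "correcthorsebatterystaple"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

In production the `BREACH_INDEX` lookup is replaced by a query of the corpus with the same 5-character prefix, and the failure list is returned to the user verbatim so a rejected password can be fixed in one attempt.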
Incident Response
Any suspected security incident (lost device, phishing click, unusual account activity, system breach) must be reported to IT within 1 hour. IT triages and classifies the severity within 2 hours. For a confirmed personal data breach, the DPDP Act 2023 (section 8(6)) requires the company, as data fiduciary, to notify the Data Protection Board of India and each affected Data Principal; the Act leaves the form and timing to the DPDP Rules, which set a 72-hour window for the report to the Board, so that clock is planned from the moment the breach is confirmed. Separately, the CERT-In directions of April 2022 require cyber incidents of the listed types to be reported to CERT-In within 6 hours of noticing them, which is the tighter deadline and the one the incident owner should track first.
Policy Review
This policy is reviewed annually or after any significant security incident. All employees acknowledge the policy upon joining and after each update. Non-compliance may result in disciplinary action up to and including termination.