Ask a compliance head at a mid-sized Indian company how many applications in their organization collect personal data.
Most will pause.
They will name the CRM. The HRMS. The company website. Maybe the customer support tool. Then they will start to hesitate, because the honest answer is that they are not entirely sure. Someone in marketing added a chatbot last quarter. The finance team is using a cloud-based invoicing tool with a free tier. The sales team communicates with leads over WhatsApp. The IT helpdesk runs on a third-party ticketing system where employees log issues with their names and contact details.
Each of these is collecting, storing, or transmitting personal data. None of them may be in the formal data inventory.
This is not unique to one organization or one industry. It is the default state of most modern businesses. Applications accumulate faster than governance frameworks can track them. And the DPDP Act, 2023, does not make any distinction between data collected through a carefully managed enterprise system and data collected through a plugin someone installed without telling the IT team.
Where Personal Data Actually Lives
The DPDP Act defines personal data broadly as any data about an individual which is identifiable by or in relation to such data. That definition covers a much wider set of organizational touchpoints than most companies have mapped.
Customer-facing touchpoints are usually the most visible. Website contact forms, e-commerce checkout flows, app registrations, newsletter signups, chatbots, and loyalty programmes. Most organizations have some awareness of these, though the extent to which third-party tools embedded in these flows are themselves collecting and storing data is often underestimated. A website running five analytics scripts, a session recording tool, a live chat widget, and a cookie consent banner is potentially sharing visitor data with five different vendors, each with their own data processing practices.
HR and employee data is frequently underinvested in from a privacy perspective. Recruitment platforms collect candidate data that may sit in the vendor’s servers long after the position is filled. Payroll processors handle sensitive financial information. Performance management tools store appraisal records. Background verification agencies process identity documents. Employee health insurance portals hold medical data. The volume of personal data in the average HR function is significant, and the number of third parties involved is usually larger than anyone has formally documented.
Operational and support systems are the blind spot most organizations discover last. Customer support platforms like Zendesk or Freshdesk store full conversation histories including personal details shared in support tickets. Billing and invoicing software stores financial and contact data. Delivery and logistics integrations collect addresses. WhatsApp Business accounts, used casually by sales teams across India, are processing contact data on Meta’s infrastructure with terms that most organizations have never reviewed in a compliance context.
Shadow IT is the category that keeps data protection officers awake. These are the tools employees adopt without formal IT approval because they solve a problem quickly. Free cloud storage accounts where client files are uploaded. Google Forms used for internal surveys that collect employee responses. Browser extensions that sync browsing data. The organization often has no formal relationship with the vendor, no data processing agreement, and no visibility into what data is being collected or where it is stored.
What Data Inventorization Actually Requires
The DPDP Rules, 2025, require organizations to be able to account for what personal data they hold, where it came from, the purpose for which it is being processed, and how long it will be retained. This is not a one-time exercise. It is an ongoing obligation.
A proper data inventory, sometimes called a Record of Processing Activities, maps every application and process in the organization that touches personal data. It identifies the category of data, the source, the legal basis for processing, the third parties who have access, the data flows between systems, and the retention period. For most organizations, building this map for the first time reveals a significantly larger surface area than they expected.
The exercise typically uncovers three categories of problems.
The first is undocumented data collection, where applications are collecting data that the organization did not formally decide to collect and has no stated purpose for processing. The second is unreviewed third-party processors, where vendors are handling personal data under terms that were never evaluated against the organization’s compliance obligations. Under the DPDP Act, a data fiduciary remains accountable for how its data processors handle data, which means a vendor’s non-compliance is also your non-compliance. The third is retention problems, where data is being held long after the purpose for which it was collected has been served. The Act requires data to be erased once the specified purpose is no longer being served.
Why Organizations Consistently Underestimate Their Data Footprint
There are a few structural reasons why the gap between what organizations think they are collecting and what they are actually collecting tends to be large.
Business functions operate in silos. Marketing, HR, finance, operations, and customer support each have their own tool stacks, and nobody has a complete cross-functional view. Procurement processes do not always flag data privacy implications when approving new software. And the speed at which cloud-based tools can be adopted, often with a free tier that requires no formal procurement approval, means new data collection points appear faster than any centralized inventory can track them.
The DPDP Act does not provide a grace period for data you did not know you had. If a data principal exercises their right to access or erasure, the obligation applies to all data the organization holds, regardless of which system it sits in.
IndiSec helps organizations conduct structured data mapping exercises as the foundation of DPDP compliance, identifying every application, third party, and data flow that touches personal data across the business. The inventory is not just a compliance document. It is the only reliable basis for building a consent framework, a breach response plan, and a data retention policy that actually reflects what the organization is doing with personal data in practice.
The organizations that approach May 2027 with a complete and current data inventory will find the rest of their compliance work considerably more manageable. The ones that start from a blank page in 2027 will find out how much they did not know.