Any database, application, or system that stores personal data and serves as an authoritative source for that data.
A system of records is any application, database, file system, or platform that stores personal data and serves as a primary or authoritative source for that data within the organisation. Under DPDPA, each system of records must be inventoried, its security assessed, and its role in the data lifecycle documented. Systems of records include: CRM platforms, HR information systems, payment databases, customer support tools, marketing automation platforms, and any third-party SaaS that stores personal data on your behalf.
Identifying all systems of records is essential for: responding to access requests (you must search all systems), implementing erasure (you must delete from all systems), and conducting breach assessments (you must identify all affected systems). Missing even one system means incomplete compliance.
A Hyderabad startup inventories 12 systems of records: PostgreSQL (core), Redis (sessions), Elasticsearch (search index), Freshdesk (support tickets), HubSpot (CRM), Razorpay (payments), Google Workspace (emails), Slack (internal), GitHub (code reviews mentioning customers), AWS S3 (uploads), Mixpanel (analytics), and Notion (customer notes).
Systems of records are not just databases. Slack channels, Google Drive folders, email inboxes, and even spreadsheets containing personal data are systems of records that must be inventoried and governed.