How to build a data inventory and mapping for an Ed-tech?

A Data Inventory is a clear record of the personal data an organisation collects and stores. Data Mapping explains how this data moves, where it is collected, where it is shared, and who can access or use it. Under the DPDP Act, a Data Fiduciary should be able to show this information to the Data Protection Board whenever required.

In the EdTech sector, this becomes more complex because data is collected from three connected groups: students (many of whom may be minors), parents, and teachers, through different platforms and systems at the same time.

Step 1 — Identify What Types of Data an EdTech Company Collects

Before tracking how data moves, an organisation must first understand what personal data it has. In an EdTech company, personal data is usually collected in the following categories:

Student Data

• Name, age, date of birth, class or grade
• Contact details such as email or phone number (often of the parent)
• Learning records, test results, and progress reports
• Activity data, such as time spent on the platform, videos watched, and usage patterns
• Device information like IP address, device ID, and browser type
• Payment details (if the student pays directly)
• Audio or video recordings from online classes

Parent/Guardian Data

• Name, phone number, and email address
• Payment and billing details
• Communication records, such as chats or support requests

Teacher/Tutor Data

• Name, contact information, and qualifications
• Bank account details for salary or payments
• Performance records and ratings
• Employment-related documents

Special Category — Children’s Data
Under the DPDP Act, students under 18 years of age are considered minors. This means EdTech companies have additional responsibilities and must obtain verifiable parental consent before collecting or using the child’s personal data.

Step 2 — Map Every Data Collection Point

An EdTech company should identify every place where personal data enters the organisation. A simple data collection map is shown below: 

Step 3 — Build the Data Inventory Register

A Data Inventory Register is a structured document (usually a spreadsheet or compliance tool) that records what personal data an organisation holds and how it is managed. A simple format is shown below:

 This register helps an organisation clearly understand what data it holds, why it is collected, who can access it, and how it is protected under the DPDP Act.

Step 4 — Map Third-Party Data Flows

EdTech companies often share personal data with many third-party service providers. Under the DPDP Act, these service providers act as Data Processors, but the Data Fiduciary (EdTech company) remains responsible for protecting the data.

A simple third-party data flow table is given below:

 For every third-party vendor, an organisation should check the following:

• Is there a Data Processing Agreement (DPA) in place?
  This ensures the vendor clearly understands its responsibilities for handling personal data.
• Where is the data stored?
  Check the location of the vendor’s servers, as storing data outside India may involve cross-border data transfer requirements.
• How secure is the vendor?
  Review the vendor’s privacy and security practices to ensure personal data is properly protected.
• Can the vendor delete data if consent is withdrawn?
  Make sure the vendor can remove a student’s data when a parent or student asks to withdraw consent.

Step 5 — Create a Data Flow Diagram

After completing the data inventory, the next step is to draw a data flow diagram. This diagram helps you understand how personal data moves through the organisation, from the time it is collected until it is stored, used, or shared. It makes data handling easier to understand for management, auditors, and regulators.

        For an EdTech company, the data flow may look like this:

In simple words: Personal data starts with the parent or student, gets collected through a registration form or app, is stored in the EdTech database, used by internal systems like LMS, CRM, and analytics tools, and may also be shared with external service providers. If data is transferred outside India, the organisation should check whether it complies with DPDP cross-border transfer requirements.

 Step 6 — Apply DPDP Requirements to the Data Map

After creating the data map, the next step is to check whether the organisation is following the requirements of the DPDP Act for each type of personal data collected.

1. Consent Management - Check whether proper consent practices are in place:

·        Is clear and valid consent taken before collecting or using personal data?

·        For students below 18 years, is parental consent being obtained?

·        Can users withdraw consent easily, just like they gave it?

·        Are consent records stored properly, including the date and time of consent?

 2. Purpose Limitation - Make sure personal data is used only for the reason it was collected.

·        Is the organisation using data only for the stated purpose?

·        Identify cases where data is used for a different purpose. For example, using student learning data for marketing analysis.

 3. Data Minimisation - Collect only the data that is actually needed.

·        Is unnecessary personal data being collected?

·        Common examples:

o   Asking for date of birth when only an age group is needed.

o   Asking for a full address when only the city is enough.

 4. Retention and Deletion - Decide how long personal data should be kept and when it should be deleted.

·        Set a retention period for every type of data.

·        Create a process to delete data when it is no longer needed, especially for minors who stop using the platform.

 5. Security - Protect personal data from misuse or unauthorised access.

·        Is sensitive information (such as payment details or children's data) encrypted during storage and transfer?

·        Who can access the data?

·        Is access properly recorded and monitored?

 Step 7 — Updating the data inventory regularly

A data inventory is not a one-time activity. It should be updated regularly to keep it accurate and compliant.

It needs to be updated when a new feature or service is introduced, new data is collected, a new third-party vendor is added or after a data breach or security incident.

Updating is required at least once every year as part of a privacy or compliance review.

In simple words: A data inventory should be treated as a living document that changes whenever the organisation changes how it collects, uses, or shares personal data.

In my view, for an EdTech platform, this is especially important because it handles data of students, parents, and teachers, including children’s data, which requires extra care under the DPDP Act. Without knowing how personal data moves through the organisation, it becomes difficult to manage consent, protect information, respond to deletion requests, or meet legal requirements.

An organisation cannot protect or comply with privacy laws for data it does not fully understand or track. A proper data inventory and mapping process helps build accountability, transparency, and better data protection practices.