Compliance Guide

DPDP Compliance for Freight Forwarders

Freight forwarders handle massive amounts of personal data, from KYC documents to consignee details. Learn how to comply with India's DPDP Act 2023.

If you run a freight forwarding business, you’re used to dealing with complex paperwork: bills of lading, packing lists, and customs declarations. But there is a new piece of “cargo” you need to handle with extreme care—Personal Data.

Under India’s new Digital Personal Data Protection (DPDP) Act, 2023, your business is likely a Data Fiduciary. This is a legal term that simply means you are the “boss” of the data you collect. You decide why you need a customer’s Aadhaar card and how it’s going to be used. Because you hold this power, the law holds you responsible if that data is leaked or misused.

And the stakes are high. If you fail to protect this data, the government can slap you with a penalty of up to ₹250 Crore. That’s enough to sink even the largest logistics giants.

In this guide, we’ll break down exactly what you need to do to keep your freight business on the right side of the law.

What Data Are You Actually Holding?

Before we dive into the rules, let’s look at the “cargo” in your digital warehouse. As a freight forwarder, you collect data from individual shippers, consignees (the people receiving the goods), and even your own employees.

Data Type | Examples | DPDP Risk Level
KYC Documents | Aadhaar, PAN, Passports of individual shippers | Very High
Consignee Details | Name, home address, phone number, email | High
Financial Info | Bank account details for refunds or payments | High
Employee Data | Salary info, home address, emergency contacts | Medium
Tracking Data | Geolocation of a driver or a specific delivery | Low/Medium
CCTV Footage | Recordings from your warehouse or office | Medium

In the old days, we just took a copy of a customer’s ID and filed it away. Under DPDP, you can’t do that anymore without a “Notice” and “Consent.”

Consent is essentially the individual (the Data Principal) saying, “Yes, you can use my info for this specific reason.”

The Practical Shift: Imagine you are handling a household relocation for an NRI moving from Dubai to Mumbai. You need their passport copy for customs clearance.

  • You must provide a Notice (even a simple one on WhatsApp or email) explaining that you are collecting their passport purely for customs filing.
  • You must give them the option to withdraw this consent later (though they should know that might stop the shipment!).
  • You cannot use that same phone number to start sending them marketing SMS about your new “Express Courier” service unless they specifically agreed to marketing too.

For a deeper look at how to structure these notices, check out our guide on DPDP consent forms.

2. Data Access Controls: Who Has the Keys?

In a busy shipping office, it’s common to have a shared folder where everyone drops KYC documents. This is a massive DPDP risk.

Data Access Control means ensuring that only the people who need to see the data can actually see it.

The Practical Shift:

  • The “Need to Know” Rule: Your warehouse loading crew needs to know the consignee’s address to stick a label on a box. They do not need to see the shipper’s PAN card or bank details.
  • Digital Locks: Move away from “Shared Folders” with no passwords. Use software where you can set permissions.
  • Physical Security: If you still keep paper files of customs documents, they must be in a locked cabinet. You’d be surprised how many DPDP issues start with a cleaning crew finding a stack of Aadhaar copies in a bin.

3. Third-Party Sharing: The Logistics Ecosystem

Freight forwarding never happens in a vacuum. You share data with a dozen different parties: Customs House Agents (CHAs), shipping lines, airlines, transporters, and overseas agents.

Under the law, these people are often Data Processors. They handle the data on your behalf. If they leak it, you could still be held responsible if you didn’t have a proper contract in place.

The Practical Shift:

  • Update Your Vendor Agreements: You need a simple “Data Processing Agreement” (DPA) with your CHAs and local delivery partners. It should say: “I am giving you this customer data only for this shipment. You must protect it and delete it when the job is done.”
  • International Transfers: If you are sending data to an agent in Europe or the US, ensure they have basic security measures. The Indian government will eventually release a “restricted list” of countries where you can’t send data, but for now, focus on your contracts.

See how other logistics companies are handling these vendor shifts in our DPDP industry analysis.

4. Data Retention: Stop Hoarding Files

Logistics people love records. We keep files “just in case” a dispute arises five years later. However, DPDP says you must delete personal data once the “purpose is fulfilled.”

The Practical Shift: This is tricky because the Customs Act might require you to keep records for several years.

  • The Rule of Thumb: If a law (like Customs or Tax law) tells you to keep it, keep it. But if you are keeping a customer’s home address and phone number for 10 years “just for marketing,” that is a violation.
  • Data Scrubbing: Once a shipment is closed and the legal retention period ends, delete the digital files. If you use a CRM, set an auto-delete or auto-archive rule for sensitive attachments like IDs.

A Real-World Scenario: The WhatsApp Leak

Imagine you run a medium-sized freight firm. Your operations executive sends a PDF containing the KYC documents of 50 different clients to a transporter via WhatsApp. The transporter’s phone is stolen, and those IDs end up on the dark web.

Under DPDP, those 50 clients could complain to the Data Protection Board. Because you didn’t have a policy forbidding the sharing of unencrypted sensitive data over personal WhatsApp, your company could face those heavy fines.

It’s not just about hackers in hoodies; it’s about how your staff handles data every day. You might want to read our industry guide for logistics to see specific training tips for your team.

5. Managing Data Principals’ Rights

The law gives your customers new “superpowers.” They can ask you:

  1. “What data do you have about me?”
  2. “Please correct my wrong address in your system.”
  3. “Please delete my data now that my cargo is delivered.”

You need a way to answer these questions within a reasonable timeframe. If you ignore a customer’s request to see their data, they can report you.

Quick Actions to Start This Week

You don’t need to fix everything today, but you do need to start. Here are 6 things you can do right now:

  1. Map Your Data: Spend one hour writing down everywhere you store personal data (Excel sheets, WhatsApp, physical files, Gmail).
  2. Clean Your “Front Door”: Update your website’s contact form and your offline booking forms to include a small “Privacy Notice” checkbox.
  3. Audit Your CHAs: Send a simple email to your Customs House Agents asking them what security measures they have in place for the KYC docs you send them.
  4. Create a “No-ID-on-WhatsApp” Policy: Tell your staff to use official company portals or encrypted email for sensitive documents instead of personal messaging apps.
  5. Appoint a Privacy Point Person: Even if it’s your HR manager or a senior ops person, someone needs to “own” the DPDP checklist.
  6. Set a Deletion Date: Look at your digital archives. If you have KYC documents from 2018 that you no longer legally need, hit the delete button.

Compliance isn’t about being perfect; it’s about being “reasonably” secure and showing the government that you’ve made an honest effort to protect your customers’ privacy. Start small, but start now.
