Blog · 8 min read

LGPD compliance checklist for carriers

Tracking people means processing personal data. The law already knows this — your operation needs to know it too.
By · published on

Every carrier thinks it doesn't handle sensitive personal data — until it looks at its own tracking dashboard. Each dot on the map is the real-time location of an individual. Each driver has a driver's license, tax ID, working hours, telemetry biometrics and, quite often, health data from toxicology testing. Each shipper customer hands over contacts, addresses and, in the last mile, the name and phone number of the final recipient. The LGPD made no exception for the sector: it applies end to end across your chain.

This is an actionable checklist — not a summary of the law. It covers the six points an operations director needs to resolve: map where personal data lives, justify each processing activity with a legal basis, assess risk where the risk is high (tracking falls here), define retention, lock down technical security and have a response plan for when something leaks. Privacy by design, not by patch.

Why a carrier is a sensitive LGPD case

The sector concentrates precisely the categories the ANPD watches most closely. It's worth understanding what you already process, even without realizing it:

Add to this the fact that this data doesn't sit still: it moves between the telemetry equipment, the TMS (RODOPAR), the ERP (SAP, TOTVS, Sankhya, Omie) and spreadsheets along the way. Each hop is a point where compliance can break.

1Mapwhere the data lives2Legal basisfor each processing activity3DPIAwhere the risk is high4Securitytechnical and organizational5Rightsof the data subject
The five-step checklist: map the personal data, define the legal basis, assess risk (DPIA), apply security and guarantee the data subject's rights.

1. Map where personal data lives

You can't protect what you can't see. The first item — and the one most companies skip — is the personal data inventory (the ROPA, the record of processing activities). For each flow, answer:

In practice, the blind spot is almost always the integration: the data that leaves SASCAR and lands in RODOPAR through a script nobody documented, or the BI report someone exports to WhatsApp. Mapping is also the moment to eliminate what doesn't need to exist — the spreadsheet along the way is, at once, an operational risk and an LGPD risk.

2. Define the legal basis for each processing activity

Every processing activity needs a legal basis among the ten in Article 7. The common mistake is to rest everything on consent — which is fragile, revocable and, in the context of an employment relationship, legally questionable. For a carrier, the bases that actually sustain the operation are usually:

Sensitive health data (toxicology, occupational health certificate) has its own set of rules and, as a rule, cannot rest on legitimate interest. Mapping the correct basis for each flow is what separates a solid defense from a fine.

3. Run a DPIA where the risk is high

The Data Protection Impact Assessment (DPIA / RIPD) is your written risk assessment. It isn't required for everything — it's required (and strongly recommended) when the processing is high-risk. In a carrier, this lights up for:

A good DPIA describes the processing, assesses necessity and proportionality, lists the risks to the data subject and — most importantly — records the mitigation measures. It's the document the ANPD asks for first in an audit. Having it ready before the incident is worth more than any pretty policy in the website footer.

4. Establish a retention and disposal policy

Personal data is not a dead archive: keeping it beyond its purpose is, in itself, a violation. The principle is necessity — keep it for as long as needed, then delete or anonymize. Define a clear period per category:

Ideally, disposal is automatic, executed by the system itself — from collection to disposal, without depending on someone remembering to delete a spreadsheet. Keeping data "just in case" is exactly the opposite of privacy by design.

5. Lock down technical security

The LGPD requires technical and administrative measures "capable of protecting" the data. Translated to the operation:

This is where security and data governance meet — and where a pentest reveals what a policy on paper can't see.

6. Have an incident response plan

A leak isn't a remote hypothesis; it's a matter of when. The LGPD requires you to notify the ANPD and the data subjects within a reasonable time when the incident may create relevant risk. Without a plan, the company improvises at the worst moment. The minimum:

The six items support each other: mapping feeds the DPIA, security protects what was mapped, and the response plan only works if you know what you have. It's a system, not a loose list of tasks.

How Meta Dados handles this in practice

A carrier's compliance almost always stalls at the same point: the personal data is scattered across the tracker, TMS, ERP and spreadsheets, and no one has the full map. It's exactly the terrain where we combine two fronts — integration engineering and cybersecurity.

Our security method is born of scientific training (USP Doctorate, ITA Engineering) and the Israeli school of offensive cybersecurity (Ben-Gurion): we test the operation the way an attacker would, before they test it for you. On the data front, we do the mapping (ROPA), the legal basis definition, the DPIA for high-risk flows, the retention policy with automated disposal and the technical hardening of the integrations — including the end of spreadsheets along the way. Privacy by design, not by patch.

It starts with a free assessment in 48 hours: we look at your real personal data flows and point out where the concrete risk lies — no vague promises, with evidence that leadership understands.

Frequently asked questions

Does a carrier really need to comply with the LGPD?

Yes, and it's among the most exposed sectors. Tracking is geolocation of individuals, and driver data includes sensitive health information (toxicology test, occupational health certificate). The LGPD applies from the shipper to the final recipient, with no sector exception.

Is driver tracking considered personal data under the LGPD?

Yes. The continuous location of an identified person is personal data, and the movement history reveals patterns of life. Because it's systematic monitoring, it usually requires a legitimate-interest legal basis with a documented balancing test and, in many cases, a DPIA.

Can I use legitimate interest to track my fleet?

Generally yes, for asset security and cargo theft prevention. But legitimate interest isn't automatic: it requires a written balancing test (LIA) showing that the purpose doesn't override the driver's rights, along with transparency about the monitoring.

How long can I keep the tracking history?

Only for as long as necessary for the purpose and any legal obligations. There's no single period in the law — you define it per category and document it. Once the period has passed, the recommendation is to anonymize or aggregate the location history, rather than keeping it identified just in case.

What is a DPIA and is a carrier required to do one?

A DPIA (or RIPD) is the impact report that assesses the risk of a processing activity and records the mitigation measures. It's strongly recommended and frequently required for high-risk processing — such as the continuous monitoring of drivers and the processing of health data. It's the first document the ANPD asks for in an audit.

How long does it take to bring a carrier into LGPD compliance?

It depends on maturity and the number of integrated systems, but the initial assessment is ready in 48 hours and shows where the concrete risks are. Compliance is usually phased — starting with the mapping and the highest-risk flows — without stopping the operation.

Start at no cost

Get your LGPD assessment for carriers in 48h

We map your current systems, point out the biggest bottlenecks and deliver a plan prioritized by risk × effort. You leave with clarity — whether you hire Meta Dados or not.

Get my diagnostic → Chat on WhatsApp No commitment, no credit card.
We reply within 2 business hours.
←  Voltar para Blog