Reviewed by CamComply
CCTV DPIA: Do You Need One? A Step-by-Step Guide for UK Businesses
When a DPIA is required for CCTV, what it must cover, and how to complete one step by step — written for UK SME owners, not compliance professionals.
You've installed CCTV. Someone — an installer, an article, a worried business partner — has mentioned you need a "DPIA." You've looked it up, found a 40-page government template designed for public sector organisations, and closed the tab.
A Data Protection Impact Assessment sounds complicated. For CCTV in a small business, it doesn't have to be. This guide walks you through what a DPIA is, when you're legally required to do one, and how to complete it step by step.
What a DPIA Actually Is
A DPIA is a structured assessment of how your data processing — in this case, your CCTV system — affects people's privacy. It forces you to document three things:
- Why you're recording (the purpose and lawful basis)
- Whether recording is necessary and proportionate (could you achieve the same aim with less surveillance?)
- What risks the recording creates for the people being filmed, and how you're reducing those risks
It's required under UK GDPR Article 35 whenever processing is "likely to result in a high risk" to individuals.
Do You Need a DPIA for Your CCTV?
Almost certainly yes. The ICO's guidance on video surveillance states that a DPIA is required for most surveillance deployments because they are "likely to result in a high risk" to individuals.
A DPIA is mandatory when your CCTV involves any of these:
- Systematic monitoring of publicly accessible areas (shop floors, car parks, building entrances)
- Workplace monitoring of employees
- Recording in areas where people have a higher expectation of privacy
- Use of new technology (facial recognition, ANPR, AI-powered analytics)
- Large-scale processing (multiple cameras across multiple sites)
In practice: If you have cameras pointing at anywhere other than a locked server room that only you enter, you need a DPIA.
When you might not need one: A single camera covering your own private office that only you use, with no employee or public access. This is rare in business settings.
When to Complete the DPIA
Before you switch the cameras on — not after. The legal requirement is to assess impact before processing begins. If your cameras are already running and you haven't done a DPIA, complete one now. A retrospective DPIA is better than none, though technically you've been non-compliant since the cameras started recording.
You also need to review and update your DPIA when:
- You add or move cameras
- You change the purpose of recording (e.g., from security to employee monitoring)
- You upgrade to cameras with new capabilities (audio, analytics, higher resolution)
- Relevant legislation or ICO guidance changes
Step-by-Step: How to Complete a CCTV DPIA
Step 1: Describe the processing
Document what your CCTV system actually does:
- Number of cameras and their locations (building, floor, specific area)
- What each camera covers — external entrances, shop floor, warehouse, office, car park
- Whether audio is recorded (many IP cameras have a built-in microphone, and some ship with audio recording switched on; check the camera and NVR settings rather than assuming)
- Recording hours — 24/7 or business hours only
- How footage is stored — on-site DVR/NVR, cloud, or both
- Retention period — how long footage is kept before deletion
- Who has access to live and recorded footage
- Whether footage is shared with anyone (police, insurance, landlord)
Be specific. "We have cameras for security" is not a description — it's a vague statement. "We have 6 cameras covering 2 shop entrances, the till area, the stockroom, the rear delivery entrance, and the car park. Footage is recorded 24/7 to an on-site NVR and retained for 30 days" is a description.
Step 2: Assess necessity and proportionality
For each camera, answer:
- What is the specific purpose? Security against break-ins, theft prevention, staff safety, insurance requirement — be precise
- Is CCTV necessary to achieve this purpose? Could you achieve it with better locks, lighting, access controls, or staffing?
- Is the coverage proportionate? A camera covering the entire shop floor to prevent till theft is disproportionate — a camera covering the till area is proportionate
This is where businesses most often fail. The ICO doesn't object to CCTV in principle — it objects to cameras that record more than necessary, for longer than necessary, with access wider than necessary.
The proportionality test in practice:
- Camera in the stockroom to prevent employee theft? Likely proportionate — if documented and employees are informed
- Camera in the staff break room? Almost never proportionate — high privacy expectation, minimal security benefit
- Camera covering the public pavement outside your shop? Only proportionate if you can demonstrate a specific security need and you've minimised the field of view
Step 3: Identify and assess risks
For each group of people your cameras capture, document:
Employees:
- Risk of excessive workplace monitoring
- Impact on behaviour and wellbeing
- Risk of footage being used for performance management beyond the stated purpose
Customers and visitors:
- Risk of capturing sensitive information (e.g., medical conditions visible, religious dress)
- Risk of inappropriate access to footage
- Impact if footage is breached or leaked
Members of the public (if cameras cover any external areas):
- Risk of recording people who have no relationship with your business
- Disproportionate surveillance of public spaces
For each risk, assess both how likely it is and how serious the impact would be if it happened.
Step 4: Document your mitigation measures
For every risk identified in step 3, describe what you've done to reduce it:
- Access controls: Who can view footage? Does each person have their own NVR account with a strong, non-default password (a shared login makes access logs meaningless)? Are access logs maintained and reviewed?
- Retention limits: Footage deleted automatically after the retention period? Our retention calculator helps define appropriate periods
- Signage: Compliant signs at every entrance to the surveilled area — see our signage guide
- Policy: A written CCTV policy available to anyone who asks — generate one with our policy generator
- Field of view: Cameras adjusted to capture only necessary areas, not adjacent properties or public spaces beyond what's needed
- Audio disabled: Microphones switched off unless specifically justified
- Employee notification: Staff informed about cameras, their purpose, and their rights before cameras were installed
- DSAR process: A documented process for handling footage requests — see our subject access request guide
Step 5: Record the outcome
Your DPIA should conclude with one of three outcomes:
- Risks are acceptable — your mitigation measures reduce risks to a level that's proportionate to the purpose. Proceed with recording.
- Risks need further mitigation — additional measures are needed before recording is justified. Document what changes are required and implement them.
- Residual high risk remains — even after mitigation, the processing presents a high risk you cannot reduce. In this case, UK GDPR Article 36 requires you to consult the ICO before proceeding.
For most SME CCTV setups with standard cameras, proportionate coverage, and reasonable retention periods, the outcome will be option 1 — risks acceptable with standard mitigation measures in place.
Quick Example: One-Camera vs Six-Camera DPIA
Scenario A — single camera, front entrance: One HD camera covering the shop entrance for break-in detection. Records 24/7, 30-day retention, overwritten automatically. Access limited to the business owner. No audio. Signage displayed at the entrance. DPIA outcome: low risk — standard mitigation measures (signage, retention limit, restricted access) are sufficient. One-page DPIA is adequate.
Scenario B — six cameras, mixed areas: Two cameras covering the shop floor (theft prevention), one at the till (cash handling), one in the stockroom (employee-access area), one at the rear entrance, one covering the car park. Different retention periods per purpose (14–30 days). Three staff members have DVR access. DPIA outcome: moderate risk — the stockroom camera requires specific justification (employee monitoring), the car park camera may capture public pavement (proportionality review needed), and access controls must be documented per user. Three-to-five page DPIA with per-camera assessments.
The difference isn't the number of pages — it's the depth of your proportionality and risk analysis for each camera.
What Your DPIA Document Should Include
You don't need a 40-page report. A clear document covering these sections is sufficient:
- Date and author — who completed the DPIA and when
- System description — step 1 above
- Lawful basis — typically legitimate interests under UK GDPR Article 6(1)(f), with a supporting legitimate interests assessment
- Necessity and proportionality — step 2 above
- Risks identified — step 3 above
- Mitigation measures — step 4 above
- Consultation — who was consulted (employees, data protection officer if you have one, any other stakeholders)
- Outcome and sign-off — step 5, signed by a decision-maker
Consultation matters. The ICO expects you to seek the views of people who will be filmed, or their representatives. For employees, this means informing them about the planned CCTV, explaining why, and giving them an opportunity to raise concerns before cameras go live. You don't need unanimous consent — but you need evidence that you asked.
Common DPIA Mistakes
Writing it after the cameras are installed. The legal requirement is to assess impact before processing begins. Retrospective DPIAs are better than nothing but demonstrate non-compliance from the start.
Treating it as a one-off. A DPIA is a living document. Review it annually and update it when anything changes — cameras added, purposes changed, technology upgraded.
Copying a template without customising it. Generic DPIAs that don't reflect your specific cameras, locations, and purposes are worthless. The ICO looks for evidence that you assessed your actual system, not that you ticked boxes on a downloaded form.
Skipping consultation. "We didn't ask employees because we knew they'd object" is not a valid reason. Document the consultation even if the outcome is that concerns were noted but you proceeded with modified plans.
Ignoring audio recording. If your cameras have microphones (many IP cameras have one built in, and some record audio unless it is switched off), your DPIA must address audio recording separately. Recording conversations is significantly more intrusive than video alone and harder to justify.
How a DPIA Connects to Your Other Compliance Obligations
Your DPIA doesn't exist in isolation. It connects directly to:
- Your CCTV policy — the policy should reference the DPIA, and the DPIA should reference the policy
- Your camera register — the system description in the DPIA should match your camera register
- Your retention schedule — retention periods in the DPIA should match what's actually configured on your DVR/NVR
- Your signage — signs should reference the purposes documented in the DPIA
If these documents contradict each other — your DPIA says 30-day retention but your NVR is set to 90 days, for example — that inconsistency is a compliance failure in itself.
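The retention and access mismatches above are easy to miss when the DPIA is a document and the NVR settings live in a web console. The following added example (not from the original page) shows one way to reconcile the two: a small Python script that compares a per-camera register of what the DPIA says against an export of what the NVR is actually configured to do, and lists every discrepancy. The camera IDs, field names and the export format are assumptions for illustration; the sample data is constructed, and real NVRs export their configuration in vendor-specific formats that you would parse into the same shape.

```python
"""Reconcile a CCTV DPIA / camera register against the live NVR configuration.

Added example, not the page's own material. The register and NVR export below are
constructed sample data in a hypothetical dict format; camera IDs, field names and
account names are assumptions, not any vendor's real export schema.
"""
from typing import Dict, List, Set

Camera = Dict[str, object]

# Constructed sample: what the DPIA (step 1) and camera register document per camera.
DPIA_REGISTER: Dict[str, Camera] = {
    "cam-01": {"location": "front entrance", "retention_days": 30, "audio": False},
    "cam-02": {"location": "till area", "retention_days": 30, "audio": False},
    "cam-03": {"location": "stockroom", "retention_days": 14, "audio": False},
}

# Constructed sample: what the NVR is actually set to, as if parsed from its config export.
NVR_CONFIG: Dict[str, Camera] = {
    "cam-01": {"retention_days": 90, "audio": False},   # retention drifted to 90 days
    "cam-02": {"retention_days": 30, "audio": True},    # microphone left enabled
    "cam-03": {"retention_days": 14, "audio": False},   # matches the DPIA
    "cam-04": {"retention_days": 30, "audio": False},   # camera never added to the DPIA
}

# Named accounts the DPIA says may view footage, versus accounts that exist on the NVR.
DPIA_ACCESS: Set[str] = {"owner", "manager"}
NVR_ACCOUNTS: Set[str] = {"owner", "manager", "admin"}


def reconcile(register: Dict[str, Camera], nvr: Dict[str, Camera],
              dpia_access: Set[str], nvr_accounts: Set[str]) -> List[str]:
    """Return one human-readable finding per mismatch; an empty list means the
    DPIA, camera register and NVR agree."""
    findings: List[str] = []

    # 1. Every camera the DPIA describes must exist and match on retention and audio.
    for cam_id, doc in register.items():
        live = nvr.get(cam_id)
        if live is None:
            findings.append(f"{cam_id}: described in the DPIA but not configured on the NVR")
            continue
        if live["retention_days"] != doc["retention_days"]:
            findings.append(
                f"{cam_id}: DPIA says {doc['retention_days']}-day retention, "
                f"NVR is set to {live['retention_days']} days"
            )
        if live["audio"] and not doc["audio"]:
            findings.append(f"{cam_id}: NVR has audio recording enabled but the DPIA says audio is off")

    # 2. Every camera recording on the NVR must be covered by the DPIA.
    for cam_id in nvr:
        if cam_id not in register:
            findings.append(f"{cam_id}: recording on the NVR but not described in the DPIA")

    # 3. Every NVR account must be an access route the DPIA documents.
    for account in sorted(nvr_accounts - dpia_access):
        findings.append(f"account '{account}': has NVR access but is not listed in the DPIA")

    return findings


if __name__ == "__main__":
    for finding in reconcile(DPIA_REGISTER, NVR_CONFIG, DPIA_ACCESS, NVR_ACCOUNTS):
        print(finding)
```

Run it whenever a camera is added or moved or the NVR is reconfigured, and attach the (ideally empty) output to the DPIA review. The account check is there because an NVR account that the DPIA does not mention is exactly the "access wider than necessary" the ICO objects to, and a default `admin` login that nobody owns is also the account most likely to still have a default password.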
Check your overall compliance position with our free compliance checker, and read the full CCTV regulations guide for the complete picture of UK CCTV obligations.
This guide covers DPIA requirements for CCTV under UK GDPR Article 35 as of March 2026. It is not legal advice. If your DPIA identifies high residual risk or involves complex processing (facial recognition, AI analytics, cross-border transfers), consult a qualified data protection professional.
Last reviewed: 11 March 2026