Reviewed by CamComply
CCTV DPIA Template: A Plain-English Example for UK Small Businesses
A worked DPIA example for a UK SME with 4 cameras — written in plain English, not compliance jargon. Copy the structure, fill in your details, and you have a defensible DPIA.
You know you need a DPIA for your CCTV. You've read our step-by-step DPIA guide. Now you need an actual template to fill in — ideally one that doesn't read like it was written by a government department for a government department.
This is a complete, worked DPIA example based on a fictional UK retail business with 4 cameras. Copy the structure, replace the details with your own, and you have a DPIA that meets ICO expectations without the 40-page overhead.
Who This Template Is For
This template suits UK SMEs operating a straightforward CCTV system: between 1 and 10 cameras, standard HD recording, no facial recognition or AI analytics, no cross-border data transfers. That covers most independent shops, offices, warehouses, and small hospitality venues.
If your setup involves biometrics, automated decision-making, or cameras across multiple countries, you need a more detailed assessment — and likely professional advice.
The Template Structure
A defensible CCTV DPIA has 8 sections. The ICO doesn't prescribe a format, but its DPIA guidance specifies what the assessment must cover. This template hits every required element.
Worked Example: GreenLeaf Garden Supplies Ltd
This is a fictional business. Replace every detail with your own.
Section 1: Document Control
| Field | Detail |
|---|---|
| Organisation | GreenLeaf Garden Supplies Ltd |
| DPIA author | Sarah Chen, Director |
| Date completed | 15 January 2026 |
| Review date | 15 January 2027 (or sooner if system changes) |
| Version | 1.0 |
Why this matters: The ICO expects a named author, a date, and a review schedule. An undated, unsigned DPIA demonstrates that nobody took responsibility for the assessment.
Section 2: System Description
What we're assessing: A CCTV system installed at our retail premises at 14 Market Street, Bristol.
Camera inventory:
| Camera ID | Location | Area Covered | Purpose | Audio |
|---|---|---|---|---|
| CAM-01 | Front entrance (exterior) | Shop entrance and 2m of public pavement | Break-in deterrence and detection | Off |
| CAM-02 | Shop floor | Retail display area, till counter | Theft prevention | Off |
| CAM-03 | Stockroom | Internal stockroom, access corridor | Stock security, staff safety | Off |
| CAM-04 | Rear entrance (exterior) | Delivery bay and rear door | Delivery verification, security | Off |
Recording details:
- Recording hours: 24/7
- Resolution: 1080p
- Storage: On-site NVR (network video recorder), not cloud-based
- Retention period: 30 days for all cameras (automatic overwrite)
- Access: Two people — Sarah Chen (Director) and James Okafor (Shop Manager). Both have individual login credentials. No shared passwords.
Data sharing: Footage may be shared with police if an incident is reported. Otherwise, footage is not routinely shared with any third party, including the landlord.
Section 3: Lawful Basis
Lawful basis: Legitimate interests — UK GDPR Article 6(1)(f).
Legitimate interests assessment (summary):
- Our legitimate interest: Protecting staff, customers, and stock from theft and criminal damage. Deterring and detecting break-ins. Verifying deliveries.
- Is processing necessary to achieve this interest? Yes. Our premises were burgled in September 2024 and October 2024. Improved locks and lighting were installed but proved insufficient. CCTV is necessary as an additional deterrent and to provide evidence if incidents recur.
- Does it override the rights of individuals being filmed? No. Recording is limited to business premises and the minimum necessary external area. Cameras do not cover areas where people have a high expectation of privacy (toilets, break room). Signage is displayed at all entrances. Retention is limited to 30 days. The intrusion is proportionate to the security risk.
Section 4: Necessity and Proportionality
Could we achieve the same purpose without CCTV?
| Alternative Considered | Assessment |
|---|---|
| Better locks and alarms | Already installed after first burglary. Second burglary occurred despite these measures. Insufficient alone. |
| Security guard | Disproportionate cost for a small retail business (approximately £15–20/hour). Not viable for 24/7 coverage. |
| Improved lighting | Already installed. Effective as a complement to CCTV but not sufficient alone — lighting deters but does not provide evidence. |
| Restricted access controls | Implemented for stockroom. Does not address shop floor theft or external break-ins. |
Conclusion: CCTV is necessary. Alternative measures have been implemented alongside it, not instead of it.
Proportionality checks per camera:
- CAM-01 (front entrance): Covers the entrance and approximately 2 metres of public pavement. The pavement coverage is the minimum necessary to capture anyone approaching the door. The camera angle has been adjusted to exclude the neighbouring property and as much of the pavement as possible.
- CAM-02 (shop floor): Covers the retail area where theft occurs. Does not cover the customer toilet or any area where customers would have a heightened privacy expectation.
- CAM-03 (stockroom): Employee-access area. Staff have been informed about this camera and its purpose. It does not cover the break room (located in a separate room with no camera).
- CAM-04 (rear entrance): Covers the delivery bay. External coverage is limited to our own property boundary.
Section 5: Risk Assessment
| Risk | Who is Affected | Likelihood | Severity | Overall Rating |
|---|---|---|---|---|
| Footage accessed by unauthorised person | Employees, customers | Low (access limited to 2 named people with individual credentials) | Medium | Low |
| Footage kept longer than necessary | Employees, customers | Low (NVR configured for 30-day auto-overwrite, verified quarterly) | Low | Low |
| Camera captures areas beyond what's necessary (pavement, neighbouring property) | Members of public | Medium (CAM-01 captures some pavement) | Low | Low |
| Footage used for purpose other than stated (e.g., employee performance monitoring) | Employees | Low (policy prohibits this, staff informed) | High | Medium |
| Data breach — footage stolen or leaked | All recorded individuals | Low (NVR is not internet-connected, physical access restricted) | High | Medium |
| Subject access request not handled properly | Requesting individual | Medium (no formal SAR process before this DPIA) | Medium | Medium |
Section 6: Mitigation Measures
| Risk | Mitigation |
|---|---|
| Unauthorised access | Individual login credentials for each authorised person. Access log enabled on NVR. NVR located in locked office. No remote access configured. |
| Excessive retention | 30-day auto-overwrite configured. Verified quarterly by checking oldest available footage date. |
| Excessive coverage (CAM-01 pavement) | Camera angle adjusted to minimum viable pavement coverage. Privacy masking applied to neighbouring property window visible in the frame. |
| Misuse of footage | Written CCTV policy prohibits use for purposes other than those stated. Employees informed of this restriction. |
| Data breach | NVR is air-gapped (no internet connection). Located in locked office. Only 2 keyholders. No cloud backup. |
| DSAR handling | DSAR process documented (see company DSAR procedure). Named responsible person: Sarah Chen. Response deadline: one calendar month from valid request. |
Section 7: Consultation
Employees: All 3 employees were informed about the planned CCTV installation on 5 December 2025 in a team meeting. The camera locations, purposes, and their rights were explained. Minutes of the meeting were recorded. One employee asked whether the stockroom camera was necessary — we explained the stock loss history and confirmed the break room would not be covered. No objections were raised.
Customers and visitors: Signage at all entrances informs people before they enter the surveilled area. The full CCTV policy is available on request and on our website.
Data Protection Officer: Not applicable — we are not required to appoint a DPO under UK GDPR Article 37 (we are not a public authority, and surveillance is not our core activity at the scale that would require one).
Section 8: Outcome and Sign-off
Assessment outcome: Risks are acceptable. Standard mitigation measures are in place and proportionate to the identified risks. No residual high risks require ICO consultation under UK GDPR Article 36.
Conditions for proceeding:
- All signage installed before cameras are activated
- Employee notification completed (done 5 December 2025)
- CCTV policy finalised and published on website
- DSAR process document created and accessible to authorised staff
- Quarterly review of camera angles and retention configuration
Signed: Sarah Chen, Director, GreenLeaf Garden Supplies Ltd
Date: 15 January 2026
Next review: 15 January 2027
How to Adapt This Template
Step 1: Replace every detail — company name, camera locations, purposes, staff names. Do not leave the fictional details in place.
Step 2: Add or remove cameras from the inventory table. If you have 8 cameras, add 4 more rows. If you have 1, remove 3.
Step 3: Write your own necessity assessment. The alternatives table is the most important part — the ICO wants to see that you considered options other than CCTV. If you didn't consider alternatives, do so now and document why CCTV was necessary.
Step 4: Complete the risk assessment honestly. If your NVR is connected to the internet for remote viewing, the data breach risk is higher than in this example — document that and describe your security measures (VPN, encryption, access controls).
Step 5: Record your consultation. If you didn't consult employees before installing cameras, note that and plan a consultation now. The DPIA should reflect reality, not aspiration.
Common Mistakes When Using DPIA Templates
Copying without customising. The ICO looks for evidence of genuine assessment. A DPIA that uses identical wording to a template — including camera locations and purposes that don't match your actual setup — demonstrates that you ticked a box rather than assessed your risks.
Listing risks without mitigations. Every risk in your assessment needs a corresponding mitigation. "Risk: unauthorised access" with no description of access controls is incomplete.
Forgetting audio. If any of your cameras have microphones (many modern IP cameras do, with the microphone enabled by default), your DPIA must address audio recording separately. Audio is significantly more intrusive than video and requires stronger justification.
No review date. A DPIA without a review date suggests it's a one-off document. Set an annual review date and bring it forward if you add cameras, change purposes, or upgrade technology.
Not cross-referencing your policy. Your DPIA and your CCTV data protection policy must be consistent. If the DPIA says 30-day retention but your policy says 60 days, that inconsistency is a compliance failure. Check both documents together.
What Happens After You Complete the DPIA
Your DPIA is a living document, not a filing exercise. After completion:
- Store it accessibly — you need to be able to produce it if the ICO asks
- Review annually — or sooner if cameras, purposes, or technology change
- Reference it in your CCTV policy — your policy should state that a DPIA has been completed and is available on request
- Update your camera register — the system description in your DPIA should match your register exactly
For a broader picture of your compliance position, run through our free compliance checker. For the step-by-step process behind each section of this DPIA, read our CCTV DPIA guide. For the full regulatory context, see the UK CCTV regulations guide.
This template covers DPIA requirements under UK GDPR Article 35 as of March 2026. The example is fictional and intended as a structural guide — your DPIA must reflect your actual system, risks, and circumstances. This is not legal advice.
Last reviewed: 11 March 2026