
Reviewed by CamComply

CCTV Risk Assessment: A UK Template and Step-by-Step Guide

A CCTV risk assessment shows you've thought through the privacy impact of your cameras. Here's a free UK template, the difference from a formal DPIA, and how to complete it.

A "CCTV risk assessment" means different things to different people. Some mean a health-and-safety assessment (cabling, ladders, working at height). Others mean a privacy assessment — proving you've weighed the impact of your cameras on the people they record. This guide is about the second kind: the data-protection risk assessment that UK law expects from CCTV operators, and which often needs to become a formal Data Protection Impact Assessment.

Below is a free template you can copy, plus a clear explanation of when a basic risk assessment is enough and when the law requires the full DPIA.

Risk Assessment vs. DPIA — Know Which One You Need

This distinction matters because getting it wrong is a compliance gap.

A data protection risk assessment is the general exercise of thinking through what could go wrong with your processing and how serious it would be. It's good practice for any data processing.

A Data Protection Impact Assessment (DPIA) is a specific, legally-defined process required by Article 35 of the UK GDPR when processing is "likely to result in a high risk to the rights and freedoms" of individuals. It has a prescribed structure and must be documented.

Here's the key point: Article 35(3)(c) of the UK GDPR specifically names "systematic monitoring of a publicly accessible area on a large scale" as processing that requires a DPIA, and the ICO treats CCTV that captures a public area as falling within this. So for most commercial CCTV pointed at areas the public can access, a basic risk assessment is not enough; you should treat a DPIA as required.

The honest answer: If your cameras monitor an area the public can access (a shop floor, a car park, a forecourt, a reception), assume you need a full DPIA, not just a risk assessment. The template below works as the risk-analysis core of that DPIA.

A simple risk assessment may suffice only for genuinely low-risk, limited cases — for example, a single camera covering a private internal stockroom that no member of the public ever enters. Even then, documenting your reasoning is wise.

The CCTV Risk Assessment Template

Copy this into a document and complete each section. Where your processing is high-risk (most public-facing CCTV), expand it into the full DPIA structure linked at the end.

1. Describe the processing

  • What cameras do you operate, and where?
  • What do they capture (people, vehicles, audio)?
  • Who are the people affected (customers, staff, passers-by)?
  • How long is footage kept, and who can access it?

2. Identify the purpose and lawful basis

  • Why do you operate CCTV? State the specific aim (theft prevention, staff safety, etc.).
  • What is your lawful basis under UK GDPR Article 6? For business CCTV this is usually legitimate interests — which itself requires a balancing test (your interest vs. the individual's privacy).

3. Assess necessity and proportionality

  • Is CCTV genuinely necessary, or could a less intrusive measure achieve the same aim?
  • Are the cameras positioned to capture only what's needed, or do they over-capture (neighbouring property, public pavement, audio)?
  • Is the retention period justified, or is it "whatever the recorder defaults to"?

4. Identify and rate the risks

For each risk, note the likelihood and the severity of harm:

| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Footage accessed by unauthorised staff | | | Access controls, named viewers, log book |
| Camera captures neighbouring property | | | Reposition, mask, or use privacy zones |
| Footage kept longer than needed | | | Defined retention period + auto-deletion |
| People not informed they're recorded | | | Compliant signage at every entrance |
| Footage lost or stolen (insecure storage) | | | Encryption, secure storage, restricted access |
| Unable to handle a subject access request | | | Documented DSAR process |

5. Record mitigations and residual risk

  • What controls reduce each risk?
  • What risk remains after mitigation, and is it acceptable?
  • If high residual risk can't be reduced, the ICO may need to be consulted before you proceed (Article 36).

6. Sign off and review

  • Who approved the assessment, and when?
  • When will it be reviewed? (At minimum annually, and whenever you add or move cameras.)

Common Mistakes This Assessment Catches

  • Over-capture. The single most frequent issue — cameras pointed at the street or a neighbour's garden. The proportionality section forces you to confront it.
  • No lawful basis recorded. Many businesses have never written down why their CCTV is lawful. "Legitimate interests" requires an actual balancing test.
  • Default retention. Recorders ship with a retention setting nobody chose. The assessment makes you justify the period.
  • Audio recording by default. Many cameras record sound; audio is far more intrusive and rarely justified. If you don't need it, turn it off.

Practical Steps

  1. Complete the template above for your current setup — be honest about over-capture and retention.
  2. Decide: risk assessment or full DPIA? If any camera covers a publicly accessible area, treat it as a DPIA.
  3. Fix what the assessment surfaces — reposition cameras, set retention, add signage, restrict access.
  4. Review annually and whenever your camera setup changes.
  5. Check your overall compliance with our free CCTV compliance checker.

For the full Article 35 DPIA process (which most business CCTV needs), read our CCTV DPIA guide and see a worked DPIA template example. For the legal framework overall, see the UK CCTV regulations guide.

This guide explains data protection risk assessments and DPIAs for CCTV under the UK GDPR, current as of June 2026. This is not legal advice.


Last reviewed: 25 June 2026
