DPIAs for CCTV cameras

DPIAs for CCTV cameras: UK public authorities, duties and space

This article outlines the Data Protection Impact Assessment (DPIA) requirements regarding CCTV cameras by drawing on the DPIA template issued by the UK Surveillance Camera Commissioner (SCC) on 22 October 2018. The SCC is responsible for promoting compliance with the surveillance camera code of practice (the Code) and ensuring lawfulness and transparency in the use of CCTV cameras in the UK.

The SCC encourages every organisation that installs CCTV cameras to adhere to its policies. The DPIA template specifies the DPIA requirements regarding CCTV cameras. A DPIA is a process to help you identify and minimise the data protection risks of a project. Under Article 35 GDPR, a DPIA is also a statutory requirement where data processing is likely to result in high risks to individuals, taking into account the nature, scope, context and purposes of the processing.

Necessary preliminary steps for a DPIA

Before undertaking a DPIA, installers must undertake the following steps.

Identify the reasons for installing CCTV cameras and the goal to be achieved

Data controllers should explain why CCTV cameras are necessary and how this technology will support the pursued aim. For example, if crime prevention is the goal, organisations should provide concrete evidence of how CCTV will enable them to achieve that goal.

Check necessity and proportionality regarding the means

The second step is to consider and document why surveillance cameras are strictly necessary in respect of the needs and objectives. Regarding proportionality, data controllers should be able to prove that this is the least intrusive, but still efficient, measure to achieve the desired goal. For example, consider whether it would be necessary and proportionate to operate the system 24/7.

Identify a lawful ground for data processing

CCTV cameras could involve the processing of large amounts of personal data, including special categories of data, depending on the monitored space and individuals. Data controllers should establish, record and justify this processing in accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. For further guidance, you could also consult the passport to compliance issued by the SCC.

Once these steps have been completed, the organisation is ready to complete the DPIA.

Conducting the DPIA

The DPIA is a valuable tool to prevent adverse effects, ensure legal compliance, demonstrate accountability, and proactively embed data protection by design into this technology. The DPIA should be undertaken prior to installing the CCTV and should:

  • Describe the nature, scope and purposes of data processing

Describe the information flow, its purposes, the form of transmission and the technology used. This should also cover the location of cameras, the monitored space and subjects, the camera types and capabilities, and the person(s) responsible for the system. Data controllers could also share their findings from consultation with internal and external stakeholders, such as subjects’ representatives, carried out through online surveys and meetings with local communities to understand the privacy expectations of the public.

  • Assess necessity and proportionality

Describe how the benefits of this data processing activity outweigh the risks to individuals.

  • Identify potential risks to fundamental rights and freedoms

Identify potential risks to the rights and freedoms of data subjects.

  • Identify privacy-by-design measures to mitigate risks

Identify and design preventive measures against the identified risks, such as privacy masking where cameras overlook residential areas. Keep in mind that some measures may be required by law. For example, you should provide visible and readable signs about CCTV systems and include the details of the organisation operating the system.

  • Keep the DPIA under review

A DPIA is not a one-off procedure. Data controllers should re-examine and update the DPIA if one of the following applies: first, when technical functionalities and features, such as audio recording, are added to the existing technology and the risks change; second, when the amount of personal data collected increases, sensitive information is processed, and when images are captured from different locations; third, when CCTV cameras are used to achieve new purposes. Organisations should constantly check whether the applied technology meets the specified purposes and respects data protection requirements. Both the SCC and the Information Commissioner’s Office recommend that you revise your DPIA on an annual basis.

DPIAs are a complex mechanism, not a formality, and require in-depth assessment of the data processing operations, planning, implementation and monitoring of compliance with data protection law.

For more information, visit the Trilateral Data Protection Officer page and contact our team:

Adam Panagiotopoulos, Data Protection Advisor at Trilateral Research
