A DPIA (Data Protection Impact Assessment) is a structured analysis of the privacy risks of a processing activity and how they will be mitigated, carried out before deployment. Under GDPR Article 35 it is mandatory where processing is likely to result in a high risk to people's rights — and the regulation explicitly names systematic monitoring of a publicly accessible area on a large scale, which describes a great deal of video surveillance. The DPIA is the document that forces "should we, and how safely?" to be answered before cameras go live.
A DPIA for surveillance works through the system methodically: what is recorded and why, the lawful basis, what data (including any biometrics) is processed, who can access it, how long it is kept, the risks to the people captured, and the measures that reduce those risks (minimisation, privacy zones, retention limits, access control, encryption). Where residual risk stays high despite mitigation, Article 36 requires prior consultation with the supervisory authority. The EDPB Guidelines 3/2019 frame how this applies to video specifically.
The pitfall is skipping or back-dating the DPIA. Done after the system is built, it becomes a box-ticking exercise that cannot change the design; its whole value is that it is done early enough to shape camera placement, retention, and whether a high-risk feature like face recognition is justified at all. Treat the DPIA as a design input, not a compliance afterthought, and revisit it when the system materially changes. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.

