A lawful basis is the legal justification a system must have to process personal data at all — under GDPR Article 6, processing is unlawful unless at least one of six bases applies. For video surveillance the realistic bases are legitimate interest (a private operator protecting property and people), legal obligation, public task (for a public authority), or consent (workable only in controlled, opt-in settings). Choosing and documenting the basis is the first compliance step, before any technical design.
The basis is not a formality — it constrains what the system may do. Each basis carries conditions: legitimate interest requires a documented balancing test (a legitimate interest assessment) weighing the operator's need against the privacy intrusion, and gives the people captured the right to object; consent must be freely given and withdrawable. And ordinary CCTV's basis does not stretch to cover biometrics: face recognition processes special-category data, which needs a separate Article 9 condition on top of the Article 6 basis. The lawful basis defines the lawful scope.
The pitfall is recording first and justifying later, or assuming "security" is automatically a lawful basis. It is not: "security" describes a purpose, but you still have to identify the specific Article 6 basis, do the balancing test if you rely on legitimate interest, and satisfy an Article 9 condition separately for any biometric feature. A system whose lawful basis was never analysed cannot demonstrate compliance when asked. Decide and document the basis per purpose before deployment, repeat the analysis when a new analytic changes the picture, and treat biometrics as a distinct, higher requirement. This is engineering guidance, not legal advice; confirm specifics with qualified counsel.

