« Back to Glossary Index
A DPIA is a structured review that organisations must complete before deploying any system that is likely to result in high risk to individuals’ privacy. In fleet management, fitting cameras that record drivers counts as such a system. The DPIA documents what data is collected, why it is needed, and how risks to drivers are managed.
Under UK GDPR and the Data (Use and Access) Act 2025, operators using in-vehicle cameras to record drivers are required to complete a DPIA before deployment. A DPIA for fleet cameras typically covers:
- What data is collected – video footage, GPS position, driver identity, timestamps
- Lawful basis – usually legitimate interests (road safety, asset protection) balanced against driver privacy rights
- Data retention – how long footage is kept before automatic deletion (typically 28-60 days)
- Access controls – who can view footage and under what circumstances
- Driver notification – visible signage in the vehicle and written policy shared with drivers
- Subject access requests – process for a driver to request footage involving them