DPO checklist: what to review before implementing a video surveillance system in your organization

Visual data anonymization is a set of organizational and technical measures designed to reduce the identification of individuals and vehicles in visual materials at the surveillance design stage. In practice, this mainly means face blurring and license plate blurring—masking faces and license plates in photos and video footage before the material is shared, published, or transferred further. In a pre-deployment model, this is not a minor technical detail but a design decision that affects data scope, access, retention, system architecture, and risk assessment.

For a DPO, IT manager, compliance officer, or anyone approving a new video surveillance system, the key question is not “can we blur the footage later?” but “has the entire process been designed so that visual data anonymization is genuinely feasible, proportionate, and documented?” This is particularly important when the organization plans to publish photos or videos, share them with the media, partners, or public bodies, or use them in marketing and PR.

What does visual anonymization mean in practice before cameras go live?

At the implementation stage, it is worth adopting clear definitions. In this article, visual data anonymization means setting up a process in which visual materials can be anonymized before being shared. Face blurring means masking faces. License plate blurring means masking license plates. On-premise software means software deployed within the organization’s own infrastructure, which may be important for internal security policies and for limiting transfers of footage outside the controller’s environment.

From a compliance perspective, a typical business approach is to assume that if the organization expects to use recordings or photos beyond the original purpose of securing the premises, the anonymization mechanism should not be added at the end of the project. It should be built in before the cameras go live, together with retention rules, access controls, and the file export workflow.

In such scenarios, some organizations choose Gallio PRO as a tool to support visual data anonymization. From a governance perspective, however, it is important to describe both capabilities and limitations precisely. The software automatically detects and blurs only faces and license plates. It does not automatically detect company logos, tattoos, name badges, documents, or content displayed on monitor screens. Those elements can be blurred manually in the editor. In addition, the software is not intended for real-time anonymization or live video stream anonymization, and it does not blur entire bodies.

DPO checklist before deploying a video surveillance system

The checklist below covers actions that can be reviewed and ticked off before cameras are activated. Each point relates only to photos and video recordings and to scenarios involving their later use.

1. Describe the purpose of the surveillance system in a verifiable way. Record whether the system is intended solely for site security or also for preparing materials for publication, crisis communications, evidentiary purposes, or sharing with partners. If secondary use of images is anticipated, this should be addressed at the design stage.
2. Check whether the planned camera framing is proportionate. Before installing cameras, it is worth walking through the locations and confirming that the field of view does not unnecessarily cover public areas, windows of neighboring buildings, workstations without justification, or areas where surveillance is not necessary for the system’s purpose.
3. Prepare a matrix of scenarios in which footage will require anonymization. Identify specific situations: publishing a photo on the website, sending footage to the media, sharing a clip with a contractor, or using material on social media. This matrix should distinguish faces and license plates from other elements that may require manual image redaction.
4. Verify the legal basis for processing and describe any further use of the images separately. This is not the place for a full analysis of every possible legal basis, but a good practice is to distinguish surveillance itself from the later publication or sharing of the material. In communications and marketing scenarios, compliance risk may differ from standard site security use.
5. Carry out a DPIA if the scale or context of the surveillance requires it. The impact assessment should cover not only image capture itself, but also planned export, clip selection, anonymization before disclosure, and the roles of decision-makers. If the organization expects to publish recordings, this stage may require separate documentation of the risks involved.
6. Prepare the privacy notice and signage for monitored areas. The wording should reflect the system’s actual operating model. If the organization plans to use recordings or photos for further purposes, the notice should not suggest that the images are used solely for day-to-day site protection.
7. Set retention periods for raw footage and separately for versions prepared for disclosure. Define the maximum storage period for the full recording, the storage period for exported clips, and the conditions for deleting working copies. The most common mistake is leaving multiple copies of the material after anonymization has already been performed.
8. Restrict roles and access before the system goes live. It is worth defining who may view raw footage, who may export files, who may perform face blurring and license plate blurring, and who approves publication. Without this responsibility matrix, anonymization remains a discretionary process.
9. Check whether the anonymization tool matches real-life scenarios. If the organization needs to prepare material before publication, it makes sense to choose a solution that supports work on photo and video files, rather than a system promising functions the project does not actually require. In the case of Gallio PRO, it should be noted that automatic detection covers only faces and license plates, while other image elements require manual editing.
10. Test the anonymization workflow on a sample of real-world shots. Before cameras go live, it is worth running a trial on materials with similar framing, lighting, and motion. This makes it possible to assess how much work automatic face and license plate blurring will save and which cases will still need to be handled manually. If your organization wants to validate such a workflow on its own files, you can try the demo.
11. Define a manual redaction procedure for elements not detected automatically. The procedure should specify who is responsible for checking whether the footage contains company logos, tattoos, name identifiers, documents, or content displayed on monitors. This is particularly important because these objects are not covered by automatic detection in Gallio PRO.
12. Set a rule for face anonymization before any material is shared. In business practice, organizations often adopt a default rule of blurring faces before publication or disclosure unless a clearly documented reason for exception applies. The obligation to anonymize faces does not automatically arise in every case directly under the GDPR, civil law, or copyright law, but the publication of a person’s image generally requires a separate legal assessment. Copyright law provides for certain exceptions, including where the image concerns a widely known person photographed in connection with the performance of public functions, or where the image constitutes only a detail of a whole such as a gathering, landscape, or public event. Receiving payment alone does not create a general statutory exception without proper agreement on the scope of consent for image dissemination. Where large volumes of footage are involved, it is worth designing a workflow from the outset using a tool for video anonymization that automatically detects faces and license plates while allowing the rest to be refined manually.
13. Set a rule for license plate anonymization before publication. This point requires caution. There is no general EU-wide rule that always requires license plates to be blurred before publication. In Poland, the situation is also not entirely uniform: the assessment depends on the context, the possibility of identifying an individual, and the intended use of the material, and the issue is treated differently in practice and case law. As a result, a reasonable pre-deployment approach is to adopt a conservative rule of blurring license plates before material is disclosed outside the organization.
14. Verify whether the deployment architecture limits unnecessary transfer of footage. If security policies require it, consider the use of on-premise software. In corporate or sector-specific deployments, it may be important that footage does not leave the organization’s environment unnecessarily.
15. Review the logging policy and system audit trail. From a data minimization perspective, it is important that the tool does not generate additional logs containing detection data or personal data. In the case of Gallio PRO, it has been stated that the software does not collect logs containing face and license plate detection data and does not collect logs containing personal data or special category data.

Control table: what to check before launch and what to check before publishing footage

When is an implementation consultation needed?

Not every project can be covered by a simple checklist. Consultation is usually needed for distributed deployments, multiple locations, integration with an existing VMS, on-premise software requirements, specific public-sector obligations, or procedures for publishing materials across multiple departments. In such cases, it is worth to reach out to the team and confirm how to design the anonymization process for photos and recordings before the system goes live.

The most common mistake at the design stage

The most common mistake is assuming that video surveillance is only about camera infrastructure and that anonymization can be solved later. In reality, it is precisely before launch that the organization must decide whether it will have a tool for face blurring and license plate blurring, who is responsible for manual redaction, how material approval works, and when working copies are deleted. Without these decisions, even a formally compliant surveillance system can create operational chaos at the first request to publish or share footage.

FAQ - DPO checklist

Does every organization implementing video surveillance need to buy an anonymization tool immediately?

Not always. If the material will never be published or shared beyond a strictly controlled purpose, the need may be lower. However, if it is already clear at the design stage that photos or recordings will be disclosed, it is worth designing the anonymization process before the cameras go live.

Is blurring the entire body standard in such systems?

No. In the context described here, the key elements are faces and license plates. Gallio PRO does not blur entire bodies; it only blurs faces and license plates, while other image elements can be concealed manually in the editor.

Does Gallio PRO perform live video stream anonymization?

No. The software does not perform real-time anonymization or live video stream anonymization. This is an important limitation that should be considered in the system architecture design.

Do license plates always need to be blurred?

It depends on the jurisdiction and the context in which the material is used. There is no single general rule that always determines this obligation. In Poland, the situation is not uniform, which is why many organizations adopt the conservative practice of blurring license plates before publication or disclosure outside the organization.

Does a face always need to be blurred before publication?

Not in every case. In compliance practice, a default rule of concealing faces is often adopted, but each case still requires an assessment of the legal basis for processing and the rules governing the publication of a person’s image. In copyright law, particularly relevant exceptions concern widely known persons and images constituting only a detail of a whole, such as a gathering, landscape, or public event.

Does automatic detection also cover logos, tattoos, and name badges?

No. Automatic detection covers only faces and license plates. Company logos, tattoos, name badges, documents, and monitor screens require review and, where necessary, manual redaction.

Can system logs themselves create additional data protection risks?

Yes, which is why this should be reviewed before implementation. Materials relating to Gallio PRO state that the software does not store logs containing face or license plate detection data or personal data and special category data.