Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is the GDPR – And Why Does It Apply to CCTV?
- Why Do UK Businesses Use CCTV – And What Are the Compliance Risks?
- What Does the ICO Expect from Businesses Using CCTV?
- How Do I Make My CCTV System GDPR Compliant?
- 1. Install Highly Visible CCTV Warning Signs
- 2. Carry Out a Data Protection Impact Assessment (DPIA)
- 3. Register With The ICO and Pay the Data Protection Fee
- 4. Handle CCTV Footage Lawfully and Securely
- 5. Share Footage with Police or Authorities Responsibly
- 6. Respond to Subject Access Requests (SARs)
- 7. Set and Follow Strict Retention Periods for CCTV Footage
- 8. Draft and Maintain the Right Policies
- Practical Tips to Minimise CCTV & GDPR Risks
- When Should You Get Legal Help for CCTV & GDPR?
- Key Takeaways: CCTV & GDPR Checklist for UK Businesses
Thinking of installing CCTV at your business, or already have cameras in place? You’re not alone – with around 6 million CCTV cameras in the UK, it’s clear that surveillance is a popular choice for protecting property, staff, and customers. But what you might not realise is just how tightly the law regulates CCTV use, especially since the introduction of the General Data Protection Regulation (GDPR).
The bottom line? If your CCTV system records people – whether they’re staff, customers, or passers-by – you’re handling personal data. That means you need to follow strict rules, or you could be facing hefty fines from the Information Commissioner’s Office (ICO).
Don’t stress – with the right approach and a clear set of compliance steps, you can enjoy the benefits of CCTV and keep your business on the right side of the law. In this guide, we’ll break down what you need to do to ensure your CCTV is GDPR-compliant, highlight the biggest risks, and share practical tips for minimising headaches down the track.
What Is the GDPR – And Why Does It Apply to CCTV?
The General Data Protection Regulation (GDPR) is the main data privacy law in the UK and the EU. In the UK it applies as the UK GDPR (the version retained after Brexit), read together with the Data Protection Act 2018. Its purpose is to give people more control over their personal data and to hold businesses to a higher standard of accountability.
CCTV almost always captures “personal data” within the meaning of the GDPR – that is, information relating to an identifiable living individual. So, the moment your cameras point somewhere that staff, customers, delivery drivers, or even members of the public appear on footage, you’re governed by data protection law.
That means you need to meet a range of legal obligations, from informing people they are being recorded, to handling footage securely, only keeping it as long as necessary, and respecting people’s rights to access or object to surveillance.
Why Do UK Businesses Use CCTV – And What Are the Compliance Risks?
For most businesses, CCTV serves valid and often essential purposes, such as:
- Deterring theft, vandalism, or abuse towards staff
- Protecting property, equipment, or stock
- Providing evidence in the event of incidents
- Helping ensure staff and visitor safety
However, these benefits come with a legal responsibility. Failing to comply with CCTV laws can have real consequences, including:
- Complaints and investigations by the ICO
- Potential fines (for the most serious UK GDPR breaches, up to £17.5 million or 4% of annual worldwide turnover, whichever is higher)
- Reputational damage with customers and staff
- Possible lawsuits for breach of data protection rights
So, getting CCTV and GDPR compliance right isn’t just about ticking a box – it’s about managing legal risk and building trust.
What Does the ICO Expect from Businesses Using CCTV?
The Information Commissioner’s Office (ICO) is the UK’s independent watchdog for data protection. It takes a firm stance on businesses that ignore CCTV laws, especially if footage is misused, kept too long, or individuals’ rights are ignored.
The ICO expects CCTV-using businesses to:
- Be transparent: Inform everyone who might be captured by cameras, in a clear and accessible way (this includes using clear signage).
- Justify their use: Show that CCTV is necessary, proportionate, and that less intrusive options have been considered.
- Limit retention: Only keep recordings for as long as necessary to achieve the intended purpose.
- Respect individual rights: Properly handle requests from anyone seeking access to footage of themselves, or wishing to object to surveillance.
- Secure data: Protect footage from unauthorised access, leaks, or loss.
- Register and pay the ICO fee: Most businesses using CCTV must register as data controllers with the ICO and pay the annual data protection fee.
Let’s break down these GDPR requirements for CCTV one step at a time.
How Do I Make My CCTV System GDPR Compliant?
Here’s your practical compliance toolkit if you’re running CCTV at your premises.
1. Install Highly Visible CCTV Warning Signs
You are legally required to warn people that CCTV is in use before they are captured on camera.
This means putting up clear, visible signs that include:
- A statement that CCTV operates in the area
- The purpose of the surveillance (such as crime prevention or staff safety)
- Details of the organisation responsible for the system
- How individuals can get more information (such as an email or web address)
Place signs at entrances, near the cameras themselves, and anywhere people could reasonably expect to be informed. The goal is transparency – people should never be surprised to discover they’ve been filmed.
2. Carry Out a Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is an evaluation you carry out before introducing CCTV, and regularly afterwards. It’s your way to assess whether surveillance is necessary and proportionate, to weigh up any risks, and to document the safeguards you’ll put in place.
A good DPIA for CCTV will cover:
- Your reasons for surveillance (and whether less intrusive options exist)
- Who will be affected (e.g. staff, the public, visitors)
- How you’ll inform people about the cameras and their rights
- The technical and organisational security measures you’ll use
- How footage will be accessed, stored, and shared
Regularly updating your DPIA (for example, if you add cameras, change what you record, or update your data processing policies) is essential to stay compliant. For practical tips, see our guide to Data Privacy Impact Assessments.
3. Register With The ICO and Pay the Data Protection Fee
Almost all businesses running CCTV need to register as a “data controller” with the ICO and pay the annual data protection fee. Some small organisations are exempt from the fee, but the ICO is clear that using CCTV for crime prevention is not covered by those exemptions, so assume you need to pay. This isn’t optional – skipping this step is a sure way to end up on the wrong side of the law.
Registration only takes a few minutes but keeps you on the right side of CCTV data protection obligations. Failing to pay the registration fee can result in a fine, even if you otherwise have solid GDPR practices. You can find more guidance in our article on business regulatory compliance.
4. Handle CCTV Footage Lawfully and Securely
Good data handling is at the heart of GDPR and CCTV compliance. Here’s what you should have in place:
- Limit who can access footage: Only permit access to trained staff who genuinely need footage for their work.
- Store data securely: Use strong password protection and encryption, and restrict copying or transferring footage unless absolutely necessary. Two of the most common causes of unauthorised access are recorders and cameras still using their factory default passwords and recorder admin interfaces exposed directly to the internet – change the defaults, keep the system off the public internet, and apply firmware updates.
- Log and document access: Keep a record of when footage is accessed, by whom, and for what purpose.
For more details on protecting personal data, check our article on customer data protection or the broader topic of cyber security legal issues.
5. Share Footage with Police or Authorities Responsibly
Police may occasionally request CCTV footage from your business – for example, if it might assist with a criminal investigation.
You can (and should) share relevant footage with law enforcement, but always keep a record of:
- Who requested the footage and why
- Which footage was provided
- When and to whom it was given
Never share footage more widely than necessary. Ask for the request in writing and confirm it genuinely comes from the police or investigating authority before releasing anything. If anyone other than the police or official investigators requests footage, you’ll need to check whether it’s lawful to release it. If in doubt, seek legal advice.
6. Respond to Subject Access Requests (SARs)
Under the UK GDPR, individuals have the right to access CCTV footage that features them. If someone submits a Subject Access Request, you have one calendar month (extendable by up to two further months for complex requests, provided you tell the person within the first month) to:
- Confirm whether you hold footage of them (you can ask for the date, time and location so you can locate the relevant clip)
- Provide a copy of the relevant footage, or explain why it can’t be shared (for example, if it would reveal the identity of other people, you may need to blur faces or redact sections)
Failing to respond to SARs correctly is one of the most common CCTV GDPR compliance mistakes businesses make. For more information on managing these requests, see our articles on the right to be forgotten and individual data rights in the UK.
7. Set and Follow Strict Retention Periods for CCTV Footage
Don’t keep CCTV recordings forever. The law only lets you retain footage for as long as it’s genuinely needed for your stated purpose – usually for a fixed period (e.g., 30 days), unless an incident means you need to keep it longer (such as for a police investigation or internal review).
Create a retention policy outlining:
- How long footage is kept in standard circumstances
- When footage will be deleted or overwritten
- Who is responsible for managing retention and deletion
Regularly reviewing and deleting old footage is not only good practice but also a legal requirement. This is one of the key differences between compliant CCTV operation and riskier “set-and-forget” approaches.
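The access-logging steps in section 4 and the retention policy in section 7 are easier to enforce in code than by reminder. The following is an added example, not code from Sprintlaw or from any CCTV product: a Python retention job that deletes clips older than an assumed 30-day period unless they are on a recorded legal hold (for example a police request), and a tamper-evident access log in which each entry carries a hash of the previous one, so a deleted or edited line shows up when the log is verified. Clip names, dates, hold reasons and the temporary folder used by the demo are constructed for illustration.

```python
"""Retention enforcement with legal holds, plus a tamper-evident access log.

Added example, not code from Sprintlaw or the article. Clip names, the
30-day period and the hold reasons below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 30  # assumed standard period; take it from your retention policy


def clips_to_delete(clip_times: dict[str, datetime], holds: dict[str, str],
                    now: datetime, retention_days: int = RETENTION_DAYS
                    ) -> tuple[list[str], list[str]]:
    """Split clips into (delete, retain_on_hold).

    clip_times maps clip name -> recording time. holds maps clip name -> reason
    (e.g. a police request); a held clip is kept past the period, but the
    reason is recorded so the exception can be justified later.
    """
    cutoff = now - timedelta(days=retention_days)
    delete, held = [], []
    for name, recorded in sorted(clip_times.items()):
        if recorded >= cutoff:
            continue  # still inside the retention window
        (held if name in holds else delete).append(name)
    return delete, held


@dataclass
class AccessLog:
    """Append-only record of who did what to which clip, why and when.

    Each entry stores the SHA-256 of the previous entry, so removing or
    editing any line breaks the chain and verify() returns False.
    """
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user: str, clip: str, purpose: str, action: str, now: datetime) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": now.isoformat(), "user": user, "clip": clip,
                "action": action, "purpose": purpose, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def scan_directory(folder: Path) -> dict[str, datetime]:
    """Treat each file's modification time as its recording time."""
    return {p.name: datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            for p in folder.iterdir() if p.is_file()}


def apply_retention(folder: Path, holds: dict[str, str], now: datetime,
                    log: AccessLog, retention_days: int = RETENTION_DAYS) -> list[str]:
    """Delete expired clips, log every deletion and every hold-based exception."""
    delete, held = clips_to_delete(scan_directory(folder), holds, now, retention_days)
    for name in delete:
        (folder / name).unlink()
        log.record("retention-job", name, "retention period expired", "delete", now)
    for name in held:
        log.record("retention-job", name, f"legal hold: {holds[name]}", "retain", now)
    return delete


# Constructed sample data for a stand-alone run (not real footage).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CLIPS = {
    "cam1-2024-04-20.mp4": datetime(2024, 4, 20, tzinfo=timezone.utc),  # expired
    "cam1-2024-05-25.mp4": datetime(2024, 5, 25, tzinfo=timezone.utc),  # current
    "cam2-2024-04-28.mp4": datetime(2024, 4, 28, tzinfo=timezone.utc),  # expired, on hold
}
SAMPLE_HOLDS = {"cam2-2024-04-28.mp4": "police request (reference assumed)"}


def demo_filesystem(now: datetime = NOW) -> tuple[list[str], list[str], bool]:
    """Write two dummy clips to a temp folder, backdate one, run the job."""
    folder = Path(tempfile.mkdtemp(prefix="cctv-"))
    for name, age_days in (("old.mp4", 40), ("recent.mp4", 3)):
        path = folder / name
        path.write_bytes(b"\x00")
        stamp = (now - timedelta(days=age_days)).timestamp()
        os.utime(path, (stamp, stamp))
    log = AccessLog()
    deleted = apply_retention(folder, {}, now, log)
    remaining = sorted(p.name for p in folder.iterdir())
    return deleted, remaining, log.verify()


if __name__ == "__main__":
    print("delete / retain on hold:", clips_to_delete(SAMPLE_CLIPS, SAMPLE_HOLDS, NOW))
    print("filesystem demo (deleted, remaining, log intact):", demo_filesystem())
```

The point of the hold dictionary is that the exception to the retention period is itself a recorded decision with a reason, rather than an undocumented folder that never gets cleared. Hashing each log entry over the previous one does not stop a privileged user deleting the whole log, so ship the entries somewhere the CCTV operators cannot write to; it does make any edit to an individual line detectable.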
8. Draft and Maintain the Right Policies
Written policies make your CCTV use clear to staff, customers, and regulators. At a minimum, you should have:
- A CCTV policy explaining why and how surveillance is used
- A Privacy Policy covering any personal data your business processes
- Staff training and awareness procedures
- Procedures for handling incidents, breaches, or complaints
For help with privacy documentation or bespoke policies, explore our Data Protection Pack.
Practical Tips to Minimise CCTV & GDPR Risks
Want to keep your CCTV system compliant (and avoid trouble with regulators)? Here are some practical steps:
- Install cameras only where needed. Avoid recording private or sensitive spaces (like toilets, changing rooms, or break areas).
- Review your system regularly. Make sure your setup still meets your original purposes and isn’t recording more than is necessary.
- Limit audio recording. Recording sound is far more intrusive than video alone and is rarely justifiable for most UK businesses.
- Train staff on their responsibilities. Make sure managers and everyone accessing CCTV know the rules, including SARs and data handling.
- Document everything. Compliance is easier to prove if you have records of decisions, assessments, policies, and security measures.
Remember, the best businesses treat privacy – including CCTV and GDPR – as part of their broader risk management. It’s about respecting people’s rights and protecting your business from costly mistakes.
When Should You Get Legal Help for CCTV & GDPR?
CCTV and GDPR can be surprisingly complex – especially if your business is open to the public, runs multiple locations, or records high volumes of footage. You might need specific advice if:
- You’re unsure about the legal basis or necessity of surveillance
- You’ve received a complaint or a subject access request
- You want to integrate facial recognition or other advanced monitoring tech (facial recognition processes biometric data, which is special category data under the UK GDPR, so it needs a DPIA and a much stronger justification than ordinary CCTV)
- The police or regulators have been in touch
- You need privacy policies or contracts that are tailored to your operations
Avoiding DIY shortcuts – especially for legal documents or privacy notices – is key to keeping your business protected from day one. It’s wise to chat with a data privacy lawyer or seek advice on what legal documents your business genuinely needs.
Key Takeaways: CCTV & GDPR Checklist for UK Businesses
- Installing CCTV means you are processing personal data – so the UK GDPR applies.
- Use clear signage at all points of camera coverage to inform individuals of surveillance.
- Conduct and regularly update Data Protection Impact Assessments (DPIAs) for your CCTV use.
- Register with the ICO as a data controller and pay the data protection fee.
- Respond promptly to Subject Access Requests for CCTV footage.
- Set and strictly follow a CCTV retention period and deletion policy.
- Keep your system secure, control access, and maintain decision and access records.
- Draft and display a clear privacy notice and ensure staff are trained in CCTV data protection.
- Seek expert advice for advanced systems or complex compliance scenarios.
If you’d like help with CCTV & GDPR compliance – or just want to make sure your privacy policies are up to scratch – we’re here to help. Reach out for a free, no-obligations chat at team@sprintlaw.co.uk or call us on 08081347754.