Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a shop, café, warehouse, office, gym, or any customer-facing business, CCTV can feel like a no-brainer. It helps deter theft, protect staff, and provide evidence if something goes wrong.
But as soon as your cameras capture identifiable people, you’ll probably find yourself asking whether CCTV footage counts as personal data under UK GDPR.
In most cases, yes - and that means you’ll need to treat CCTV footage as something you collect, store, and use under the rules of UK GDPR and the Data Protection Act 2018.
Below, we’ll break down what that means in practical terms for small businesses, what you need to have in place, and the common traps that can create headaches (or complaints) later.
Is CCTV Footage Personal Data?
Let’s deal with the core question upfront: is CCTV footage personal data?
Under UK GDPR, personal data is broadly any information relating to an identified or identifiable living individual.
So, is CCTV footage personal data in the UK?
- Usually, yes - if someone can be identified from the footage (face, clothing, tattoos, where they work, car registration plates, etc.).
- Sometimes, no - if people are not identifiable (for example, the image is too blurred, or it only shows anonymous movement with no way to link it to an individual).
In real-world business CCTV setups, most footage will be personal data because it’s specifically intended to capture identifiable people.
What About “Just Staff” Or “Just Customers”?
It doesn’t matter whether the individuals are customers, employees, contractors, or delivery drivers. If they’re identifiable, it can be personal data.
This is why workplace CCTV can overlap with employment compliance, policies, and fair processes - the legal risk isn’t only “data protection”, it can also become an employee relations issue if monitoring feels excessive or secretive.
If you’re thinking about installing or reviewing workplace cameras, it’s worth checking your broader approach to workplace cameras at the same time, so your CCTV use matches your employment practices.
Why It Matters: Your CCTV Becomes A UK GDPR Compliance Issue
Once you accept that CCTV footage can be personal data, the next question is: what does your business actually need to do differently?
UK GDPR doesn’t ban CCTV. It just says that if you’re collecting personal data (including footage), you must do it lawfully, fairly, and transparently - and handle the data responsibly.
In practice, that usually means you need to think about:
- Why you’re recording (your purpose and lawful basis).
- How you tell people (signage and privacy information).
- How long you keep footage (retention rules).
- Who can access it (access controls and confidentiality).
- How you respond to requests (e.g. subject access requests).
- Whether the setup is proportionate (especially for staff areas).
- Whether you need a DPIA (a Data Protection Impact Assessment), particularly if the monitoring is likely to be high risk (for example, large-scale monitoring, audio recording, or monitoring that could significantly affect staff).
Done properly, CCTV is a strong risk-management tool.
Done casually - with no signage, no documentation, and a “we’ll keep everything forever” approach - it’s the kind of thing that can attract complaints to the ICO, escalate workplace grievances, or cause problems during disputes.
What Lawful Basis Can You Rely On For CCTV?
For most small businesses, CCTV is used for common-sense reasons like security and safety. But UK GDPR still expects you to identify a lawful basis for processing personal data.
Common lawful bases for business CCTV include:
- Legitimate interests (the most common) - for example, preventing theft, keeping staff safe, protecting property, and investigating incidents.
- Legal obligation - sometimes relevant if you need recording to comply with a specific legal duty (less common for general CCTV).
- Vital interests - rare, typically emergency situations.
In many cases, consent is not the right lawful basis for CCTV in a business environment. That’s because consent needs to be freely given, and in workplaces especially, there’s often an imbalance of power (so “consent” may not be valid in the GDPR sense).
You Still Need To Balance Privacy
If you’re relying on legitimate interests, you generally need to be able to justify that:
- your CCTV use is genuinely necessary for your purpose (not just “nice to have”);
- you’re using it in a proportionate way (e.g. not filming areas where people expect more privacy); and
- your interests don’t override people’s rights and freedoms.
As a quick sense-check: if you’re filming a stockroom entrance to prevent theft, that’s usually easier to justify than filming a staff break room “just in case”.
What Do You Need To Put In Place To Use CCTV Lawfully?
This is where most small businesses want a simple checklist. While your setup should be tailored to your premises, there are some consistent “must-haves”.
1) Clear Signage And Transparency
If someone walks into your premises, they should be able to tell they’re being recorded. In most cases, that means CCTV signs at entrances and key areas.
You’ll also want to tell people, in plain language:
- who is operating the CCTV (your business name);
- why you’re recording (e.g. crime prevention, safety);
- how they can get more information (often a privacy notice link or contact email).
Many businesses cover the “more information” piece through a Privacy Policy (or a CCTV-specific privacy notice). The key is that the information is actually accessible and accurate for what you’re doing.
2) Keep The Coverage Proportionate
Ask yourself:
- Do we really need cameras in this location?
- Are we recording more than we need (for example, capturing neighbouring premises or public footpaths)?
- Are we recording audio (which can raise the privacy impact significantly)?
If you’re considering sound recording, be extra careful. Audio can be much more intrusive than video alone and often creates higher compliance risk. In practice, audio recording is harder to justify and you may need stronger safeguards, clearer notices, and a DPIA.
If your system includes audio (or you’re considering it), you’ll want to think through the specific risks of CCTV with audio.
3) Set A Sensible Retention Period
One of the easiest mistakes to make is keeping CCTV footage forever “because storage is cheap”. Under UK GDPR, you should generally keep personal data only for as long as you need it for the purpose you collected it.
For many small businesses, a retention period might be something like 14–31 days, unless footage is needed for an active investigation (e.g. theft, incident, insurance claim).
A simple approach is:
- standard retention (e.g. 21 or 30 days);
- incident retention (longer storage for specific clips tied to a known issue);
- secure deletion after retention expires.
4) Restrict Access And Keep Footage Secure
Even if you’re a small team, you should be clear about:
- who can access CCTV footage (ideally a limited number of authorised people);
- how access is controlled (passwords, role-based access, logs where possible);
- how footage is shared externally (e.g. police requests, insurers, solicitors).
If staff have access to CCTV systems, your internal rules should line up with your overall IT and data security approach. For many businesses, that includes an Acceptable Use Policy so it’s clear what staff can and can’t do with business systems and sensitive data.
5) Use A Supplier Contract If A Third Party Manages Your CCTV
If a third-party provider supplies cloud storage, remote monitoring, or maintenance with access to footage, that provider may be acting as a “processor” under UK GDPR.
That’s where you’ll usually want a written agreement that covers the UK GDPR “processor” requirements (including confidentiality, appropriate security measures, clear instructions, limits on subcontracting, breach support, and what happens to the footage at the end of the service).
This is one of those areas where it’s risky to rely on informal emails or generic terms - the agreement should match how the CCTV is actually operated.
What About The Right To Privacy And CCTV Cameras In A Business?
Business owners often worry that privacy laws mean they can’t use CCTV. In reality, the “right to privacy and CCTV cameras” question is more about reasonableness and transparency than a blanket ban.
People do have privacy rights, but those rights are balanced against legitimate business needs like safety and security.
Some practical “privacy-friendly” practices include:
- avoid cameras in private areas (toilets, changing rooms, and similar spaces should not be filmed);
- be careful in staff-only areas (break rooms, kitchens, back offices - consider whether you can justify filming);
- don’t use CCTV for “hidden” monitoring unless you have a strong, specific reason, have considered ICO guidance, and have taken advice (covert monitoring is generally high-risk and should be time-limited and targeted);
- don’t repurpose footage casually (e.g. using clips for social media, training, or marketing without checking lawful basis and permissions).
If you’re using CCTV in a workplace context, your approach should also fit within how you manage staff fairly. For example, if footage could be used in disciplinary processes, you’ll want consistency and clear rules.
It’s also worth checking how your business handles wider monitoring practices - CCTV often sits alongside other monitoring like device tracking or internet usage monitoring. If that’s relevant to your business, make sure your policies and notices stay aligned with employee computer monitoring.
Handling Subject Access Requests (SARs) For CCTV Footage
If your CCTV footage is personal data, individuals can request access to it. This is often done through a Subject Access Request (SAR).
For small businesses, SARs can feel intimidating - but they’re manageable if you plan for them.
What Might Someone Ask For?
Someone might ask for:
- a copy of footage that shows them;
- confirmation of whether you hold footage of them;
- information about how and why you process CCTV footage.
Do You Have To Hand Over All The Footage?
Not necessarily. You usually need to provide the personal data relating to the requester. That often means providing relevant clips, not “everything from the whole day”.
You also need to consider other people captured in the footage. If providing the clip would unfairly disclose personal data about others, you may need to:
- blur or redact third parties where possible; or
- provide an alternative (for example, still images); or
- withhold parts where an exemption applies (this can be technical, so get advice if unsure).
Timeframes And Practical Steps
UK GDPR timeframes can apply (often one month, subject to extensions in some situations). To keep things simple, it helps to have internal steps such as:
- log the request and the date received;
- confirm identity where appropriate;
- identify relevant cameras and time windows;
- export footage securely;
- redact/blur third parties if needed;
- keep a record of what you provided and why.
This is one reason to avoid overly long retention periods. If you keep months of footage, your search-and-review burden grows fast.
Can You Refuse A Request?
Sometimes you can refuse or limit a request - for example, if it’s manifestly unfounded or excessive - but this is a nuanced area and not something to treat casually. If you’re considering refusing a SAR, it’s worth getting tailored advice first.
Key Takeaways
- In most business settings, CCTV footage will be personal data if people can be identified, which means UK GDPR applies.
- CCTV isn’t “illegal”, but you need a lawful basis (often legitimate interests) and you should be transparent with signage and privacy information.
- Keep CCTV proportionate: avoid private areas, minimise over-coverage, and think carefully before recording audio (a DPIA may be needed).
- Set a sensible retention period and restrict access so footage doesn’t become an internal privacy risk.
- If you use third-party CCTV providers (cloud storage, monitoring, maintenance), make sure you have the right data processing terms in place.
- Plan for subject access requests by having a process for finding, exporting, and redacting CCTV footage where necessary.
If you’d like help setting up your CCTV practices properly - including privacy notices, policies, DPIAs, and contracts with CCTV providers - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


