Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Installing CCTV can be a smart move for a small business – it can deter theft, keep people safe and help you manage incidents.
But the moment your cameras capture identifiable people, you’re in data protection territory. That means the UK GDPR and the Data Protection Act 2018 apply, and you’ll need to meet specific obligations around lawful basis, transparency, retention, security and individual rights.
Don’t stress – with a clear plan and the right documents, you can run CCTV lawfully and confidently. This guide breaks down when CCTV is personal data, what you must do as the “controller”, and the practical steps that keep you compliant (and protected) from day one.
Is CCTV Personal Data Under UK GDPR?
In short: yes, CCTV footage is personal data if a person can be identified, directly or indirectly, from the images (or audio) you capture. Faces, clothing, location, timestamps and other contextual details can make someone “identifiable.”
As soon as your system can pick out identifiable people – customers, staff, contractors or passers-by – the UK GDPR applies. This triggers duties such as having a lawful basis, being transparent, securing the footage, limiting retention and honouring data subject rights.
Two clarifications help set the boundaries:
- Business vs domestic: The “household exemption” typically doesn’t apply to businesses. If you’re filming in or around your premises, you should assume the UK GDPR applies.
- Special category data: Standard CCTV images aren’t usually “special category” data. However, the risk increases if you combine CCTV with facial recognition or biometric identification. That type of processing can trigger stricter rules and more rigorous safeguards.
Bottom line: If your cameras can identify people, treat your footage as personal data and build your compliance plan around that assumption.
Who Is Responsible For CCTV Compliance?
Most small businesses using CCTV will be the “data controller” – the organisation that decides why and how the CCTV system is used.
Common roles look like this:
- Controller: You (the business) set the purpose (e.g., security, incident management) and determine placement, coverage, retention and access. You carry primary responsibility for compliance and accountability.
- Processor: Your security vendor or cloud host may process footage on your behalf. They must follow your documented instructions and implement appropriate security measures.
If you engage an external installer, monitoring centre or cloud storage provider, put a robust Data Processing Agreement in place. This sets the rules on confidentiality, security, breach reporting, sub‑processors and deletion/return of footage at the end of the contract.
If your CCTV captures neighbouring properties or shared spaces (for example, a shopping centre’s common areas), it’s wise to clarify roles and responsibilities with other occupiers or landlords. Consider whether a formal data sharing arrangement or clear written instructions are needed to avoid gaps or overlap.
Lawful Basis, Transparency And Signage
You must be clear on why you’re using CCTV and choose a lawful basis for processing. For most SMEs, “legitimate interests” will be the most suitable basis – for example, preventing theft, protecting staff and customers, or investigating incidents. You should document a legitimate interests assessment (LIA) that weighs your aims against the impact on people’s privacy.
Choosing (And Documenting) Your Lawful Basis
- Legitimate interests: Most common for security, crime prevention and safety. Carry out and record your LIA.
- Legal obligation: Possible in niche cases where a specific law requires CCTV (less common).
- Public task/consent: Rare for private businesses. Consent is usually inappropriate for CCTV because people can’t freely opt out in a monitored area.
Tell People You’re Filming: Signage And Policies
Transparency is non‑negotiable. You should provide clear, prominent signs at entry points and within monitored areas stating:
- That CCTV is in operation
- Your business name (the controller)
- The purposes (e.g., security and safety)
- Basic contact details and where to find further information
The detailed information can sit in your Privacy Policy (linked via QR code or URL on the signs). Your policy should explain retention periods, who you share footage with, and how people can exercise their rights.
If you’re filming staff areas, be especially transparent with employees. Provide clear written notices and explain how footage may be used internally (for example, in disciplinary investigations or to manage incidents). Our guidance on cameras in the workplace covers the additional employment‑law considerations.
Do You Need A DPIA?
A Data Protection Impact Assessment (DPIA) is strongly recommended for CCTV, and in some cases mandatory – particularly where monitoring is systematic, on a large scale, in publicly accessible areas or likely to be intrusive. A DPIA helps you map risks (e.g., filming beyond your boundaries, capturing children, or sensitive spaces) and define mitigations (masking, restricted access, shorter retention, better signage, or physical camera adjustments).
If you’re unsure whether a DPIA is needed, a short consultation can save you a lot of rework later. Many SMEs find it useful to bundle CCTV governance into a broader Data Protection Pack so policies and notices are consistent across the business.
Retention, Security And Sharing
Under the UK GDPR you must only keep personal data for as long as it’s necessary for your stated purposes. In practice, most SMEs set a relatively short default retention period (for example, 14–31 days), extending retention only where footage is needed for a specific incident.
Retention: Keep Footage Only As Long As You Need It
- Set a clear default retention period and apply it consistently.
- Use “hold” or “case” flags where an incident requires you to keep specific clips longer.
- Document your retention in your policy and signage.
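One way to put the three retention points above into practice, as an added example that is not Sprintlaw's code or any recorder vendor's software: a small sweep that deletes clips older than the default window unless they carry an incident "hold" flag, and writes every hold, release and deletion to an audit record so the policy can be evidenced. The Clip structure, the 31-day default, the case reference format and the sample archive are all constructed assumptions.

```python
"""Retention sweep for a CCTV archive: delete clips past the default retention
window unless they carry an incident hold.  Constructed example; the Clip
records, hold references and the 31-day default are assumptions, not the
settings of any particular recorder."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DEFAULT_RETENTION_DAYS = 31  # assumed default, inside the 14-31 day range quoted above


@dataclass
class Clip:
    clip_id: str
    camera: str
    recorded_at: datetime           # timezone-aware UTC timestamp
    hold_ref: Optional[str] = None  # incident / case reference while on hold


def place_hold(clip: Clip, case_ref: str, audit: List[Dict[str, str]]) -> None:
    """Flag a clip for a specific incident so the sweep will keep it."""
    clip.hold_ref = case_ref
    audit.append({"clip": clip.clip_id, "action": "hold", "case": case_ref})


def release_hold(clip: Clip, audit: List[Dict[str, str]]) -> None:
    """Remove the hold once the incident is closed; the clip then falls back
    under the default retention period on the next sweep."""
    audit.append({"clip": clip.clip_id, "action": "release", "case": clip.hold_ref or ""})
    clip.hold_ref = None


def retention_sweep(clips: List[Clip], now: datetime,
                    retention_days: int = DEFAULT_RETENTION_DAYS,
                    audit: Optional[List[Dict[str, str]]] = None) -> Tuple[List[str], List[str]]:
    """Return (deleted_ids, kept_ids).  A clip is deleted only if it is older
    than the retention window AND carries no hold; every deletion is logged
    so the retention policy can be evidenced later."""
    if retention_days < 1:
        raise ValueError("retention_days must be at least 1")
    cutoff = now - timedelta(days=retention_days)
    deleted: List[str] = []
    kept: List[str] = []
    for clip in clips:
        if clip.hold_ref is not None:
            kept.append(clip.clip_id)  # on hold: the retention clock is paused
        elif clip.recorded_at < cutoff:
            deleted.append(clip.clip_id)
            if audit is not None:
                audit.append({"clip": clip.clip_id, "action": "delete",
                              "reason": f"older than {retention_days} days"})
        else:
            kept.append(clip.clip_id)  # still inside the default window
    return deleted, kept


def sample_archive(now: datetime) -> List[Clip]:
    """Constructed sample data: three clips of different ages."""
    return [
        Clip("c1", "till-1", now - timedelta(days=2)),
        Clip("c2", "entrance", now - timedelta(days=40)),
        Clip("c3", "yard", now - timedelta(days=60)),
    ]


def demo() -> Tuple[List[str], List[str]]:
    """Sweep with one clip on hold: the 40-day clip goes, the held 60-day clip stays."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
    audit: List[Dict[str, str]] = []
    clips = sample_archive(now)
    place_hold(clips[2], "INC-0042", audit)  # assumed case reference
    return retention_sweep(clips, now, audit=audit)


def demo_after_release() -> List[str]:
    """Same archive after the incident closes: releasing the hold makes the
    old clip eligible for deletion on the next sweep."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    audit: List[Dict[str, str]] = []
    clips = sample_archive(now)
    place_hold(clips[2], "INC-0042", audit)
    release_hold(clips[2], audit)
    deleted, _ = retention_sweep(clips, now, audit=audit)
    return deleted


if __name__ == "__main__":
    print(demo())                # (['c2'], ['c1', 'c3'])
    print(demo_after_release())  # ['c2', 'c3']
```

The design point is that the hold is the only thing that overrides the default window, and it is tied to a case reference rather than being a free-form "keep forever" switch, so a released hold automatically puts the clip back under the normal deletion rule. Run the sweep on a schedule and keep the audit records alongside your retention policy.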
Security: Lock Down Your System
- Restrict access on a “need‑to‑know” basis and keep an access log.
- Use strong passwords, multi‑factor authentication and encrypted storage where available.
- Harden remote access – don’t leave default ports exposed or vendor default credentials in place.
- Vet your vendor and include robust security obligations in your Data Processing Agreement.
- Train your team on handling requests and exporting footage securely.
It’s also wise to plan for the worst. If your system is compromised or footage is leaked, you’ll need a fast, compliant response. A practical Data Breach Response Plan sets out who does what, when to notify the ICO and affected individuals, and how you’ll contain the issue.
Sharing Footage: Police, Insurers And Third Parties
You can share CCTV footage where it’s lawful and necessary – for example, to the police for crime investigation, or to your insurers in relation to a claim.
- Police: Ask for a written request or crime reference number where possible. Only disclose relevant clips and keep a record of what you shared and why.
- Insurers and legal advisers: Limit disclosure to what’s necessary for the claim or legal advice and use secure transfer methods.
- Other third parties: Avoid ad‑hoc sharing (e.g., with neighbouring businesses or on social media). If you do share, you’ll need a clear legal basis, and you should document your decision.
Subject Access Requests (SARs) For CCTV
Individuals have the right to request copies of their personal data. That includes CCTV footage where they appear. You’ll need to verify identity, locate the relevant footage and provide a copy within the statutory timeframe, usually one month.
Two practical issues often arise:
- Third‑party images: You should avoid disclosing other people’s personal data. Use redaction (masking or blurring) or provide stills rather than full clips if necessary.
- Exemptions and refusals: You can refuse or limit disclosure in narrow cases, for example where disclosure would prejudice the prevention or detection of crime. Document your reasoning if you rely on an exemption.
Having a consistent process and wording prepared will save time. Many SMEs adopt a standard subject access request workflow to triage requests, check deadlines and apply redactions properly.
Employees, Audio And High‑Risk Monitoring
Employee monitoring is particularly sensitive. You should be able to justify why you need CCTV in staff areas, and you must tell employees clearly how and when it’s used.
Workplace Monitoring: Be Proportionate
- Avoid placing cameras where people reasonably expect privacy (toilets, changing rooms, prayer rooms). These areas are almost always off‑limits.
- Use the least intrusive option that achieves your purpose. A camera at the till might be justified to prevent theft; one in a break room is harder to justify.
- Keep the employment law angle in mind – our guide on cameras in the workplace covers fairness, consultation and policy issues.
Audio Recording: A Higher Bar
Adding microphones changes the risk profile. Audio can be more intrusive, capture sensitive conversations, and increase the likelihood you’ll record special category data. If you’re considering it, read our dedicated guidance on CCTV with audio and think carefully about whether it’s truly necessary.
Covert Monitoring: Exceptional, Short And Justified
Covert CCTV (without telling people) should be a last resort, used only for a specific, time‑limited investigation where telling people would make it ineffective – and only after considering less intrusive options. Document your justification and switch back to overt monitoring as soon as possible.
Common Pitfalls To Avoid
- Filming beyond your property boundary when you don’t need to (tilt/zoom or mask to avoid overspill).
- Default “record everything” setups with no retention limits.
- Leaving exports on unencrypted USB sticks or sharing via personal email.
- No signage, no policy and no process to handle rights requests.
Key Takeaways
- CCTV footage is personal data if people can be identified, so the UK GDPR and Data Protection Act 2018 will apply to most business systems.
- As the controller, you set the purposes and must get the basics right: a documented lawful basis (often legitimate interests), clear signage and a comprehensive Privacy Policy.
- Map risks and mitigations through a DPIA, especially for large‑scale, public‑facing or staff monitoring, and be extra cautious with audio or any biometric features.
- Set short, justified retention periods, control access tightly and be ready to respond to a SAR with redaction where needed. A standard subject access request process helps.
- Lock down security (MFA, encryption, access logs) and contractually bind your vendors with a strong Data Processing Agreement. Keep a Data Breach Response Plan ready.
- If you’re using cameras around staff, be proportionate, avoid private areas and ensure your workplace notices and policies are crystal clear. See our guidance on cameras in the workplace and, if relevant, CCTV with audio.
If you’d like tailored help setting up compliant CCTV – from signage and policies to DPIAs and vendor contracts – our team can help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.