Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Thinking about installing CCTV at your shop, office or warehouse? You’re not alone - cameras can help deter theft, protect staff and customers, and give you peace of mind.
But the moment your system captures identifiable people, you’re handling personal data. That means UK data protection laws kick in, and you’ll need to balance your security goals with people’s right to privacy.
The good news: with a bit of planning, clear notices and the right paperwork, you can run CCTV lawfully and confidently. This guide walks you through the key rules, the documents you’ll likely need, and common pitfalls to avoid.
What Does UK Law Say About The Right To Privacy And CCTV?
In the UK, the “right to privacy” isn’t a single statute for businesses to follow - it’s a combination of laws and guidance you need to comply with when you use cameras that record people.
- UK GDPR and the Data Protection Act 2018: If your CCTV captures identifiable individuals (staff, visitors, customers, contractors), you’re processing personal data. You must have a lawful basis (usually legitimate interests), be transparent, minimise what you capture, secure the footage and respect people’s rights.
- Human Rights considerations: Article 8 of the European Convention on Human Rights (respect for private life) influences how regulators look at intrusive monitoring - especially in sensitive areas (like toilets or changing rooms) or if monitoring is covert.
- Surveillance Camera Code of Practice: Public authorities must follow it, and private businesses are strongly encouraged to. It sets out principles like necessity, proportionality, transparency and accountability. Following it helps demonstrate you’re acting responsibly.
- Employment law and workplace privacy: If you’re monitoring staff, you should have clear policies, consult where appropriate, and ensure monitoring is proportionate. Employment tribunals take a dim view of secret or excessive surveillance.
As a small business, your CCTV will almost always be justified through “legitimate interests” - preventing crime, protecting assets, ensuring safety. But you still need to show your monitoring is necessary and proportionate (for example, covering entrances and tills rather than filming entire rest areas).
Most controllers must also pay the ICO data protection fee (with some exemptions). Note that the ICO treats CCTV used for crime prevention as falling outside the usual exemptions, so a business running CCTV for that purpose will almost always need to pay. Check whether your business needs to pay the ICO fee at the outset.
Where And How Can Businesses Use CCTV Lawfully?
In simple terms: you can install CCTV on your premises as long as you do it in a way that respects privacy and meets data protection duties. Think of it as a three-part test - necessity, proportionality and transparency.
1) Be Clear On Your Purpose
Write down why you need CCTV (for example, “to deter theft and protect staff at the front-of-house and cash handling areas”). Stick to those purposes and don’t use footage for unrelated reasons.
2) Limit What You Capture
- Position cameras to cover the areas that matter (entrances, tills, stock rooms) and avoid filming more than you need - especially public pavements or neighbouring properties.
- Never place cameras in areas where people reasonably expect a high degree of privacy, like toilets, changing rooms or prayer rooms.
- Use privacy masking if parts of the frame are not necessary (for example, a neighbouring garden or a staff break area).
3) Inform People With Signage And Notices
Transparency is non-negotiable. Put clear, visible signs at entry points and close to cameras. Signs should say that CCTV is in operation, why it is there (its purpose), name your business as the operator, and give contact details. Your full privacy information can live in your Privacy Policy and be accessible on your website or on request.
4) Consider Workplace Specifics
If cameras will capture staff, be open about what you’re monitoring and why. It’s generally acceptable to monitor operational areas (like tills or stock rooms) for security. It’s not acceptable to use cameras to constantly micromanage employees or capture private conversations without a compelling reason. If you’re weighing up installing cameras at work, an impact assessment and a clear policy are your best friends.
Documents, Policies And DPIAs You’ll Likely Need
Getting your paperwork in order shows you’ve thought about privacy from day one - and it’s often required by law. Here’s what to have ready.
Data Protection Impact Assessment (DPIA)
A DPIA helps you assess risks and design your CCTV setup to minimise them. It’s mandatory if your monitoring is likely to be high risk (for example, large-scale monitoring of publicly accessible areas) and is always best practice. Your DPIA should cover:
- What you’re trying to achieve (your purposes)
- What cameras will capture and why that’s necessary
- How you’ll inform people (signage and notices)
- Retention periods and access controls
- Risks to individuals’ rights and how you’ll reduce them (masking, restricted access, shorter retention)
Privacy Notices
Summarise your CCTV processing in clear language. At a minimum, your signage should alert people that CCTV is in use and who to contact. Your full notice is best included in your website’s Privacy Policy, explaining your legal basis, retention, how to make requests, and who you share data with.
Internal CCTV Policy
Set rules for managers and staff. Cover camera placement, live view use, how and when footage can be reviewed, retention, downloading and sharing, and the process for responding to requests from individuals or law enforcement. Make sure staff know misuse can be a disciplinary matter.
Processor Contracts
If a vendor installs, maintains or hosts your system (for example, cloud storage for footage), you’ll need a compliant Data Processing Agreement. It should set out security standards, confidentiality, assistance with data subject rights, and what happens at the end of the contract (deletion/return of footage).
Registers And Logs
Keep simple records: where cameras are, retention settings, who has access, any downloads or disclosures, and when you review whether CCTV is still necessary. A structured toolkit like a Data Protection Pack can help you keep these documents tidy and up to date.
Handling Footage: Retention, Access Requests And Sharing
Once your system is running, day-to-day compliance comes down to how you store, access and share footage.
Retention Periods
Set and document a fixed retention period that fits your purpose. Many businesses choose around 30 days, but shorter is better if you can justify it. Configure the recorder to overwrite or delete footage automatically at the end of that period rather than relying on someone remembering to do it. Only keep footage longer if it’s needed for a specific incident or legal claim - document your reason, record it as a hold on that specific footage, and set a review date.
Access Controls And Security
- Restrict access to trained staff with a business need.
- Use strong passwords and role-based permissions; avoid shared logins. Change any default administrator credentials on the recorder or cameras as soon as they are installed.
- Encrypt storage where possible, and lock down physical DVR/NVR units. Keep the recorder’s firmware updated and don’t expose its remote-access interface directly to the internet; use a VPN or the vendor’s authenticated remote-access service instead.
- Keep an access log (who viewed, downloaded or shared footage, when, and why).
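The retention period and the access log described above are easy to state in a policy but are only useful if the system actually enforces them. The following Python example is added here and is not code from Sprintlaw or from any CCTV vendor; it sketches a retention sweep that respects documented legal holds and flags holds whose review date has passed, plus an access log that refuses actions outside a user’s role or without a recorded business reason. The clip records, hold references, user names and the 30-day figure are all constructed assumptions for the illustration, not real data.

```python
"""Illustrative footage retention and access-log checks (added example, assumed design)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # assumed policy value, matching the "around 30 days" figure

@dataclass(frozen=True)
class Clip:
    clip_id: str
    camera: str
    captured_at: datetime

@dataclass(frozen=True)
class LegalHold:
    clip_id: str
    reason: str          # e.g. a police crime reference or insurer claim number
    review_by: datetime  # date by which the hold must be reconsidered

def select_for_deletion(clips, holds, now):
    """Return (clips past retention and not on hold, holds whose review date has passed).

    A hold never silently expires: an overdue hold is reported for a human decision
    rather than released automatically, so held footage is never deleted by accident.
    """
    held = {h.clip_id for h in holds}
    overdue = [h for h in holds if h.review_by < now]
    to_delete = [c for c in clips
                 if now - c.captured_at > RETENTION and c.clip_id not in held]
    return to_delete, overdue

# Assumed role model: viewers may only watch live/recorded footage; managers may also
# export a copy or share it with a named third party.
ROLE_PERMISSIONS = {"viewer": {"view"}, "manager": {"view", "export", "share"}}

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, action, clip_id, reason, now, recipient=None):
        """Append an entry, refusing anything the role does not permit or that lacks a reason."""
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {action}")
        if not reason.strip():
            raise ValueError("a business reason must be recorded")
        if action == "share" and not recipient:
            raise ValueError("a share must name the recipient")
        entry = {"at": now, "user": user, "role": role, "action": action,
                 "clip_id": clip_id, "reason": reason, "recipient": recipient}
        self.entries.append(entry)
        return entry

    def disclosures(self):
        """Entries that moved footage outside the system, for the disclosure register."""
        return [e for e in self.entries if e["action"] in ("export", "share")]

def demo():
    """Run the checks over constructed sample data and return the results."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time
    days_ago = lambda n: now - timedelta(days=n)
    clips = [Clip("c1", "till-1", days_ago(5)),
             Clip("c2", "entrance", days_ago(40)),
             Clip("c3", "till-1", days_ago(45)),
             Clip("c4", "stockroom", days_ago(60))]
    holds = [LegalHold("c3", "police request, constructed crime ref", now + timedelta(days=30)),
             LegalHold("c4", "insurance claim, constructed ref", days_ago(2))]
    to_delete, overdue = select_for_deletion(clips, holds, now)

    log = AccessLog()
    log.record("sam", "manager", "share", "c3", "police request", now, recipient="Police")
    denied = False
    try:  # a viewer attempting an export is refused and nothing is logged
        log.record("jo", "viewer", "export", "c1", "curiosity", now)
    except PermissionError:
        denied = True
    return to_delete, overdue, log, denied

if __name__ == "__main__":
    to_delete, overdue, log, denied = demo()
    print("delete:", [c.clip_id for c in to_delete])
    print("holds needing review:", [h.clip_id for h in overdue])
    print("disclosures:", log.disclosures(), "viewer export denied:", denied)
```

In a real deployment the same logic would run against the recorder’s file store or API and the log would be written somewhere staff cannot edit, but the two decisions it encodes - never auto-delete held footage, never act without a recorded reason - are what an auditor or the ICO would expect to see evidenced.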
Responding To Data Subject Requests
People have rights over their personal data. If someone asks for copies of footage they appear in, that’s a subject access request. You should:
- Verify their identity before releasing anything.
- Locate the footage using time, date and location they provide.
- Redact or blur other people if reasonably possible, or provide still images.
- Respond without undue delay and within one month. You can extend by up to two further months if the request is complex or you have received several from the same person, but you must tell them within the first month and explain why.
There are limited exemptions (for example, if disclosure would prejudice crime prevention), but you’ll need a clear reason and a written record of your decision either way.
Sharing With Police, Insurers Or Other Third Parties
It’s lawful to share relevant footage with police for crime investigations - ask for a written request or reference to a crime number where possible, and log what you shared and why. For insurers or other third parties, ensure the sharing aligns with your original purpose or another lawful basis, and only disclose the minimum necessary.
International Transfers
If your footage is stored in the cloud, check where the servers are. Transfers outside the UK require appropriate safeguards unless the destination is covered by UK adequacy regulations - for example the ICO’s International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses. Your processor contract should make this clear, including any sub-processors the vendor uses.
Special Cases: Audio, Biometrics And Covert Monitoring
Some surveillance features create higher privacy risks. Treat these carefully and assume the legal bar is higher.
Audio Recording
Audio can be more intrusive than video. In most retail or office settings it won’t be necessary, and you should disable it. If you believe it’s essential (for example, in a high-risk cash handling booth), carry out a DPIA and be absolutely transparent. Our guide on CCTV with audio explains the added risks and how to manage them.
Recording Conversations
Capturing private conversations raises legal and ethical issues. Avoid using CCTV to record speech. If your business has a specific need to record calls or conversations (for instance, in a contact centre), different rules apply and you’ll need tailored notices, policies and technical safeguards. See our overview on whether you can record conversations for the key considerations.
Biometric Systems
Facial recognition and fingerprint clocking-in systems process biometric data used to uniquely identify people, which is special category data and highly regulated. You’ll need a lawful basis plus a separate condition for special category data, strict necessity, and additional safeguards. In a workplace, consent is rarely a reliable condition because staff cannot freely refuse, so these systems often won’t be justifiable in small business settings. If you are exploring biometrics, carry out a robust DPIA, offer a non-biometric alternative, and consider options with less impact.
Covert Monitoring
Secretly filming staff or customers is only justifiable in exceptional circumstances - for example, where there’s a reasonable suspicion of serious criminal activity and overt monitoring would prejudice the investigation. Even then, it should be tightly targeted, time-limited, and never in private areas. Get legal advice first and document your decision-making.
Workplace Monitoring Beyond CCTV
CCTV often sits alongside other monitoring (like internet logs or device management). Each tool brings its own privacy risks. Make sure your staff policies explain what you monitor and why, and that any monitoring is proportionate and authorised. If you also provide work phones or operate a BYOD program, align your approach with UK GDPR and employment best practice.
Key Takeaways
- Using CCTV on your premises is lawful if you meet UK GDPR and Data Protection Act duties - be clear on your purposes, minimise what you capture, and be transparent with signage and notices.
- “Legitimate interests” is usually the lawful basis for small business CCTV, but you must assess necessity and proportionality and record your decision (a DPIA is best practice and sometimes mandatory).
- Post clear signs, set sensible retention periods (often around 30 days), restrict access, and keep simple logs of viewing, downloads and disclosures.
- Include your CCTV information in your public-facing Privacy Policy, and have an internal CCTV policy setting out who can access footage and how to handle requests.
- Put proper contracts in place with vendors who install or host your system - a compliant Data Processing Agreement is essential.
- Be ready to handle access requests: verify identity, locate footage, and redact third parties where reasonable. Keep to the one‑month timeline.
- Avoid audio recording unless you can justify it with a strong DPIA and clear notices; treat biometrics and any covert monitoring as high‑risk and get advice first.
- Don’t forget your controller obligations - many businesses must pay the ICO data protection fee, maintain records and keep documents up to date, which a Data Protection Pack can help organise.
If you’d like tailored help setting up CCTV in a way that protects your business and respects privacy, our team can help with impact assessments, signage, policies and contracts. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.