Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Thinking about installing CCTV at your premises? It’s a smart move for security, loss prevention and staff safety - but in the UK, CCTV is tightly regulated. If you’re capturing images of people (customers, staff, visitors or contractors), you’re handling personal data. That means UK GDPR and the Data Protection Act 2018 apply, along with sector-specific rules and guidance from the Information Commissioner’s Office (ICO).
Don’t stress - with the right setup, signage and policies, you can use CCTV lawfully and confidently. In this guide, we’ll walk through the key CCTV laws UK businesses need to know, what you can and can’t film, the steps to get compliant, and the documents you should have in place from day one.
What Are The CCTV Laws UK Businesses Must Follow?
If your CCTV can identify individuals, you are a “data controller”. The main laws and standards that apply are:
- UK GDPR and the Data Protection Act 2018 - covering lawful basis, transparency, security, retention and people’s rights.
- ICO guidance on video surveillance - practical expectations for signage, privacy impact assessments, access controls and audits.
- Employment law and privacy expectations - especially if cameras cover staff work areas or you’re monitoring performance or conduct.
- Sector rules - for example, licensing conditions for hospitality venues may reference CCTV requirements.
At a high level, your CCTV must be necessary and proportionate. You need a clear, legitimate reason (like preventing theft or protecting staff), and you must minimise the privacy impact where possible.
Choose Your Lawful Basis
Most UK businesses rely on “legitimate interests” as the lawful basis for CCTV - for instance, preventing crime or ensuring health and safety. To rely on this basis, you should carry out a Legitimate Interests Assessment (LIA) to balance your business needs against people’s privacy rights, and record the outcome.
Complete A DPIA (Data Protection Impact Assessment)
A Data Protection Impact Assessment (DPIA) is strongly recommended (and often expected by the ICO) before you switch the cameras on. It documents what you’re recording, why you need it, risks to individuals, and how you’ll mitigate those risks (e.g. signage, masking private areas, restricted access, limited retention). A well-prepared DPIA is one of the best ways to demonstrate compliance if the ICO ever asks.
Register And Pay The ICO Data Protection Fee
Most businesses using CCTV will need to pay the ICO’s data protection fee. Some are exempt, but don’t assume you are - check carefully. If you think you might be exempt, it’s worth reading up on ICO fee exemptions and documenting your reasoning.
Do You Need To Notify People And Get Consent?
You do need to tell people they’re being recorded. You don’t generally need consent for business CCTV - legitimate interests is usually more appropriate - but transparency is non-negotiable.
Use Clear, Prominent Signage
Place signs at the entrances and in visible spots before people enter monitored areas. The signs should be easy to read and include:
- A statement that CCTV recording is in operation.
- Your business name (the data controller).
- The purpose (e.g., “for crime prevention and safety”).
- Contact details or a link to your privacy information.
Back up your signs with an accessible Privacy Policy that explains how footage is used, retained and shared, and how people can exercise their rights.
Be Extra Careful With Audio Recording
Audio is far more intrusive than video and attracts closer scrutiny. Only record audio if it’s strictly necessary and proportionate, and document why in your DPIA. In most retail or office environments, continuous audio recording is hard to justify. For more on this, see our guide to CCTV with audio.
Employee Expectations And Monitoring
Filming staff areas brings additional risks. You should be transparent with employees, explain the purpose, and avoid filming areas where people expect privacy (e.g. toilets or changing rooms). If cameras feed into disciplinary processes or performance management, ensure your staff policies cover monitoring and that your approach is fair and proportionate. It’s also wise to understand what’s permitted regarding workplace monitoring generally.
Where Can You Place Cameras - And Where Is Off-Limits?
Placement is a big part of compliance. Even with a valid purpose, cameras must be sited and configured to minimise impact.
Allowed Locations (With Care)
- Entrances/exits, shop floors, car parks and stockrooms, if you need footage for safety and security.
- Customer service areas where incidents may occur.
- Perimeters and external areas to deter trespass and theft.
High-Risk Or Prohibited Areas
- Toilets, showers, changing rooms - generally prohibited due to extremely high privacy expectations.
- Break rooms and staff-only spaces - avoid unless you can justify necessity and there’s no less intrusive option.
- Public-facing windows or neighbouring premises - angle or mask cameras to avoid capturing areas you don’t need.
If you operate in a workplace setting, it’s worth reviewing the practicalities and limits set out in our overview of cameras in the workplace so you’re striking the right balance.
Covert CCTV
Covert filming is rarely justified and should only be used for short periods to investigate serious misconduct or criminal activity where informing people would prejudice the investigation. This needs a very careful DPIA, strict access controls and senior sign-off - and you should seek legal advice before proceeding.
How Long Can You Keep Footage And Who Can See It?
Under UK GDPR, you mustn’t keep personal data longer than necessary. That applies to CCTV footage too.
Set A Clear Retention Period
Many businesses set 14–31 days as a default retention period, extending only if footage is needed for a live investigation or insurance claim. Whatever you choose, record it in your DPIA and privacy documentation, implement automatic deletion where possible, and stick to it.
Secure Access And Storage
- Restrict access to a small number of trained staff on a genuine need-to-know basis.
- Password-protect systems, enable multi-factor authentication where available, and keep software/firmware updated.
- Encrypt storage, and secure any cloud accounts used by your CCTV provider.
- Maintain an audit trail for viewing, copying and exporting footage.
Third Parties And Processors
If a provider hosts your system, stores footage, or maintains cameras with access to data, they’re a “processor”. You must put a compliant Data Processing Agreement in place, setting out security standards, breach notification and sub-processor controls. For a broader privacy toolkit - including DPIA templates and policy drafting - many small businesses opt for a Data Protection Pack so they’re covered from day one.
Responding To Requests For Footage (SARs)
Individuals have the right to access personal data that relates to them, which can include CCTV footage where they are identifiable. You’ll need a process to locate footage, verify identity and respond on time - usually within one month. There are limited exemptions, for example where disclosure would reveal other people’s identities (you may need to blur third parties). If SARs concern you, it’s smart to get familiar with SAR deadlines and to have a consistent playbook for handling requests.
What Policies, Signs And Documents Do You Need?
Having your paperwork in order is just as important as the cameras themselves. It proves you’ve thought through the risks and are meeting your obligations.
Essential Documentation Checklist
- DPIA (and Legitimate Interests Assessment) covering purpose, necessity, risks and mitigations.
- CCTV signage, designed to ICO expectations and displayed at entry points.
- Privacy information - typically your public-facing Privacy Policy plus internal procedures.
- Internal CCTV policy - who can access the system, how to handle exports, retention and deletion rules.
- Processor contracts - a robust Data Processing Agreement with your CCTV/install/hosting provider if they can access footage.
- Incident response steps - who to notify if there’s a security incident or personal data breach.
- Staff training - short, practical training on handling footage, access control and SARs.
Employment Contracts And Staff Policies
If cameras monitor staff areas, align your approach with your employment documentation and disciplinary processes. This can sit inside your staff handbook along with related policies (e.g., acceptable use, conduct and privacy). Clear documentation avoids surprises and builds trust.
Special Cases: Body-Worn, Vehicle And Audio
- Body-worn cameras: used in some sectors for frontline safety. Switch them on only when necessary, with clear pre-recording alerts and signage, and keep footage tightly controlled.
- Vehicle dashcams: legitimate for fleet safety, but avoid recording staff continuously without strong justification. Update your privacy information accordingly.
- Audio: only where necessary and proportionate - continuous audio in shops or offices is hard to justify. Revisit our note on audio risks.
Common Pitfalls And How To Avoid Them
Even well-intentioned setups can fall short. Here are the traps we see most often - and how to fix them early.
No Clear Purpose Or Lawful Basis
“Everyone else has CCTV” isn’t a lawful basis. Define your purpose clearly (e.g., deter theft at tills, protect staff during late shifts) and document your legitimate interests analysis in your DPIA.
Inadequate Signage And Privacy Information
Buried notices or tiny signs won’t do. Make signage prominent and simple, and make sure your Privacy Policy actually covers CCTV: legal basis, retention, who you share footage with, and how people can make requests.
Overly Intrusive Placement Or Settings
Zoomed-in views of tills might capture card details; ceiling cameras might cover private areas by accident. Use privacy masking, adjust angles, and keep the field of view to what’s strictly necessary. If in doubt, revisit your DPIA and consider alternatives.
Excessive Retention
Keeping footage “just in case” for months will be hard to defend. Set a realistic retention period aligned to your purpose (e.g., typical complaint cycles or investigation windows) and implement automatic deletion.
Weak Security And Supplier Contracts
Default passwords, outdated firmware and weak supplier agreements are a recipe for breaches. Lock down access, mandate updates, and ensure a proper processor agreement with any vendor that can access your system or footage.
Using CCTV For Disciplinary Issues Without A Fair Process
If you plan to rely on footage in staff matters, make sure your approach is fair, transparent and consistent with employment policies. Consider how your disciplinary procedures interact with surveillance, and avoid surprises that could undermine trust or create legal risk.
Confusing CCTV With Other Monitoring
CCTV is only one part of the picture - you might also use access logs, vehicle telematics, or IT monitoring. The legal tests are similar (necessity, transparency, proportionality), and it’s wise to address them together in your privacy framework. If you’re exploring broader monitoring, revisit our guidance on IT monitoring and ensure your policies are aligned.
Step-By-Step: How To Roll Out CCTV Legally
If you’re just getting started, here’s a practical sequence to follow.
- Define Your Purpose: Be specific (e.g., deter shoplifting at exits, secure warehouse perimeters). Avoid vague, catch-all justifications.
- Map The System: Draw camera locations, fields of view, data flows (local NVR or cloud), and who will access footage.
- Carry Out A DPIA: Assess necessity, alternatives, risks and mitigations. Record your lawful basis (likely legitimate interests) and complete an LIA.
- Design Signage And Privacy Info: Prepare clear signs and update your Privacy Policy to cover CCTV. Include contact details for rights requests.
- Choose A Trusted Supplier: Vet security practices, hosting locations, support, and updates. Put a Data Processing Agreement in place if they can access footage.
- Configure For Privacy: Use masking, sensible frame rates and resolutions, and restrict angles to what’s needed. Turn off audio unless truly necessary.
- Set Retention And Access Controls: Configure automatic deletion, role-based access, logs for exports, and encryption.
- Train Your Team: Brief relevant staff on access rules, exports, incident handling and responding to data rights requests. Keep a simple SOP.
- Pay The ICO Fee: Confirm whether you need to pay, and if you think you’re exempt, document why (and review annually).
- Review Annually: Revisit your DPIA, signage, vendor updates and retention policy. Adjust as your risks change.
CCTV And Complaints, Investigations Or Insurance Claims
When something goes wrong, footage can be crucial - but don’t cut corners to “save” it. If an incident occurs:
- Export the relevant clip securely and store it in a controlled folder, noting who accessed it and why.
- Share with insurers or the police on a need-to-know basis only, and record who you shared it with.
- Don’t extend retention for all cameras - just isolate the clips you genuinely need for the case.
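The retention and incident-handling points above (a fixed retention window with automatic deletion, isolating only the clips a live case needs, and logging who exported footage and to whom) can be enforced in the footage index rather than left to memory. The following is an added illustration, not code from the original post or from any CCTV product; the 30-day period, the clip index and the incident reference are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 30  # assumed policy value, inside the 14-31 day range discussed above


@dataclass
class Clip:
    clip_id: str
    camera: str
    recorded_at: datetime
    hold_reason: Optional[str] = None  # set only when a clip is isolated for a case


@dataclass
class Audit:
    """Append-only trail of holds and exports: who, what, why."""
    entries: list = field(default_factory=list)

    def log(self, action: str, clip_id: str, user: str, detail: str) -> None:
        self.entries.append({"at": datetime.now(timezone.utc), "action": action,
                             "clip": clip_id, "user": user, "detail": detail})


def place_hold(clip: Clip, reason: str, user: str, audit: Audit) -> None:
    """Isolate one clip for a live case instead of extending retention on every camera."""
    clip.hold_reason = reason
    audit.log("hold", clip.clip_id, user, reason)


def record_export(clip: Clip, user: str, recipient: str, audit: Audit) -> None:
    """Sharing with police or insurers is need-to-know: record who received it."""
    audit.log("export", clip.clip_id, user, f"shared with {recipient}")


def retention_sweep(clips, now: datetime, retention_days: int = RETENTION_DAYS):
    """Return ids due for deletion: older than the cutoff and not under hold."""
    cutoff = now - timedelta(days=retention_days)
    return [c.clip_id for c in clips
            if c.recorded_at < cutoff and c.hold_reason is None]


# Constructed sample index: two old till clips, one recent exit clip
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE = [Clip("c1", "till-1", NOW - timedelta(days=45)),
          Clip("c2", "till-1", NOW - timedelta(days=40)),
          Clip("c3", "exit", NOW - timedelta(days=5))]


def demo():
    audit = Audit()
    place_hold(SAMPLE[0], "incident INC-0001 (constructed reference)", "manager", audit)
    record_export(SAMPLE[0], "manager", "insurer", audit)
    return retention_sweep(SAMPLE, NOW), audit  # only c2 is deleted; c1 held, c3 in window
```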
If you often need to share footage with outsourced security or facilities providers, think about whether that relationship needs a formal service level agreement alongside your processor terms so responsibilities are crystal clear.
Key Takeaways
- UK businesses using CCTV are handling personal data - UK GDPR and the Data Protection Act 2018 apply, and you should complete a DPIA and choose a clear lawful basis (often legitimate interests).
- Be transparent: use clear signage at entry points, update your public-facing Privacy Policy to explain CCTV, and avoid audio recording unless it’s truly necessary and proportionate.
- Place cameras carefully: avoid private areas, minimise what you capture, and configure masking and retention so you’re only keeping what you need for as long as you need it.
- Lock down access and suppliers: restrict internal access, keep systems patched, and put a robust Data Processing Agreement in place with any provider that can access footage.
- Prepare for rights requests: have a process for SARs, with timelines and verification steps, and know when you may need to blur third parties.
- Align with employment documentation: if staff areas are in scope, ensure your policies are transparent and fair, and understand the extra risks around workplace monitoring.
- Document everything: your DPIA, LIA, signage, retention, access controls and training are your evidence that your CCTV is necessary, proportionate and compliant.
If you’d like tailored help setting up CCTV the right way - from drafting your DPIA and Privacy Policy to putting processor contracts in place - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.