Is Your CCTV UK GDPR Compliant? A Practical Checklist


As experienced suppliers of a vast range of commercial and domestic CCTV installations, the Clearway team often deals with privacy queries. There are laws to be aware of whether you are:

  • Installing a new CCTV surveillance system.
  • Verifying whether an existing installation is compliant.
  • Planning to add new cameras or reposition your current ones.

To help you identify whether your CCTV is compliant with the laws and restrictions that apply, we have created this checklist to work through all the essential factors.

If you have any doubts about the legality of a surveillance installation, it remains strongly advisable to seek advice from our qualified team of professional CCTV installers.

 

Key Takeaways

  • Any business, organisation or public building that uses CCTV needs to adhere to rules and legislation around data privacy – letting people know they are potentially being recorded and ensuring you have the right measures to demonstrate full compliance.
  • Action may be needed even if you have used a CCTV system for a long time, for example if you are revisiting your camera placements, changing your surveillance policy, or upgrading your security system and cameras.
  • While the UK has now left the EU, it has officially retained UK GDPR as a domestic law with regular framework reviews. Similar controls are enforced through the Data Protection Act 2018.

What Laws Does My CCTV Need to Comply With?

Many businesses consult with the Clearway team about GDPR (the General Data Protection Regulation), but this original legislation is an EU law. The UK government has retained the regulation in a UK format alongside the most recently updated version of the Data Protection Act (DPA).

Regardless of whether you installed CCTV before or after Brexit, you must comply with the DPA, which has similar requirements and limitations on how you record people and manage their data.

These mandatory requirements stipulate that you should have written documentation detailing your CCTV policy, explaining how you store and manage videos and photos, and showing how you comply with the privacy regulations.

Essentially, any information – including images – that allows an individual to be identified must be compliant. For example, if your workplace CCTV shows employees, visitors, delivery drivers or registration number plates, it is collecting personal data.

Therefore, every CCTV system owner needs to follow the guidelines to ensure compliance and avoid violating data privacy rules.

UK GDPR and the Data Protection Act 2018

The UK retained GDPR as domestic law after leaving the EU, enforced alongside the Data Protection Act 2018. Both require you to have a lawful basis for recording, display signage, implement access controls, and respond to subject access requests.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act became law on June 19, 2025, and directly amends UK GDPR.

The DUAA introduces stronger safeguards around automated decision-making (including AI-powered surveillance like facial recognition) and clarifies data sharing rules.

If your CCTV system uses AI features like facial recognition, automatic number plate recognition (ANPR), or body-worn video (BWV), you must now comply with additional requirements under the DUAA.

The ICO is actively reviewing its guidance on these technologies.

ICO Surveillance Camera Guidance

The ICO publishes specific guidance on surveillance cameras, including the Surveillance Camera Code of Practice.

This code applies to CCTV used by public authorities and private organisations in public spaces. It covers proportionality, transparency, and accountability requirements.

The code recommends conducting a Legitimate Interests Assessment (LIA) when relying on legitimate interests as your lawful basis, which we’ll cover in detail below.

The penalties for non-compliance are severe – the Information Commissioner’s Office (ICO) can levy a fine of 4% of a business’s turnover up to a maximum of £17.5 million for serious breaches of data protection law.

Do You Have CCTV Surveillance Signs in Place?

You cannot record anybody without their knowledge. Signs must accompany every CCTV installation on any premises to ensure that everybody entering the site knows they may be recorded.

However, signage is also necessary to ensure that everybody has the right to exercise control over the data collected about them.

You might receive a request to share footage with the individual or to delete that information, so they need to know that the surveillance has taken place and how you will use it.

For workforces, it is recommended you:

  • Erect signs advising that CCTV recording takes place.
  • Create a CCTV policy or include it in your privacy policy.

Installing signage is a great way to notify employees or site users about your surveillance and can also deter criminal activity like theft or trespass. The College of Policing states that studies have shown that crime decreases by 13% in areas with live CCTV and by a greater extent when considering only vehicle and property crime.

Have You Explained Why CCTV Recording Is In Place?

Data protection rules require you to explain why you have a CCTV system. There are six bases on which you can justifiably use personal data collected through a surveillance installation.

These six categories are the lawful reasons for processing personal data, and each might apply to a different scenario, such as the following:

  • Individual contracts, where you supply services or goods to another party and require surveillance capture as part of the service contract.
  • Legal compliance when you are obligated to capture data.
  • Vital interests, where the information collected is required to protect the subject’s well-being or other parties.
  • Public tasks, such as governmental security, school surveillance systems, or police CCTV captures.
  • Legitimate interests, which apply to private organisations where they have a viable reason to collect information, including for commercial benefit.

The key factor is that CCTV data collection must have a stated purpose, and the benefit cannot be outweighed by the rights of each person to privacy.

In public spaces, CCTV signage can include a brief explanation of the purpose of the installation to meet this requirement – for example, because it is used for public safety reasons.

Legitimate Interests (Most Common for Business CCTV)

Most businesses rely on legitimate interests as their lawful basis for CCTV.

This applies when you have a genuine commercial reason to collect footage (such as preventing theft, protecting staff safety, or securing premises) and the benefit to your business is proportionate to the privacy impact on individuals.

However, you cannot simply declare legitimate interests and move on. You need to document your reasoning through a Legitimate Interests Assessment (LIA).

When You Need a Legitimate Interests Assessment

An LIA is a three-part test you must document:

1. Purpose test: Do you have a legitimate interest in using CCTV? (e.g., preventing theft, ensuring staff safety)

2. Necessity test: Is CCTV necessary to achieve that purpose, or could you use a less intrusive method?

3. Balancing test: Does your interest outweigh the privacy rights of the people being recorded?

If you pass all three tests, legitimate interests is likely your lawful basis. Keep the LIA documented and available for ICO audits.

Consent is rarely appropriate for business CCTV because it must be freely given. Employees and visitors cannot realistically refuse consent and still enter your premises, so consent fails the “freely given” test.

Do You Have Controls in Place to Restrict Access to CCTV Footage?

Businesses will need to appoint a Data Controller as the person (or named people) responsible for managing the storage and use of personal information captured through CCTV.

You need to ensure that:

  • Data is only accessible to appropriate individuals, such as managers or security staff.
  • CCTV is secured and only viewed by people with permission.
  • The information is stored safely and with adequate security.

Some options include storing footage in locked cupboards, implementing access controls on digital files, or encrypting CCTV footage.

Encryption, RBAC, and Audit Logging

Data protection regulators now expect modern security measures for CCTV systems, not just physical locks. Under Article 32 of UK GDPR (security of processing), you must implement “appropriate technical and organisational measures” to protect personal data.

That means:

Encryption: CCTV footage should be encrypted both in transit (when moving between cameras and storage) and at rest (when stored on hard drives or cloud servers). This protects footage if storage devices are stolen or accessed without authorisation.

Role-Based Access Control (RBAC): Implement digital access controls that restrict who can view footage based on their role. For example, security managers might have full access, while shift supervisors can only view specific camera zones. Every access attempt should require authentication.

Audit Logging: Your system should automatically log who accessed which footage, when, and for what purpose. Audit trails are essential if you need to investigate a suspected data breach or respond to an ICO inquiry.

Simply storing footage in “locked cupboards” no longer meets ICO expectations for organisations processing CCTV at scale. If you’re running a multi-camera system, encryption and RBAC should be standard.
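
The RBAC and audit-logging controls described above can be sketched in a few lines. This is an added example, not code from Clearway or any CCTV product: the role names, zone names, users and the `request_clip` function are assumptions, and the hash-chained log goes slightly beyond the text to show how an audit trail can be made tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed policy, modelled on the roles named above: "*" means every zone.
ROLE_ZONES = {
    "security_manager": {"*"},
    "shift_supervisor": {"loading_bay", "shop_floor"},
}
USERS = {"amara": "security_manager", "ben": "shift_supervisor"}  # constructed

audit_log = []  # append-only; each entry carries the hash of the previous one


def _append(record):
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    audit_log.append({"record": record, "prev": prev, "hash": digest})


def request_clip(user, authenticated, zone, clip_id, purpose):
    """Decide one access attempt and log it, whether allowed or denied."""
    zones = ROLE_ZONES.get(USERS.get(user), set())  # unknown user: no zones
    if not authenticated:
        reason = "not_authenticated"
    elif not purpose.strip():
        reason = "no_purpose_given"
    elif "*" not in zones and zone not in zones:
        reason = "zone_not_permitted_for_role"
    else:
        reason = None
    _append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user, "zone": zone, "clip": clip_id,
        "purpose": purpose, "allowed": reason is None, "reason": reason,
    })
    return reason is None


def verify_log():
    """Recompute the chain; an edited entry, or one removed mid-log, breaks it."""
    prev = "0" * 64
    for entry in audit_log:
        body = json.dumps(entry["record"], sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Denied attempts are logged alongside granted ones, so the trail records who tried to view footage outside their role as well as who succeeded.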

Appointing a Data Controller

Every organisation using CCTV must designate a Data Controller—the person or team responsible for ensuring compliance with data protection law. The Data Controller oversees how footage is collected, stored, accessed, and deleted.

Larger organisations or those processing sensitive data (such as healthcare facilities or schools) may also need to appoint a Data Protection Officer (DPO) under Article 37 of UK GDPR.

Handling CCTV Footage Requests (Subject Access Requests)

People recorded on your CCTV can ask for a copy of footage that contains their personal data. This is usually done through a Subject Access Request (SAR), and you should be ready to handle it in a consistent, documented way.

Start by logging the request and confirming what the person needs. It helps to ask for details like the date, time window, location on site, and a description of what they were wearing or which entrance they used, so you can find the right clip quickly.

You must respond without undue delay and within one month of receiving the request. If the request is complex, you can extend by up to two more months, but you should tell the person within the first month and explain why.

When you share footage, you still need to protect other people’s privacy. If other individuals appear in the clip, you may need to blur or mask them, or offer a viewing option instead of providing a copy if that works for the requester.

If you’re running monitored surveillance, temporary coverage, or CCTV on higher-risk sites, it helps to have a clear escalation route for SARs so requests do not get lost between security and operations.

Practical checklist for CCTV SARs

  • Record the request date and confirm the deadline (one month, unless extended).
  • Verify identity if needed, then ask for specifics to narrow the search (time, place, description).
  • Locate and export the footage securely, keeping an audit trail of who accessed it.
  • Redact third parties where required (blurring, masking, solid fill).
  • Provide the footage (or arrange a viewing if agreed), and document what you disclosed and why.
  • If you refuse or limit disclosure due to a valid exemption, document the rationale and respond clearly to the individual.

Do You Delete CCTV Footage Regularly?

The next consideration is a retention period, after which the CCTV files and the information they contain are deleted.

Ideally, you should outline how often that takes place in your privacy policy or CCTV policy.

The law states that you should only keep information for ‘as long as necessary’, which is discretionary. The best approach to determine the appropriate retention period is to consider why you collect the data.

Most CCTV surveillance is deleted every 14 or 30 days.

Do You Have a Data Protection Impact Assessment in Place?

A DPIA acts as a risk assessment for data processing and ensures that you have mitigated any risks that could potentially impact the individuals being recorded.

Non-compliance can be serious business, and the fines can be extremely high.

Therefore, it is essential to work through these checkpoints and seek a professional consultation if you have any concerns about whether your CCTV is data protection compliant.

Your CCTV Compliance Action Plan

CCTV compliance comes down to controls you can prove on request: a clear purpose, visible signage, a documented lawful basis, restricted access, a defined retention period, and a DPIA where privacy risk is higher.

Next, do a short walk-through audit and match it to your paperwork. Check each camera view, confirm your policy reflects reality, and make sure you can handle footage requests and workplace monitoring scenarios.

Finally, lock in the two areas that usually trip people up: deletion and upkeep. Align your storage window with how long you should keep CCTV footage, and keep the system reliable.

If you’re changing or adding coverage, Clearway can help you plan it cleanly using the CCTV installation checklist. For site-specific advice, contact our team.

Frequently Asked Questions

Is CCTV footage personal data under UK GDPR?

Yes. Under UK GDPR and the Data Protection Act 2018, CCTV footage counts as personal data if it can identify an individual through their face, clothing, physical features, or vehicle registration plate.

Any organisation processing identifiable CCTV footage must comply with data protection law, including having a lawful basis, displaying signage, and responding to subject access requests.

What should CCTV signs include in the UK?

Signs should clearly say CCTV is in operation, why it’s used, and who to contact for questions or requests. The goal is transparency before someone enters the recorded area.

What lawful basis should a business use for CCTV?

Most businesses rely on legitimate interests, as consent is difficult to make meaningful in public or workplace settings. You should document the purpose and show it is proportionate to privacy impact.

When is a DPIA required for CCTV?

You should complete a DPIA when CCTV is likely to create high risk to people’s rights, such as monitoring staff or recording in sensitive areas. If high risks can’t be reduced, you may need to consult the ICO before using the system.

How long can you legally keep CCTV footage in the UK?

UK GDPR requires you to keep footage only “as long as necessary” for the purpose you collected it. Most businesses delete CCTV footage after 14 to 30 days unless there’s a specific reason to retain it longer (such as an ongoing investigation or legal claim). Document your retention period in your CCTV policy and enforce it consistently.

Do I need to register my CCTV with the ICO?

Yes. If you process personal data as part of your business (including CCTV footage), you must register with the ICO and pay an annual data protection fee. The fee ranges from £40 to £2,900 depending on your organisation’s size. You can register at ico.org.uk. Failure to register is a criminal offence.

The Clearway Team

Clearway is one of the UK’s most successful, innovative and rapidly expanding integrated security services and intelligent protection organisations – designed to protect people, property and assets.
