CCTV and GDPR: What Every UK Business Needs to Know Before Installing Security Cameras

By Slam Systems

Jun 05 2023


If your business operates CCTV cameras — whether in a retail unit, office, car park, or hotel — you are processing personal data. Under UK GDPR and the Data Protection Act 2018, that means you have legal obligations before, during, and after the installation. Getting them wrong does not just risk an ICO fine; it can make your footage inadmissible as evidence when you actually need it.

This guide covers the key compliance requirements for business CCTV in the UK, explains where businesses most commonly fall short, and sets out what a properly compliant installation looks like. It is written for business owners and facilities managers, not lawyers — with practical steps rather than legal theory.

Why CCTV is a GDPR Issue

CCTV cameras capture images of identifiable people. Under UK GDPR, an image of an identifiable person is personal data. That means the moment your camera captures a face, a vehicle registration plate, or any other identifier, the data protection rules apply.

This is not a technicality. The Information Commissioner's Office (ICO) is the UK's data protection regulator, and it takes business CCTV seriously. The ICO has issued guidance specifically for organisations using surveillance cameras, and it inspects premises, investigates complaints, and issues enforcement notices where businesses fall short.

The good news is that compliant CCTV is not complicated. The requirements are clear and, in most cases, straightforward to meet — especially when compliance is built into the system from the start.

Establishing a Lawful Basis

The first step before operating any CCTV system is establishing a lawful basis for processing the personal data it captures. For most businesses, the appropriate basis is legitimate interests: you have a genuine, reasonable purpose for the surveillance (crime prevention, safety, protection of assets) that is proportionate and does not override the privacy rights of the individuals being filmed.

To rely on legitimate interests, you should carry out a Legitimate Interests Assessment (LIA) — a short documented exercise that asks three questions: What is the purpose? Is it necessary? Does the legitimate interest override individuals' rights?

For most commercial CCTV — cameras in a retail unit, office reception, or car park — this assessment will clearly support the use of CCTV. But the assessment needs to be done and documented, not simply assumed.

Signage: The Most Visible Requirement

One of the most common compliance failures for business CCTV in the UK is inadequate signage. UK GDPR requires that people are informed when they are being recorded. The practical way to meet this requirement is to display clear signs at every point where a person would enter the area covered by cameras.

Compliant CCTV signage should include:

  • The name and contact details of the organisation operating the CCTV
  • The purpose for which the cameras are being used (crime prevention, safety)
  • Contact details for data protection queries or subject access requests
  • Reference to the organisation's privacy notice if further information is available

Signs do not need to be large or disruptive. A clearly legible notice at eye level at the entrance to a monitored area is sufficient. What is not sufficient is a small generic sticker that says "CCTV in operation" with no further information.

Data Retention: How Long Can You Keep Footage?

UK GDPR's data minimisation principle means you should not keep personal data for longer than necessary. For CCTV footage, this means defining a retention period and sticking to it.

There is no single legal requirement for how long to keep business CCTV footage in the UK. The appropriate period depends on the purpose and the nature of the business. Common guidance is:

  • Standard commercial premises (retail, offices): 30 days is the widely accepted norm. This provides enough time for incidents to be reported and investigated, while not retaining footage unnecessarily long.
  • High-value or high-risk premises: Up to 90 days may be justifiable where the risk profile warrants it.
  • Specific incidents: Footage relating to a known or reported incident should be retained for as long as necessary for investigation, legal proceedings, or insurance purposes — potentially much longer than the standard retention window.

Most modern IP recording systems can be configured to overwrite footage automatically after the defined retention period. This configuration should be documented and should form part of your system's data protection records.
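As an added illustration of the retention mechanics described above (example code written for this article, not software from Slam Systems or from any recorder vendor): a small Python retention job that applies the 30-day default, exempts footage under an incident hold, refuses to delete anything it cannot classify, and produces an audit record to keep with the system's data protection documentation. The filename layout, the hold structure, the hold reference and the sample files are assumptions constructed for the example.

```python
"""Retention enforcement for a CCTV footage store (added example, assumptions marked)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

STANDARD_RETENTION_DAYS = 30   # the norm the article gives for standard premises
STAMP_FORMAT = "%Y%m%dT%H%M"   # assumed filename timestamp layout: <camera>_<stamp>.<ext>


@dataclass(frozen=True)
class Segment:
    camera: str
    recorded_at: datetime
    path: str


@dataclass(frozen=True)
class Hold:
    """Incident hold: footage from this camera inside the window is exempt from overwrite."""
    hold_id: str
    camera: str
    start: datetime
    end: datetime


def parse_segment(name: str) -> Optional[Segment]:
    """Decode '<camera>_<YYYYmmddTHHMM>.<ext>'; return None if the name does not fit."""
    stem = Path(name).stem
    if "_" not in stem:
        return None
    camera, stamp = stem.rsplit("_", 1)
    try:
        recorded_at = datetime.strptime(stamp, STAMP_FORMAT)
    except ValueError:
        return None
    return Segment(camera, recorded_at, name)


def is_held(seg: Segment, holds) -> bool:
    """True when any hold covers this camera at the time the segment was recorded."""
    return any(h.camera == seg.camera and h.start <= seg.recorded_at <= h.end for h in holds)


def plan_retention(names, holds, now, retention_days=STANDARD_RETENTION_DAYS):
    """Classify every file: 'retain' (inside the window), 'held' (older but under a hold),
    'delete' (older, no hold), 'unclassified' (undecodable name: never deleted blindly)."""
    cutoff = now - timedelta(days=retention_days)
    plan = {"retain": [], "held": [], "delete": [], "unclassified": []}
    for name in names:
        seg = parse_segment(name)
        if seg is None:
            plan["unclassified"].append(name)
        elif seg.recorded_at >= cutoff:
            plan["retain"].append(seg)
        elif is_held(seg, holds):
            plan["held"].append(seg)
        else:
            plan["delete"].append(seg)
    return plan


def audit_lines(plan, now, retention_days=STANDARD_RETENTION_DAYS):
    """Human-readable record of the run, to file with the data protection records."""
    lines = [f"{now.isoformat()} retention run, window {retention_days} days"]
    for seg in plan["delete"]:
        lines.append(f"  deleted  {seg.path}")
    for seg in plan["held"]:
        lines.append(f"  held     {seg.path}")
    for name in plan["unclassified"]:
        lines.append(f"  skipped  {name} (unrecognised name, needs manual review)")
    return lines


def apply_plan(plan, root: Path) -> int:
    """Remove only the 'delete' set from disk; returns the number of files removed."""
    removed = 0
    for seg in plan["delete"]:
        target = root / seg.path
        if target.exists():
            target.unlink()
            removed += 1
    return removed


# Constructed sample data, not taken from any real recorder. Run date matches the article.
RUN_AT = datetime(2023, 6, 5, 9, 0)
SAMPLE_FILES = [
    "reception_20230601T1430.mp4",   # 4 days old: inside the window
    "carpark_20230420T2310.mp4",     # 46 days old, no hold: overwrite
    "carpark_20230425T0205.mp4",     # 41 days old, covered by an incident hold
    "reception_20230505T0900.mp4",   # 31 days old: overwrite
    "thumbs.db",                     # not footage: left alone and reported
]
SAMPLE_HOLDS = [
    Hold("INC-0412", "carpark", datetime(2023, 4, 25, 1, 0), datetime(2023, 4, 25, 3, 0)),
]

if __name__ == "__main__":
    print("\n".join(audit_lines(plan_retention(SAMPLE_FILES, SAMPLE_HOLDS, RUN_AT), RUN_AT)))
```

The job separates planning from deletion so the plan can be reviewed (or logged) before anything is removed, and the hold list is the mechanism the article's third bullet calls for: footage tied to a reported incident stays past the standard window until the hold is lifted.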

Data Subject Access Requests for CCTV Footage

Under UK GDPR, any individual whose image is captured on your CCTV system has the right to request a copy of that footage — this is a Subject Access Request (SAR). You have one month to respond. You must provide the footage in a format the individual can access, and you must redact any other individuals who appear in the same footage to protect their privacy.

SARs for CCTV footage are more common than many businesses expect, particularly following workplace incidents, personal injury claims, and road traffic incidents in car parks. Having a process in place before a request arrives — knowing who is responsible for handling it, how to export footage from your recording system, and how to redact other individuals — makes a significant difference to how smoothly these requests are handled.

When Is a Data Protection Impact Assessment Required?

For higher-risk CCTV deployments, a Data Protection Impact Assessment (DPIA) is required under UK GDPR. The ICO's guidance says a DPIA is likely needed when:

  • Cameras monitor a large number of people, or an area where people have a reasonable expectation of privacy
  • The system uses automated facial recognition or other biometric processing
  • The footage is shared with third parties, including law enforcement, on a systematic basis
  • The system covers public spaces or areas accessible to the general public at scale

For a standard office or retail CCTV installation, a full DPIA may not be required — though documenting your decision not to conduct one is good practice. For hotel or hospitality CCTV, particularly where cameras cover corridors, communal areas, and guest-facing spaces, the question is worth considering carefully.

Sharing Footage with Police

When an incident is reported to the police, sharing relevant CCTV footage is generally lawful under UK GDPR's law enforcement exemption — you do not need the data subject's consent to provide footage to police investigating a crime. However, you should document any disclosure: what footage was shared, with whom, for what purpose, and on what date. Requests should ideally be made in writing by police.

Do not share footage indiscriminately or beyond what is necessary for the investigation. Sharing footage for purposes beyond crime prevention — for example, posting clips on social media — creates separate legal exposure.

Common Compliance Mistakes

In our experience installing and maintaining CCTV systems for London businesses, the most common compliance failures are:

No signage at all. This is the single most frequent issue and the easiest to fix.

Retention set to maximum and never reviewed. Many systems are installed with the maximum available storage and footage is retained indefinitely because no one ever configured the overwrite settings. This creates unnecessary data retention risk.

No privacy notice or data protection policy covering CCTV. Your organisation's privacy notice should reference CCTV use, what it is used for, and how long footage is retained.

Cameras pointing beyond your boundary. Cameras that capture public streets or neighbouring properties are permissible in limited circumstances but require specific justification. Cameras should be positioned to capture your premises and no more than is necessary.

No process for handling SARs. Without a defined process, SAR responses become chaotic, time-consuming, and prone to errors — including failing to redact third parties.

Building Compliance In from Day One

The easiest way to ensure your CCTV installation is compliant is to build compliance into the specification and installation from the start, rather than retrofitting it later.

At Slam Systems, we include a compliance briefing as part of every CCTV installation — covering signage requirements, recommended retention settings, how to handle SARs, and what documentation you should maintain. We position cameras to minimise unnecessary capture of individuals outside your premises, configure retention periods to a sensible default, and make sure your system is set up to export footage in a format that works for SAR responses and police disclosures.

A CCTV system that is compliant from day one is also a CCTV system that works properly for you when you actually need it — as evidence, in a claim, or in an investigation. Non-compliant footage can be challenged in legal proceedings, and a system with inadequate retention settings may simply not have the footage you need when an incident is reported.

We install CCTV systems for offices, hotels, retail units, and commercial properties across London, Surrey, Kent, Buckinghamshire, and Middlesex. Book a free site survey and we will assess your requirements, including the compliance considerations specific to your premises.