CCTV is a standard fixture across managed estates. For facilities managers and heads of security, it supports crime deterrence, incident investigation and health and safety oversight.

It also creates a set of legal obligations that require active management. Any CCTV system that captures images of identifiable individuals is processing personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and must be operated accordingly.

This article sets out the key compliance requirements and practical steps for getting it right.

What the Law Requires

The Information Commissioner’s Office (ICO) is the UK regulator for data protection, and its guidance on video surveillance is the primary reference point for CCTV compliance.

Under the UK GDPR, any organisation operating CCTV on commercial premises must be able to demonstrate a lawful basis for doing so. In most facilities management contexts, this will be legitimate interests, covering purposes such as security, crime prevention, or health and safety.

The Data (Use and Access) Act 2025, which came into force on 19 June 2025, introduced a category of “recognised legitimate interests” covering specific public interest purposes including crime prevention, safeguarding, national security and emergency response. Where processing falls within one of these recognised categories, organisations are not required to carry out a balancing assessment. For all other uses of legitimate interests as a lawful basis, a Legitimate Interests Assessment must still be completed and documented.

Beyond lawful basis, organisations must comply with the core data protection principles: transparency, data minimisation, purpose limitation, storage limitation, and integrity and confidentiality (security). In practice, this means cameras should only cover areas where surveillance can be justified, footage should not be kept longer than necessary, and access to recordings must be restricted to authorised personnel.

Most organisations operating CCTV on non-domestic premises are also required to register with the ICO and pay a data protection fee. The fee is tiered by organisation size and turnover. Following an increase in February 2025, the current tiers run from £52 for micro organisations to £3,763 for large organisations.

Before You Install: The DPIA Requirement

Where a proposed CCTV installation is likely to create a high risk to individuals’ rights and freedoms (for example, in high-footfall areas, or where AI-based analytics such as facial recognition or crowd behaviour analysis will be used), a Data Protection Impact Assessment (DPIA) is required before the system goes live.

Even where a full DPIA is not mandated, it is considered good practice and helps demonstrate accountability if the ICO ever reviews the installation.

A DPIA should document the purpose of each camera location, the likely impact on individuals’ privacy, the measures taken to mitigate that impact, and why surveillance is considered necessary and proportionate in that area. It should be kept on file and reviewed when the system is changed or extended.

Signage, Transparency and Camera Placement

Individuals must be informed that CCTV is in operation. This is typically achieved through clearly visible signage at entry points and throughout covered areas, stating that recording is taking place, identifying the system operator, and explaining the purpose of the monitoring. Signage that is too small, poorly positioned or absent is one of the most common compliance failures identified by the ICO.

Camera placement should be proportionate to the stated purpose. Areas where individuals have a reasonable expectation of privacy — including toilets, changing rooms, rest areas and prayer rooms — should not be covered. Where cameras are positioned near a boundary, care should be taken to avoid capturing areas beyond the site perimeter, such as public streets or neighbouring premises, unless there is a specific and documented justification for doing so.

CCTV can also serve a legitimate health and safety function. Footage of loading bays, plant rooms, lone working areas or vehicle access points can support incident investigation, procedure review and hazard identification. Where this is part of the stated purpose, it should be recorded in the DPIA and reflected in staff communications.

Retention: How Long to Keep Footage

The UK GDPR requires that personal data is not kept for longer than necessary for the purpose for which it was collected. Most organisations set a standard retention period of 30 days for routine CCTV footage, with provisions to extend this where footage is relevant to an ongoing incident, insurance claim or investigation. Retention periods must be defined in a written CCTV policy, applied consistently, and enforced through automatic deletion or overwrite where the system allows.

Footage should never be kept indefinitely without a documented reason. If an incident is reported or a Subject Access Request is received, relevant footage must be preserved until the matter is resolved — even if the standard retention period would otherwise have passed.
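The retention logic the last two paragraphs describe, as an added worked example that is not part of the original article: clips older than the standard 30-day period are deleted unless an active incident, claim or SAR hold covers them. The clip and hold structures, camera names and reference numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STANDARD_RETENTION = timedelta(days=30)  # the routine period the article describes

@dataclass
class Clip:
    clip_id: str
    camera: str
    start: datetime
    end: datetime

@dataclass
class Hold:
    # Preservation hold for an incident, claim or SAR; camera=None covers every camera.
    reason: str
    window_start: datetime
    window_end: datetime
    camera: Optional[str] = None
    resolved: bool = False

def hold_covers(clip: Clip, hold: Hold) -> bool:
    if hold.resolved or (hold.camera is not None and hold.camera != clip.camera):
        return False
    # The clip is covered if its time span overlaps the hold window.
    return clip.start <= hold.window_end and clip.end >= hold.window_start

def classify(clips, holds, now: datetime) -> dict:
    # retain: inside the standard period; preserve: expired but held; delete: expired, no reason to keep
    result = {"retain": [], "preserve": [], "delete": []}
    cutoff = now - STANDARD_RETENTION
    for clip in clips:
        if clip.end >= cutoff:
            result["retain"].append(clip.clip_id)
        elif any(hold_covers(clip, h) for h in holds):
            result["preserve"].append(clip.clip_id)
        else:
            result["delete"].append(clip.clip_id)
    return result

def sample_run() -> dict:
    # Constructed clips and holds; camera names and reference numbers are made up.
    t = lambda mo, d, h: datetime(2025, mo, d, h, tzinfo=timezone.utc)
    clips = [
        Clip("lobby-0820", "cam-lobby", t(8, 20, 9), t(8, 20, 10)),
        Clip("bay-0825", "cam-loading-bay", t(8, 25, 14), t(8, 25, 15)),
        Clip("lobby-0826", "cam-lobby", t(8, 26, 9), t(8, 26, 10)),
        Clip("carpark-0828", "cam-carpark", t(8, 28, 10), t(8, 28, 11)),
        Clip("lobby-0920", "cam-lobby", t(9, 20, 9), t(9, 20, 10)),
    ]
    holds = [
        Hold("incident INC-EXAMPLE-1", t(8, 25, 8), t(8, 25, 18), camera="cam-loading-bay"),
        Hold("incident INC-EXAMPLE-2", t(8, 26, 0), t(8, 26, 23), camera="cam-lobby", resolved=True),
        Hold("SAR SAR-EXAMPLE-1", t(8, 28, 0), t(8, 28, 23)),  # whole site, all cameras
    ]
    return classify(clips, holds, now=t(10, 1, 12))
```

Only the "delete" list should feed the overwrite or purge job; anything in "preserve" stays until the hold is marked resolved, at which point the next run deletes it.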

Subject Access Requests and Data Subject Rights

Any individual recorded by a CCTV system has the right to request a copy of footage containing their personal data. This is a Subject Access Request (SAR), and organisations are legally required to respond within one calendar month. The Data (Use and Access) Act 2025 introduced a “stop the clock” provision: if clarification is needed from the requester — for example, to narrow down dates or locations — the response clock can be paused until they reply.

Where footage contains images of third parties, it must be redacted before disclosure. Most modern CCTV platforms include tools for blurring or pixelating third-party faces, but organisations should confirm this capability at procurement stage. Failing to respond to a SAR, or responding outside the statutory timeframe, is a breach that the ICO takes seriously.

From 19 June 2026, organisations must also have a formal data protection complaints process in place. This requires a documented mechanism for individuals to raise data-related concerns, with acknowledgement within one calendar month and a clear path to resolution or escalation.

Cybersecurity for IP-Connected Systems

Most modern CCTV systems operate over IP networks, which introduces cybersecurity risks that must be actively managed. Footage transmitted without encryption can be intercepted in transit, and unencrypted stored recordings can be read by anyone who obtains the recorder or its media; systems with weak or default passwords are a well-known attack vector. Organisations should ensure that CCTV network infrastructure is secured with strong authentication, that software and firmware are kept up to date, and that access to live and recorded footage is controlled through role-based permissions, with audit logging in place so that every access and export can be traced.
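An added example (not from the article or any vendor) of the kind of review the audit log makes possible: it parses a constructed access-log format from a recorder, checks each successful action against an assumed role matrix, lists every export of footage, and flags accounts with repeated failed logins. The log format, role names, user names and cameras are all constructed.

```python
import re
from collections import defaultdict

# Assumed role matrix (not from the article): actions each role may perform on the system.
ROLE_PERMISSIONS = {
    "security": {"view_live", "view_recorded", "export"},
    "facilities": {"view_live"},
    "contractor": set(),
}

# Constructed audit-log format: timestamp, user, role, action, camera, outcome.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"camera=(?P<camera>\S+) result=(?P<result>\S+)$"
)

# Constructed sample entries; user and camera names are made up.
SAMPLE_LOG = """\
2025-09-30T08:01:12Z user=jsmith role=security action=view_live camera=cam-lobby result=ok
2025-09-30T08:05:44Z user=jsmith role=security action=export camera=cam-loading-bay result=ok
2025-09-30T09:12:03Z user=acontractor role=contractor action=view_recorded camera=cam-lobby result=ok
2025-09-30T09:30:10Z user=pfacilities role=facilities action=export camera=cam-carpark result=denied
2025-09-30T22:41:01Z user=admin role=security action=login camera=- result=fail
2025-09-30T22:41:09Z user=admin role=security action=login camera=- result=fail
2025-09-30T22:41:15Z user=admin role=security action=login camera=- result=fail
2025-10-01T07:58:30Z user=mlee role=security action=login camera=- result=ok
"""

def parse_log(text: str) -> list:
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]

def review(events: list, failed_login_threshold: int = 3) -> dict:
    # Three checks: an action succeeded that the user's role does not permit (the permission
    # model is not being enforced), every successful export (a disclosure to record), and
    # accounts with repeated failed logins (a password-guessing indicator worth investigating).
    findings = {"rbac_violations": [], "exports": [], "suspicious_logins": []}
    failures = defaultdict(int)
    for e in events:
        if e["action"] == "login":
            if e["result"] == "fail":
                failures[e["user"]] += 1
            continue
        if e["result"] == "ok" and e["action"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings["rbac_violations"].append((e["ts"], e["user"], e["action"], e["camera"]))
        if e["action"] == "export" and e["result"] == "ok":
            findings["exports"].append((e["ts"], e["user"], e["camera"]))
    findings["suspicious_logins"] = [u for u, n in failures.items() if n >= failed_login_threshold]
    return findings
```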

A data breach involving CCTV footage — for example, unauthorised access to a live feed or theft of stored recordings — must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to those individuals, they must also be informed directly and without undue delay. The threshold for notifying individuals is higher than the threshold for notifying the ICO.

Maintaining a Written CCTV Policy

A written CCTV policy is not a legal requirement in itself, but it is the most practical way to demonstrate compliance and give staff a clear framework for how the system is managed. A policy should cover the purpose of the system, the areas monitored, retention periods, access controls, how SARs are handled, and the process for reporting concerns or breaches. It should be reviewed at least annually, and updated whenever the system is changed or expanded.


Frequently Asked Questions

Does CCTV footage count as personal data under UK GDPR?

Yes. Any footage that can identify an individual is personal data under the UK GDPR and Data Protection Act 2018. This means CCTV systems capturing images of people on commercial premises are subject to data protection law in the same way as customer records or employee data.

Do I need to register my CCTV system with the ICO?

Most organisations operating CCTV on non-domestic premises are required to register with the ICO and pay a data protection fee. Following an increase in February 2025, fees run from £52 for micro organisations (under 10 staff or turnover under £632,000) to £3,763 for large organisations. Exemptions apply in limited circumstances, and the ICO website includes a self-assessment tool to confirm whether registration is needed.

What is a DPIA and when is one required for CCTV?

A Data Protection Impact Assessment is a documented evaluation of the privacy impact of a proposed processing activity. For CCTV, one is required where the system is likely to create a high risk to individuals — for example, where AI-based analytics are used, or where large numbers of people are recorded in sensitive contexts. It is considered good practice in all cases and should be kept on file and reviewed when the system changes.

What is the standard retention period for CCTV footage?

Most organisations set a standard retention period of 30 days for routine footage, with provision to extend this where footage is relevant to an incident or investigation. The ICO requires that retention periods are documented, justified, and applied consistently. Footage should not be kept longer than necessary, and automatic deletion or overwrite should be used where the system supports it.

What is a Subject Access Request and how must it be handled?

A Subject Access Request (SAR) is a request from an individual to access footage or data relating to them. Organisations must respond within one calendar month. Where footage contains images of third parties, those individuals must be redacted before the footage is disclosed. Under the Data (Use and Access) Act 2025, organisations can pause the one-month deadline if they need clarification from the requester about the scope of the request.

Are there restrictions on where CCTV cameras can be placed?

Yes. Cameras must not be positioned in areas where individuals have a reasonable expectation of privacy, including toilets, changing rooms, rest areas and prayer rooms. Placement should be proportionate to the stated purpose, and cameras should be positioned to minimise capture of areas beyond the site boundary unless there is a specific documented justification.

What happens if CCTV footage is accessed without authorisation or suffers a data breach?

A breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals’ rights and freedoms. Where the breach poses a high risk to those individuals, they must also be notified directly without undue delay — the threshold for informing individuals is higher than for notifying the ICO. Access controls, audit logging and encryption are the primary safeguards against a breach occurring. ICO fines for data protection breaches vary by severity: the most serious violations carry a maximum of £17.5 million or 4% of global annual turnover, whichever is higher.

Can CCTV be used for health and safety purposes as well as security?

Yes, provided the health and safety purpose is clearly documented and communicated to staff. Common applications include monitoring lone worker areas, vehicle access points and plant rooms, and reviewing footage after a workplace incident. The purpose should be reflected in the DPIA and the organisation’s written CCTV policy.

What is the Data (Use and Access) Act 2025 and how does it affect CCTV?

The Data (Use and Access) Act 2025 came into force on 19 June 2025 and introduced several amendments to UK data protection law. Key changes relevant to CCTV include: a new “recognised legitimate interests” ground covering specific public interest purposes including crime prevention, safeguarding, national security and emergency response, which removes the need for a balancing assessment where processing falls within those categories; a “stop the clock” provision for SAR responses; and a requirement for organisations to have a formal data protection complaints process in place by 19 June 2026. The ICO is updating its video surveillance guidance to reflect the Act.

Do covert CCTV cameras require a different legal basis?

Covert surveillance — cameras that are not disclosed to staff or visitors — is only lawful in exceptional circumstances, typically where there is a specific, documented suspicion of serious criminal activity. It should be authorised at a senior level, time-limited to the investigation period, and stopped once the investigation concludes. Routine covert monitoring is unlikely to be justifiable and carries significant legal and employment relations risk.


Talk to 2CL About CCTV for Your Estate

Whether you are installing a new system, upgrading an existing one, or reviewing compliance across a multi-site estate, 2CL Communications can design and support a CCTV solution that meets your operational needs and data protection obligations.
