We recognise there is a fundamental need to secure your business critical assets, from vacant land, development sites and compounds, to plant, materials and fuel. As a leading provider of sustainable security, we are perfectly positioned to secure, monitor and protect your valuable assets.

Assets Link

CCTV and GDPR / Data Privacy Regulations: Are You Compliant?

CCTV and GDPR / Data Privacy Regulations: Are You Compliant?
CCTV and GDPR / Data Privacy Regulations: Are You Compliant?

As experienced suppliers of a vast range of commercial and domestic CCTV installations, the Clearway team often deals with privacy queries. There are laws to be aware of whether you are:

  • Installing a new CCTV surveillance system.
  • Verifying whether an existing installation is compliant.
  • Planning to add new cameras or reposition your current ones.

To help you identify whether your CCTV is compliant with the laws and restrictions that apply, we have created this checklist to work through all the essential factors.

If you have any doubts about the legality of a surveillance installation, it remains strongly advisable to seek advice from our qualified team of professional CCTV installers.


dome vs bullet cameras

Key Takeaways

  • Any business, organisation or public building that uses CCTV needs to adhere to rules and legislation around data privacy – letting people know they are potentially being recorded and ensuring you have the right measures to demonstrate full compliance.
  • Action may be needed even if you have used a CCTV system for a long time, if you are revisiting your camera placements, changing your surveillance policy, or upgrading your security system, and cameras.
  • While the UK has now left the EU, it has officially retained UK GDPR as a domestic law with regular framework reviews. Similar controls are enforced through the Data Protection Act 2018.

What Laws Does My CCTV Need to Comply With?

Many businesses consult with the Clearway team about GDPR (the General Data Protection Regulation), but this original legislation is an EU law. The UK government has retained the regulation in a UK format alongside the most recently updated version of the Data Protection Act (DPA).

Regardless of whether you installed CCTV before or after Brexit, you must comply with the DPA, which has similar requirements and limitations on how you record people and manage their data.

These mandatory requirements stipulate that you should have written documentation detailing your CCTV policy, how you store and manage videos and photos, and showcasing how you comply with the privacy regulations.

Essentially, any information – including images – that allows an individual to be identified must be compliant. For example, if your workplace CCTV shows employees, visitors, delivery drivers or registration number plates, it is collecting personal data.

Therefore, every CCTV system owner needs to follow the guidelines to ensure compliance and avoid violating data privacy rules.

The penalties for non-compliance are severe – the Information Commissioner’s Office (ICO) can levy a fine of 4% of a business’s turnover up to a maximum of £17.5 million for serious breaches of data protection law.

Do You Have CCTV Surveillance Signs in Place?

examples of cctv sign

You cannot record anybody without their knowledge. Signs must accompany every CCTV installation on any premise to ensure that everybody entering the site knows they may be recorded.

However, signage is also necessary to ensure that everybody has the right to exercise control over the data collected about them.

You might receive a request to share footage with the individual or to delete that information, so they need to know that the surveillance has taken place and how you will use it.

For workforces, it is recommended you:

  • Erect signs advising that CCTV recording takes place.
  • Create a CCTV policy or include it in your privacy policy.

Installing signage is a great way to notify employees or site users about your surveillance and can also deter criminal activity like theft or trespass. The College of Policing states that studies have shown that crime decreases by 13% in areas with live CCTV and by a greater extent when considering only vehicle and property crime.

Have You Explained Why CCTV Recording Is In Place?

does cctv record all the time?

Data protection rules require you to explain why you have a CCTV system. There are six bases on which you can justifiably use personal data collected through a surveillance installation.

These six categories are the lawful reasons for processing personal data, and each might apply to a different scenario, such as the following:

  • Individual contracts, where you supply services or goods to another party and require surveillance capture as part of the service contract.
  • Legal compliance when you are obligated to capture data.
  • Vital interests, where the information collected is required to protect the subject’s well-being or other parties.
  • Public tasks, such as governmental security, school surveillance systems, or police CCTV captures.
  • Legitimate interests, which apply to private organisations where they have a viable reason to collect information, including for commercial benefit.

The key factor is that CCTV data collection must have a stated purpose, and the benefit cannot be outweighed by the rights of each person to privacy.

In public spaces, CCTV signage can include a brief explanation of the purpose of the installation to meet this requirement – for example, because it is used for public safety reasons.

Do You Have Controls in Place to Restrict Access to CCTV Footage?

Businesses will need to appoint a Data Controller as the person (or named people) responsible for managing the storage and use of personal information captured through CCTV.

You need to ensure that:

  • Data is only accessible to appropriate individuals, such as managers or security staff.
  • CCTV is secured and only viewed by people with permission.
  • The information is stored safely and with adequate security.

Some options include storing footage in locked cupboards, implementing access controls on digital files, or encrypting CCTV footage.

Do You Delete CCTV Footage Regularly?

The next consideration is a retention period, after which the CCTV files and the information they contain are deleted.

Ideally, you should outline how often that takes place in your privacy policy or CCTV policy.

The law states that you should only keep information for ‘as long as necessary’, which is discretionary. The best approach to determine the appropriate retention period is to consider why you collect the data.

Most CCTV surveillance is deleted every 14 or 30 days.

Do You Have a Data Protection Impact Assessment in Place?

A DPIA acts as a risk assessment for data processing and ensures that you have mitigated any risks that could potentially impact the individuals being recorded.

Non-compliance can be serious business, and the fines can be extremely high. Therefore, it is essential to work through these checkpoints and seek a professional consultation if you have any concerns about whether your CCTV is data protection compliant.

The Clearway Team

The Clearway Team

Clearway is one of the UK’s most successful, innovative and rapidly expanding integrated security services and intelligent protection organisations – designed to protect people, property and assets.

Back to top

What are you looking for?