CCTV surveillance is commonplace across workplaces – from office lobbies to warehouses and retail stores. But did you know that every second of CCTV footage captured is regulated under the UK and EU GDPR (General Data Protection Regulation)?

That’s because the GDPR applies to any personal data that can identify an individual – and that includes video recordings and images, not just written information. Improper handling of this footage can result in significant legal and financial consequences.

In this 2025 guide, we’ll walk you through:

    • How the GDPR applies to workplace CCTV systems

    • What your legal responsibilities are

    • The critical steps you must take to remain compliant

1. Make it clear that CCTV is in use

Transparency is one of the seven core principles of the GDPR. You must inform individuals when and why they’re being recorded.

What you need to do:

    • Post clear signage at all entrances and monitored zones. Use wording such as:
      “CCTV in operation for safety and security purposes.”

    • Include a link or contact for further privacy details on the sign.

    • In your privacy notice, explain that workplace CCTV is in use, what it monitors, and why.

If you fail to provide this information, individuals cannot exercise their rights (e.g. requesting access to their footage), and your surveillance may be considered unlawful under Articles 5 and 13 of the GDPR.

2. Document a lawful basis for using CCTV

Under Article 6 of the GDPR, every data processing activity – including video recording – must have a lawful basis.

Common lawful bases for CCTV in the workplace:

    • Legitimate interests – e.g. crime prevention, security, or protecting property

    • Compliance with legal obligations – e.g. health and safety monitoring

    • Vital interests – e.g. emergencies affecting employee safety

Best practice in 2025:

Include your lawful basis on all signage and in your documentation. If monitoring employees, legitimate interests may be acceptable, but you must balance them against the individual’s privacy rights using an LIA (Legitimate Interests Assessment).

For example:

“CCTV is used in this area to ensure employee safety and prevent unauthorised access. Our use of CCTV is based on our legitimate interests, balanced against employee rights.”

3. Limit access to CCTV footage

CCTV footage is classified as personal data and access should be strictly controlled.

You must:

    • Store digital recordings on encrypted, access-controlled systems.

    • Restrict access to authorised individuals only (e.g. security staff, HR, management).

    • Log who accesses footage, when, and for what purpose.

    • Secure physical tapes or drives in locked environments.

In 2025, regulators increasingly expect encryption and RBAC (role-based access controls) as part of the appropriate technical and organisational measures required by Article 32 of the GDPR.
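
As an illustration of the access controls listed above (an added example, not part of the original article): a deny-by-default role check that records who accessed footage, when, and for what purpose, and logs refused attempts as well. The role-to-action map, function names and sample requests are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Hypothetical role-to-action map (roles from the article); default is deny.
ROLE_ACTIONS = {
    "security": {"view", "export"},
    "hr": {"view"}, "management": {"view"},
}


class AccessDenied(Exception):
    """Raised only after the refused attempt has been logged."""


def access_footage(log, user, role, action, camera, purpose, now=None):
    """Authorise one view or export and append an audit record either way."""
    now = now or datetime.now(timezone.utc)
    purpose = (purpose or "").strip()
    if action not in ROLE_ACTIONS.get(role, set()):
        decision = "denied: role not authorised"
    elif not purpose:
        decision = "denied: no purpose given"
    else:
        decision = "allowed"
    record = {"when": now.isoformat(), "who": user, "role": role,
              "action": action, "camera": camera, "purpose": purpose,
              "decision": decision}
    # Write the record before acting so refused attempts leave a trace too.
    log.append(json.dumps(record, sort_keys=True))
    if decision != "allowed":
        raise AccessDenied(decision)
    return record


def demo():
    """Run constructed requests; return the decision logged for each."""
    log = []
    requests = [  # constructed sample data
        ("a.khan", "security", "export", "lobby-1", "Police request, incident EXAMPLE-1"),
        ("j.doe", "hr", "export", "lobby-1", "Grievance review"),
        ("m.lee", "management", "view", "dock-3", "   "),
        ("t.ng", "facilities", "view", "dock-3", "Checking door alignment"),
    ]
    for req in requests:
        try:
            access_footage(log, *req)
        except AccessDenied:
            pass
    return [json.loads(line)["decision"] for line in log]
```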

4. Establish and enforce a retention policy

You cannot retain CCTV footage indefinitely. The GDPR requires that personal data is only kept for as long as necessary for its original purpose.

What this means in practice:

    • Define retention periods (e.g. 7–14 days for general footage, longer for incident investigations).

    • Automate deletion where possible.

    • Document your policy in a data retention schedule or CCTV policy.

Storing footage “just in case” is not a valid justification under GDPR.
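
One way to automate the retention decision described above (an added example, not part of the original article): it plans a purge run in which general footage expires after the retention period, footage under an incident hold is kept, and undated or stale holds are escalated for review. The 14-day period is the upper end of the article's range; the 180-day hold limit, the `Clip` fields and the sample inventory are assumptions constructed for the example, and the actual deletion is left to the recording system.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GENERAL_RETENTION = timedelta(days=14)  # upper end of the article's 7-14 days
HOLD_MAX_AGE = timedelta(days=180)      # assumed: older holds need review


@dataclass
class Clip:
    path: str
    recorded: datetime
    hold_ref: Optional[str] = None       # incident reference, if under hold
    hold_set: Optional[datetime] = None  # when the hold was placed


def plan_retention(clips, now):
    """Sort clips into delete / keep / review for one purge run."""
    plan = {"delete": [], "keep": [], "review": []}
    for clip in clips:
        if clip.hold_ref is None:
            expired = now - clip.recorded > GENERAL_RETENTION
            plan["delete" if expired else "keep"].append(clip.path)
        elif clip.hold_set is None or now - clip.hold_set > HOLD_MAX_AGE:
            # An undated or stale hold is "just in case" storage: escalate it
            # to a person instead of silently keeping or deleting.
            plan["review"].append(clip.path)
        else:
            plan["keep"].append(clip.path)
    return plan


def demo():
    """Constructed inventory, evaluated at a fixed 'now' for repeatability."""
    now = datetime(2025, 6, 30, tzinfo=timezone.utc)
    ago = lambda days: now - timedelta(days=days)
    clips = [
        Clip("lobby/recent.mp4", ago(3)),
        Clip("lobby/old.mp4", ago(20)),
        Clip("dock/incident.mp4", ago(29), "INC-EXAMPLE-1", ago(28)),
        Clip("dock/stale-hold.mp4", ago(211), "INC-EXAMPLE-0", ago(210)),
        Clip("gate/undated-hold.mp4", ago(60), "INC-EXAMPLE-2"),
    ]
    return plan_retention(clips, now)
```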

5. Conduct a DPIA before installing CCTV

A DPIA (data protection impact assessment) is mandatory when processing is likely to result in a high risk to individuals’ rights and freedoms – and that includes the systematic monitoring of public or workplace areas.

A DPIA will help you:

    • Evaluate the necessity and proportionality of CCTV

    • Identify risks to employee and visitor privacy

    • Design safeguards (like masking or limited retention)

Without a DPIA, your CCTV programme could be deemed non-compliant under Article 35 of the GDPR.

6. Be ready for DSARs (data subject access requests)

Anyone recorded on CCTV – including employees, contractors, and visitors – can request access to footage that features them.

You must:

    • Respond within one month (extendable to 3 months for complex cases).

    • Provide footage in a secure, accessible format (e.g. MP4).

    • Redact third parties or use video masking tools where others are visible.

In 2025, DSARs involving CCTV footage are on the rise, and failure to comply has led to fines and enforcement notices across the UK and EU.

Enforcement example: CCTV fine for non-disclosure

One of the first GDPR-related CCTV penalties was issued to an Austrian retailer for failing to inform people that surveillance cameras were operating outside its premises. The organisation was fined €4,800 (about £4,000) for breaching transparency obligations.

While the fine was relatively modest, the reputational damage and investigation costs were far more significant. Regulators across Europe and the UK have since stepped up their enforcement around workplace surveillance.

Your CCTV compliance checklist for 2025

    • Post visible signage with purpose and contact details

    • Identify and document a lawful basis

    • Limit access and log all views or exports

    • Define a clear retention period and automate deletion

    • Conduct a DPIA before any new camera installation

    • Prepare for DSARs with redaction capability

    • Include CCTV information in your privacy policies and internal training

Frequently asked questions (FAQs)

Is CCTV covered by GDPR?

Yes. CCTV footage that can identify individuals is classed as personal data and is therefore covered by GDPR and the Data Protection Act 2018.

How long can you keep CCTV footage under GDPR?

GDPR requires that personal data, including CCTV footage, must not be kept longer than necessary. Most organisations keep footage for 30 days unless there is a specific reason, such as an investigation.

Does GDPR apply to home CCTV?

Yes, but only in certain cases. If CCTV cameras capture images beyond your property boundary (such as public streets or neighbours’ gardens), GDPR applies. If it only covers your private property, GDPR does not apply.

How does GDPR affect CCTV use?

GDPR requires organisations to:

  • Have a lawful basis for recording.
  • Put up clear CCTV signage.
  • Store footage securely.
  • Provide individuals with access to their footage if requested via a DSAR.

Is sharing CCTV footage a breach of GDPR?

Yes, if it is shared unlawfully or without a valid reason. CCTV footage should only be shared with authorised parties (e.g. police) or with the consent of the individuals recorded.

Do I need to register CCTV with the ICO under GDPR?

Yes. Most organisations operating CCTV must pay a data protection fee and register with the ICO, unless exempt.

Is workplace CCTV covered by GDPR?

Yes. Employers must comply with GDPR when using CCTV in the workplace. This includes informing staff, ensuring monitoring is proportionate and protecting stored footage.

A version of this blog was originally published on 3 October 2019.