CCTV surveillance is commonplace, from office lobbies to warehouses and retail stores. It supports staff and public safety, helps secure premises, stock and equipment, and provides valuable evidence for investigations.
In most cases, it is also a form of personal data processing, because it records identifiable people.
That means businesses using CCTV must comply with the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018.
If they don’t, they may face complaints, regulatory scrutiny and enforcement action.
This blog post considers what organisations need to do to avoid falling foul of the law.
CCTV for business purposes: when is it lawful?
Under Article 6 of the GDPR, every data processing activity – including video recording – must have a valid lawful basis.
For many businesses, that lawful basis will be legitimate interests.
These may include preventing crime, protecting staff, securing property or investigating incidents.
In some cases, compliance with a legal obligation may be relevant, depending on the purpose of the monitoring.
Either way, you also need to show that CCTV monitoring is necessary and proportionate. That means considering whether your aims could be achieved in a different way.
If the proposed monitoring is likely to create a high risk to people’s rights and freedoms, you may also need to carry out a DPIA (data protection impact assessment) before installing a CCTV system.
What are the laws on CCTV cameras in the workplace?
Employers must be clear about why they are using CCTV, must tell people that monitoring is taking place and must use the footage fairly.
If cameras are introduced for site security, it won’t usually be reasonable to use the footage to monitor staff behaviour or as evidence in disciplinary action unless that possibility has been clearly explained.
Employers must also respect reasonable expectations of privacy. For instance, cameras should not be installed in toilets, changing areas or similar spaces where people would clearly expect privacy.
Covert monitoring is even more sensitive. It should only be considered in exceptional circumstances, such as a time-limited investigation into suspected serious misconduct, and only where a less intrusive option would not work.
Does a CCTV camera in a workplace require a privacy notice?
Yes.
If your business uses CCTV, you must inform people that monitoring is taking place, why it is taking place and who controls the system. In practice, this usually means a combination of visible signage and fuller privacy information.
Your signs should be clear, easy to see and easy to understand.
They should tell people that CCTV is in operation and explain where they can find further information – for instance in an online privacy notice.
Your privacy notice should explain the purpose of the monitoring, your lawful basis for processing, who footage may be shared with, how long it is kept and how individuals can exercise their rights.
A simple CCTV privacy notice example might say:
“CCTV operates at these premises for security, safety and incident investigation purposes. GRC Solutions is the controller of this footage. For more information about how we use CCTV, how long footage is retained and how to exercise your rights, please contact [insert details] or see our privacy notice at [URL].”
That will not suit every organisation, but it shows the kind of information people should be given.
Can business CCTV cover the street?
Sometimes it can, but only where it is justified and limited.
If a camera unavoidably captures a small part of a public road or pavement while monitoring an entrance or delivery area, for example, that may be acceptable.
What matters is whether that view is necessary for the stated purpose.
You should not capture more than you need.
If a camera can be repositioned to avoid neighbouring property or unnecessary public space, it should be.
If privacy masking, filters or narrower camera angles can reduce unnecessary capture, those steps should be considered.
This is one of the clearest areas where poor setup can create risk.
A system installed for legitimate security reasons can quickly become disproportionate if it records large areas of public space without a good reason.
How long does a company have to keep CCTV footage?
There is no single fixed legal retention period.
Under the GDPR, personal data must not be kept for longer than necessary for the purpose for which it was collected.
That means retention should be based on actual need, not habit or convenience.
A business should define and document its own CCTV retention policy, which it should be able to justify.
For some organisations, a short retention period may be enough for routine monitoring.
In other cases, footage may need to be kept longer where it is relevant to an incident, an investigation or legal proceedings.
What matters is that the retention period is documented, justified and applied consistently.
Automatic deletion is usually sensible, because it reduces the risk of footage being kept indefinitely without a valid reason.
Who can legally view CCTV footage?
Only people with a genuine and authorised reason should have access.
That may include nominated security staff, certain managers, HR personnel or investigators, depending on the circumstances. Access should not be informal or unrestricted.
Businesses should know who can view footage, why they can view it and what controls apply.
This is where role-based permissions, secure storage and access logging become important.
Individuals who appear in footage may also have rights to access their personal data through a DSAR (data subject access request).
If the footage includes other people, the organisation may need to blur or otherwise redact third parties before disclosure.
Businesses may also share footage with the police or other authorities where there is a lawful basis for doing so.
A disclosure log is good practice and helps demonstrate accountability.
Benefits of CCTV cameras for business
There are clear benefits of CCTV cameras for business when they are used properly:
- Helping deter opportunistic crime.
- Supporting employee safety.
- Providing evidence after incidents.
- Supporting health and safety investigations, insurance claims and broader risk management.
However, these benefits do not remove legal obligations. After all, a useful system is not automatically a GDPR-compliant one.
Businesses still need to apply the right safeguards and make sure the system is proportionate to the risks it is meant to address.
CCTV compliance checklist for businesses
Before relying on CCTV, ask whether you can answer yes to the following:
- Have you identified and documented a lawful basis for CCTV?
- Have you confirmed that the monitoring is necessary and proportionate?
- Have you carried out a DPIA where the risks justify one?
- Is signage clear, visible and easy to understand?
- Is CCTV covered in your privacy notice and wider policy documents?
- Have you limited the camera view to what is actually needed?
- Is footage stored securely, with restricted access?
- Do you have a documented CCTV retention policy that you can apply consistently?
- Can you respond properly to DSARs involving video footage?
- Do you record disclosures and other access to footage where appropriate?
If you are unsure how to answer those questions, the Information Commissioner’s Office’s CCTV guidance is a good starting point, but many organisations also benefit from independent advice where CCTV forms part of a wider data protection framework.
CCTV is a compliance issue, not just a security issue
CCTV can be useful and entirely lawful, but it needs to be designed and managed as a data protection activity, not simply installed as a security tool.
Poor governance around surveillance can create privacy risks, employee relations issues and unwanted ICO attention.
If you are unsure whether your CCTV arrangements meet current data protection requirements, our independent privacy specialists can help you assess the risks, review your documentation and strengthen your governance approach.
CCTV FAQs (frequently asked questions)
Is CCTV covered by the GDPR?
Yes. CCTV footage that can identify individuals is classed as personal data and is therefore covered by the GDPR and the Data Protection Act 2018.
How long can you keep CCTV footage under the GDPR?
Business CCTV laws require that footage is not kept longer than necessary. Most organisations keep footage for 30 days unless there is a specific reason, such as an investigation.
Does the GDPR apply to home CCTV?
Yes, but only in certain cases. If CCTV cameras capture images beyond your property boundary (such as public streets or neighbours’ gardens), the GDPR applies. If they only cover your private property, the GDPR does not apply.
What are the business CCTV rules?
The GDPR requires organisations to:
- Have a lawful basis for recording.
- Put up clear CCTV signage.
- Store footage securely.
- Provide individuals with access to their footage if requested via a DSAR.
Is sharing CCTV footage a GDPR breach?
Yes, if it is shared unlawfully or without a valid reason. CCTV footage should only be shared with authorised parties (e.g. police) or with the consent of the individuals recorded.
Do I need to register CCTV with the ICO under the GDPR?
Yes. Most organisations operating CCTV must pay a data protection fee and register with the ICO, unless exempt.
Is workplace CCTV covered by the GDPR?
Yes. Employers must comply with the GDPR when using CCTV in the workplace. This includes informing staff, ensuring monitoring is proportionate and protecting stored footage.