Skip to content

Reviewed by CamComply

CCTV Audit Checklist: How to Review Your System for UK Compliance

A practical CCTV audit checklist for UK businesses. Work through each item to find compliance gaps before the ICO, an employee DSAR, or a complaint does it for you.

Most CCTV systems are installed once and never reviewed. The cameras keep recording, the recorder keeps overwriting, and nobody checks whether any of it is still compliant — until an employee asks for footage, a customer complains, or the ICO comes calling. A periodic CCTV audit is how you find the gaps on your own terms.

This is a practical, work-through checklist. Each item maps to a real UK obligation. If you can't tick it, you've found something to fix.

When to Run a CCTV Audit

Run a full audit:

  • Annually, as a matter of routine
  • Whenever you add, move, or remove cameras
  • After a near-miss — a DSAR you struggled to handle, a complaint, a footage request from police
  • When the law changes — for example, the Data (Use and Access) Act 2025 introduced new subject-access and complaints-handling provisions

The audit should take an afternoon. Compare that to the cost of an ICO enforcement notice or a tribunal claim citing covert surveillance.

Section 1: Justification and Purpose

  • Every camera has a documented purpose (theft prevention, staff safety, etc.) — not "just in case"
  • You've recorded a lawful basis under UK GDPR Article 6 (usually legitimate interests, with a balancing test)
  • You've considered whether a less intrusive measure would achieve the same aim
  • You have a DPIA where required (most public-facing CCTV needs one under Article 35)

Section 2: What the Cameras Capture

  • No camera over-captures — pointed at a neighbour's property, the public pavement, or beyond what's needed
  • Privacy zones / masking applied where a camera unavoidably catches areas it shouldn't
  • Audio is off unless you have a specific, documented justification (audio is far more intrusive)
  • Cameras are positioned to serve the stated purpose, not to maximise coverage for its own sake

Section 3: Transparency and Signage

  • Compliant signs at every entrance to a monitored area
  • Signs state who operates the cameras, why, and a contact for questions
  • Signs are visible before people enter the monitored area, not after
  • A "CCTV in operation" sticker alone is not treated as sufficient

For the detail, see our CCTV signage requirements guide and check yours with the signage compliance checker.

Section 4: Retention and Deletion

  • You have a defined retention period (not the recorder's default)
  • The period is justified by the purpose (the ICO indicates ~30 days suits most routine business CCTV, with documented reasons for longer)
  • Footage is actually deleted at the end of the period — automatically where possible
  • You can pause routine deletion when footage is needed for a request or investigation

See our footage retention guide and retention calculator.

Section 5: Access and Security

  • Only named, authorised people can view footage
  • Access is logged — who viewed what, when, and why (a CCTV log book)
  • Footage storage is secure — encrypted or access-controlled, not an open NVR on the network
  • Staff understand that unauthorised access or sharing can be a criminal offence under section 170 of the DPA 2018

Section 6: Individual Rights

  • You have a documented DSAR process for footage requests (one calendar month to respond)
  • You know how to redact third parties before releasing footage
  • You understand the DUAA 2025 "stop the clock" rule for when you need more information from the requester
  • From 19 June 2026, you have a documented complaints-handling process for data-processing complaints (a DUAA 2025 requirement)

See our subject access request guide.

Section 7: Documentation and Accountability

  • A camera register describing every camera and its justification
  • A CCTV policy that's been communicated to anyone who operates the system
  • Your ICO data protection fee is paid and your registration is current (check the ICO register)
  • You have a maintenance log showing regular checks of image quality, retention settings, and access — see our CCTV maintenance and compliance records guide for a template
  • You could produce all of the above in minutes if the ICO asked — the test of the accountability principle (Article 5(2))

Turning the Audit Into Action

Work through the seven sections and mark each item green, amber, or red. The reds are your priority list. The most common reds in SME audits are: no documented purpose, default retention, over-capture, missing or non-compliant signage, and no access log.

Don't try to fix everything at once. Address the items that carry the most enforcement risk first — purpose, signage, retention, and DSAR readiness — then work through the rest at your own pace.

Practical Steps

  1. Schedule the audit — put an annual date in the calendar now.
  2. Walk the site — physically check what each camera actually sees.
  3. Pull your documents — register, policy, DPIA, retention schedule, access log. Missing ones are reds.
  4. Fix the reds in risk order — purpose, signage, retention, DSAR readiness first.
  5. Run a structured check with our free CCTV compliance checker, which scores you against these obligations.

For a structured step-by-step version of this review built around the accountability principle, see our annual CCTV compliance review checklist. For the full legal background behind each item, see the UK CCTV regulations guide and the CCTV compliance checklist.

This guide provides a CCTV compliance audit checklist under the UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025, current as of June 2026. This is not legal advice.

Sources

Last reviewed: 2 July 2026

Stop Managing CCTV Compliance in Spreadsheets

CamComply will put every obligation — camera register, DPIA, signage, retention, DSARs — in one dashboard. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy

Related Articles