CCTV Commissioning Checklist: What to Verify Before Your System Goes Live

Your CCTV installer has finished. The cameras are mounted, the cables are run, and someone has handed you a remote control and a default password. Before you sign off and start recording, there are 12 things that need to be right — and most installers won't check the compliance ones for you.

This checklist covers both the technical verification (is the system actually working?) and the compliance steps (are you legally allowed to start recording?) that must be completed before your cameras go live.

Why Commissioning Matters

Switching on cameras before your compliance documentation is in place means you're processing personal data without meeting your legal obligations from day one. A retrospective DPIA is better than none, but it means every day of recording before the DPIA was completed was technically non-compliant.

More practically: getting the technical setup right at commissioning prevents the "we've been recording at the wrong resolution for six months" or "the camera that's supposed to cover the entrance actually shows the neighbour's garden" problems that are expensive to fix later.

The 12-Point Commissioning Checklist

Technical Verification

1. Camera coverage matches the specification

Walk the site with the installer and verify each camera on a monitor:

Does each camera cover the area it was intended to cover — and nothing more?
Are any cameras capturing areas outside your property boundary (neighbouring buildings, public pavements beyond what's necessary)?
Is the field of view consistent between day and night? (IR illumination can change the effective coverage area on some cameras.)
If privacy masking was requested (to block windows, neighbouring properties, or internal areas), verify it's applied and effective.

How to check: View each camera's live feed and compare it to the agreed specification or site survey. If the installer provided a camera plan showing intended coverage zones, hold it up against reality.

2. Image quality is adequate for purpose

Each camera should produce footage that serves its stated purpose:

For identification: Can you identify a person's face at the distance the camera is designed to cover? The ICO's video surveillance guidance notes that if your purpose requires identification, your footage must actually enable it.
For detection: Can you see that a person is present and broadly what they're doing?
For monitoring: Is the image clear enough to observe events in real time?

Check during both day and night conditions. A camera that produces clear daytime footage but grainy, washed-out night footage isn't fit for purpose if your security concern is overnight.

3. Recording is working and verified

Don't assume recording works because the live view works:

Confirm each camera is recording to the DVR/NVR (not just displaying a live feed)
Play back footage from at least 30 minutes ago to verify recordings are being stored
Check that the correct camera labels match the correct feeds (a mislabelled "Front Entrance" feed that actually shows the car park causes confusion during incident review and DSAR responses)
Verify audio recording is disabled on all cameras — unless you have specifically justified audio capture in your DPIA (most businesses cannot justify it)

4. Storage and retention configuration

Confirm the NVR/DVR has sufficient storage capacity for your target retention period at the configured resolution and frame rate
Configure automatic overwrite at your target retention period (e.g., 30 days)
Verify the system clock is set to the correct time and timezone (including daylight saving time settings)
If using cloud storage, confirm the data centre location — UK GDPR requires you to know where your data is processed, and transfers outside the UK need additional safeguards

Use our retention calculator to determine the right retention period for each camera group.

5. Network and remote access security

If your system is network-connected:

Change all default passwords — every camera, the NVR/DVR, and any management software. Use strong, unique passwords. Default credentials (admin/admin, admin/12345) are the single most common CCTV security failure.
If remote viewing is enabled, verify it uses encrypted connections (HTTPS, not HTTP). Ideally use a VPN rather than exposing the NVR directly to the internet.
Disable UPnP (Universal Plug and Play) on your router — CCTV systems often use UPnP to open ports automatically, which creates security vulnerabilities.
Update firmware on all cameras and the NVR to the latest available version.

If your system is air-gapped (no internet connection), confirm it genuinely has no network path to the internet — some installers connect systems to the business network for convenience.

6. Access controls configured

Create individual user accounts for each person who will access the system (not a shared login)
Set access levels appropriately — not everyone needs the ability to export footage or change settings
Enable access logging so you can audit who viewed or exported footage and when
Document who has access, at what level, in your CCTV policy and camera register

Compliance Verification

7. DPIA completed and signed

Your DPIA must be completed before cameras are switched on — not after. If you're commissioning a new system, the DPIA should have been done during the planning stage. If it wasn't, complete it now before activating recording.

The DPIA should reflect the actual system as installed — camera locations, coverage areas, retention periods, access controls. If the installation differs from what was planned (cameras moved, additional cameras added), update the DPIA to match reality.

Our DPIA template provides a worked example you can adapt.

8. Signage installed

Compliant CCTV signage must be displayed at every entrance to a surveilled area before cameras start recording:

Signs must be visible before the camera's field of view — people need to see the sign before the camera sees them
Each sign must include: the data controller's name, the purpose of recording, and contact details
Signs should reference where to find the full CCTV policy (website URL or "available on request")
Check that signs are legible from a reasonable distance and not obscured by doors, plants, or other signage

9. CCTV policy written and accessible

Your CCTV data protection policy must be finalised before recording begins:

Published on your website (or available on request, as stated on your signage)
Retention periods in the policy match the DVR/NVR configuration
Access controls described in the policy match the user accounts actually configured
DSAR process documented and a named person responsible for handling requests

Use our free policy generator to create a policy tailored to your setup.

10. Employee notification completed

If cameras cover any area where employees work or pass through:

Inform all employees about the cameras: locations, purposes, and their rights
Document the notification (date, method, attendees if in a meeting)
Give employees the opportunity to raise concerns — and document the responses
Reference CCTV monitoring in employment contracts or staff handbooks if not already included

This isn't optional courtesy — your DPIA requires evidence of consultation with affected individuals, and employment law expects employees to be informed about monitoring before it begins.

11. ICO registration confirmed

Most UK organisations processing personal data — including via CCTV — must pay the annual data protection fee to the ICO:

Tier 1 (micro organisations, up to 10 staff, turnover up to £632,000): £52/year
Tier 2 (small/medium organisations): £78/year
Tier 3 (large organisations, 250+ staff or turnover above £36m): £3,763/year

Check the ICO register to confirm your organisation is registered. If you're already registered for other data processing activities, CCTV is covered — you don't need a separate registration.

12. Camera register created

Create a document listing every camera with:

Field	Detail to Record
Camera ID	Unique identifier (e.g., CAM-01)
Location	Building, floor, specific area
Area covered	What the camera can see
Purpose	Why this specific camera exists
Audio	On or off (should be off unless specifically justified)
Resolution	e.g., 1080p
Retention period	e.g., 30 days
Privacy masking	Yes/no — and what is masked

This register must match your DPIA and your CCTV policy. If any of these three documents contradict each other, you have a compliance gap.

Post-Commissioning: The First-Week Check

Within the first week of operation, verify:

Retention is working: Check the oldest available footage. If your retention is set to 30 days and the system has been running for 3 days, the oldest footage should be approximately 3 days old — not weeks or months of test recordings from the installation period.
Image quality holds up: Review footage from different times of day and different cameras. Night-time quality, in particular, may differ significantly from what you saw during the daytime commissioning walkthrough.
No complaints received: If employees or neighbours raise concerns in the first few days, address them promptly and document your response. An early concern that's addressed is manageable — an ignored concern that becomes an ICO complaint is not.

What Installers Typically Handle vs. What They Don't

Most professional CCTV installers handle items 1–5 (technical verification) as part of their standard commissioning process. Items 6–12 (compliance verification) are almost always the customer's responsibility.

Some installers will offer to help with signage and may provide generic signs. These generic signs rarely meet the full legal requirements — they often say "CCTV in operation" without naming the data controller or providing contact details. Check what your installer provides against the full signage requirements.

No installer is responsible for your DPIA, your CCTV policy, your employee notification, or your ICO registration. These are the data controller's obligations — and the data controller is you.

Run through our free CCTV compliance checker after commissioning to verify you've covered every obligation. For the full regulatory picture, read the UK CCTV regulations guide.

This checklist covers CCTV commissioning requirements under UK GDPR, the Data Protection Act 2018, and ICO guidance current as of March 2026. Technical standards may vary by installer and system. This is not legal advice.