Reviewed by CamComply
CCTV Compliance Checklist: 7 Obligations Every UK Business Must Meet
A practical 7-point CCTV compliance checklist for UK businesses — covering camera registers, DPIAs, signage, retention, DSARs, ICO registration, and policies.
You operate CCTV. You know there are rules. You're not sure if you're following all of them. This checklist covers the 7 obligations that apply to every UK business running surveillance cameras, based on UK GDPR, the Data Protection Act 2018 and the Surveillance Camera Code of Practice. Note the difference in status: the UK GDPR and DPA 2018 obligations are binding on every business, while the Code is statutory only for police and local authorities under the Protection of Freedoms Act 2012 and is recommended practice for everyone else.
Run through each point. If you can't tick it off, you have a gap that needs fixing.
The 7-Point CCTV Compliance Checklist
1. Camera register — documented and current
You need a written record of every camera you operate. Not a mental note. Not a folder from the installer that hasn't been opened since installation day.
Your register must include for each camera:
- Camera identifier (the label on the camera and the channel number on the recorder)
- Location (building, floor, specific area)
- Purpose (security, theft prevention, health and safety)
- Areas captured and whether the field of view includes any public areas, neighbouring property or staff-only spaces
- Whether audio recording is enabled (the ICO regards audio as significantly more intrusive than video; it should be switched off unless you have a documented justification)
- Retention period
- Where footage is stored and who can access it
- Data controller (your organisation) and the named person responsible for the camera
- Date installed and date of the last change to position, field of view or settings
How to check: Open your register right now. Does the number of entries match the number of cameras actually installed? If you've added, moved, or removed cameras since the register was last updated, it's out of date.
2. DPIA — completed before cameras were switched on
A Data Protection Impact Assessment is required under UK GDPR Article 35 for any processing likely to result in a high risk to individuals. Article 35(3)(c) names systematic monitoring of a publicly accessible area on a large scale, and the ICO treats monitoring of employees the same way, so routine CCTV covering a workplace, shop floor or public-facing area qualifies. The ICO also recommends a DPIA before installing any new surveillance system even where it is not strictly required, because it is far cheaper to document proportionality up front than to justify it after a complaint.
Your DPIA should document why each camera is necessary, whether the surveillance is proportionate, what risks exist for the people being filmed, and what measures you've put in place to reduce those risks.
How to check: Do you have a written DPIA document? If the answer is "no" or "I'm not sure what that is," this is your highest-priority gap. The ICO's CCTV guidance for small organisations walks you through the basics.
3. CCTV policy — written and accessible
A documented policy explains why you use CCTV, your lawful basis, how footage is stored and secured, who can access it, retention periods, and how people can exercise their rights.
Your policy needs to be available to anyone who asks — employees, customers, visitors. Many businesses publish it on their website or reference it on their CCTV signage.
How to check: Can you produce your CCTV policy within 30 seconds? If it takes longer than that, it's either buried or it doesn't exist. Our free policy generator creates one tailored to your business setup.
4. Signage — compliant and visible at every entrance
Generic "CCTV in operation" stickers don't meet the legal requirements. Your signs must include:
- Your business name (the data controller)
- The purpose of recording
- Contact details (phone, email, or postal address)
- Where to find your full CCTV policy
Signs must be placed before the camera's field of view — people need to see the sign before the camera sees them.
How to check: Walk the route a visitor or employee would take to enter your premises. Can you read the sign before you're in view of the first camera? Does it name your business and state why you're recording? For the full requirements, read our signage guide.
5. Retention schedule — defined, documented, and enforced
UK GDPR's storage limitation principle means you must keep footage only as long as necessary for its stated purpose. The ICO does not prescribe a fixed number of days; it expects you to set a period you can justify from the purpose. Around 30 days is the common industry benchmark for routine security CCTV, since most incidents are reported within that window, but a different period is fine if your DPIA explains it.
You need a defined retention period for each camera (or group of cameras serving the same purpose), and a process for securely deleting footage when the period expires.
How to check: Log into your DVR/NVR. How far back does the oldest footage go? If it's months or years old with no documented justification, you're in breach. Also check the recorder's configured retention or overwrite setting against the period in your register: a recorder that simply overwrites when the disk is full is not enforcing a schedule, and a bigger disk silently extends your retention. Use our retention calculator to work out appropriate periods.
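The two "how to check" steps above (register current, retention enforced) can be automated. The following script is an added example written for this article; it is not code from CamComply or from any recorder vendor. It assumes a camera register kept as a list of records with the fields listed in point 1, and recordings exported as files named `<camera_id>_<YYYYMMDD>-<HHMMSS>.mp4` in one directory (both are assumptions; adapt `SAMPLE_REGISTER` and `parse_recording()` to your own layout). It validates the register, flags footage from cameras the register doesn't know about, reports footage past its camera's retention period, and skips cameras on legal hold so that a pending DSAR or incident never has its evidence deleted by the retention job.

```python
"""Retention audit for CCTV recordings, driven by a per-camera register.

Added example, not the page's own code. Filename convention and the sample
register below are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

REQUIRED_FIELDS = ("camera_id", "location", "purpose", "retention_days", "audio_enabled")

# Assumed export naming: <camera_id>_<YYYYMMDD>-<HHMMSS>.mp4
FILENAME_RE = re.compile(r"^(?P<cam>[A-Za-z0-9-]+)_(?P<ts>\d{8}-\d{6})\.mp4$")

# Constructed sample register; every value is illustrative.
SAMPLE_REGISTER = [
    {"camera_id": "cam01", "location": "Main entrance, ground floor",
     "purpose": "security", "retention_days": 30, "audio_enabled": False},
    {"camera_id": "cam02", "location": "Loading bay",
     "purpose": "health and safety", "retention_days": 14, "audio_enabled": False},
]


@dataclass(frozen=True)
class Recording:
    camera_id: str
    recorded_at: datetime
    path: Path


def validate_register(register: list[dict]) -> list[str]:
    """Return problems: missing fields, duplicate ids, bad retention, audio switched on."""
    problems: list[str] = []
    seen: set[str] = set()
    for i, entry in enumerate(register):
        for field in REQUIRED_FIELDS:
            if field not in entry:
                problems.append(f"entry {i}: missing field '{field}'")
        cam = entry.get("camera_id")
        if cam in seen:
            problems.append(f"entry {i}: duplicate camera_id '{cam}'")
        seen.add(cam)
        days = entry.get("retention_days")
        if not isinstance(days, int) or days <= 0:
            problems.append(f"entry {i}: retention_days must be a positive integer")
        if entry.get("audio_enabled") is True:
            problems.append(f"entry {i}: audio enabled on '{cam}'; record the justification")
    return problems


def parse_recording(path: Path | str) -> Recording | None:
    """Map a filename to (camera, timestamp); None if it does not follow the convention."""
    path = Path(path)
    m = FILENAME_RE.match(path.name)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y%m%d-%H%M%S").replace(tzinfo=timezone.utc)
    return Recording(m["cam"], ts, path)


def over_retained(register, recordings, now, legal_hold=frozenset()):
    """Split recordings into expired (deletable), unregistered (register out of date) and held.

    Cameras in legal_hold are never marked deletable: once a DSAR or incident is open,
    destroying the footage is itself an offence under DPA 2018 s.173.
    """
    limits = {e["camera_id"]: timedelta(days=e["retention_days"]) for e in register}
    expired, unregistered, held = [], [], []
    for rec in recordings:
        limit = limits.get(rec.camera_id)
        if limit is None:
            unregistered.append(rec)
        elif rec.camera_id in legal_hold:
            held.append(rec)
        elif (overdue := now - rec.recorded_at - limit) > timedelta(0):
            expired.append((rec, overdue.days))
    return expired, unregistered, held


def enforce(register, directory: Path, now=None, legal_hold=frozenset(), dry_run=True):
    """Scan a recordings directory; delete expired footage unless dry_run (default)."""
    now = now or datetime.now(timezone.utc)
    recordings = [r for r in map(parse_recording, Path(directory).iterdir()) if r]
    expired, unregistered, held = over_retained(register, recordings, now, legal_hold)
    for rec, days in expired:
        print(f"{'WOULD DELETE' if dry_run else 'DELETE'} {rec.path.name}: {days} day(s) over")
        if not dry_run:
            rec.path.unlink()
    for rec in unregistered:
        print(f"UNREGISTERED camera '{rec.camera_id}': {rec.path.name}; update the register")
    return expired, unregistered, held


def demo(legal_hold=frozenset()):
    """Run the audit over constructed in-memory filenames (no filesystem needed)."""
    now = datetime(2026, 3, 11, tzinfo=timezone.utc)
    names = ["cam01_20260301-090000.mp4",  # 9 days old, within 30-day limit
             "cam01_20260101-090000.mp4",  # 68 days old, 38 days over the limit
             "cam02_20260220-090000.mp4",  # 18 days old, 4 days over the 14-day limit
             "cam09_20260301-090000.mp4",  # camera not in the register
             "notes.txt"]                  # not a recording
    recordings = [r for r in map(parse_recording, names) if r]
    expired, unregistered, held = over_retained(SAMPLE_REGISTER, recordings, now, legal_hold)
    return {"expired": [(r.path.name, d) for r, d in expired],
            "unregistered": [r.path.name for r in unregistered],
            "held": [r.path.name for r in held]}


if __name__ == "__main__":
    print("register problems:", validate_register(SAMPLE_REGISTER))
    print(demo())
    print(demo(legal_hold={"cam02"}))
```

Run it with `dry_run=True` first and compare the report with what the recorder itself shows; a mismatch between the two usually means the recorder's overwrite setting, not the documented policy, is what is actually governing retention. Put the real deletion call on a schedule only once the register validates cleanly, and route DSAR and incident tickets into the `legal_hold` set before they reach the retention job.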
6. DSAR process — documented and ready to use
Anyone identifiable on your CCTV can request a copy of that footage under UK GDPR Article 15, and the request can arrive in any form, including verbally or by a message to any member of staff. You have one calendar month to respond, extendable by up to two further months only for genuinely complex or numerous requests. The Data (Use and Access) Act 2025 added a "stop the clock" provision: the deadline pauses while you wait for information you reasonably need from the requester, such as proof of identity or the date and location that would let you find the footage.
You need:
- A named person responsible for handling DSARs
- A documented process for locating, reviewing, and redacting footage
- A method for securely delivering footage to the requester
- Knowledge of when you can and can't refuse a request
How to check: If an employee emailed you right now requesting footage of themselves from last Tuesday, could you fulfil that request within one calendar month? If you're not sure where to start, you don't have a process. One further point: the moment a request arrives, preserve the footage it covers. If your retention schedule deletes it before you respond, you can no longer comply, and deliberately altering or destroying data to prevent disclosure is an offence under section 173 of the Data Protection Act 2018.
7. ICO registration — paid and current
Most UK organisations processing personal data must pay the annual ICO data protection fee. The tier depends on staff headcount and turnover:
- Tier 1 (micro: 10 or fewer staff, or turnover of £632,000 or less): £52/year
- Tier 2 (small/medium: 250 or fewer staff, or turnover of £36 million or less): £78/year
- Tier 3 (large: everyone else): £3,763/year
The exemptions for businesses that process data only for staff administration, accounts or marketing do not help here: the ICO's position is that using CCTV for crime prevention requires you to pay the fee regardless. Failure to pay can result in a penalty notice from the ICO of between £400 and £4,000 on top of the fee owed.
How to check: Search the ICO register for your organisation. If you can't find yourself, you're either not registered or your registration has lapsed.
What to Do With Your Results
All 7 ticked: You're covering the core obligations. Review annually, especially after adding or moving cameras, changing staff access, or when the ICO updates guidance.
4–6 ticked: You have gaps, but you're not starting from zero. Prioritise the DPIA and ICO registration if either is missing: both are breaches the ICO can act on directly, the fee is the easiest gap to close today, and the DPIA is the document every other item refers back to.
0–3 ticked: Significant exposure. Start with the DPIA and camera register — everything else builds on those foundations.
For a more detailed assessment with specific recommendations for each gap, use our CCTV compliance checker. For the full breakdown of each obligation, read our complete UK CCTV regulations guide.
This checklist covers CCTV compliance obligations under UK legislation current as of March 2026. It is not legal advice.
Last reviewed: 11 March 2026