Reviewed by CamComply
CCTV and the Data Protection Act 2018: What UK Businesses Need to Know
The Data Protection Act 2018 is the primary UK law governing how you process CCTV footage. Here's what it actually says about surveillance, and what it requires from your business.
You know CCTV involves data protection. You've probably seen "GDPR" mentioned. But the actual UK law that governs how you handle CCTV footage is the Data Protection Act 2018 (DPA 2018), working alongside UK GDPR. If you've been focusing on "GDPR compliance" without reading what the DPA 2018 adds, you're likely missing obligations that apply specifically to UK businesses.
This guide explains how the DPA 2018 applies to CCTV, what it requires beyond UK GDPR, and where the two laws interact.
DPA 2018 vs. UK GDPR — What's the Difference?
UK GDPR (the retained EU regulation, adapted for UK law after Brexit) sets out the core data protection principles: lawful basis, purpose limitation, data minimisation, storage limitation, and individual rights. It applies to all personal data processing, including CCTV.
The DPA 2018 supplements UK GDPR. It fills in the details that UK GDPR leaves to member states (or, post-Brexit, to the UK Parliament). For CCTV operators, the DPA 2018 adds:
- Exemptions and restrictions on individual rights (including subject access requests) that UK GDPR allows member states to define
- The ICO's enforcement powers — fines, enforcement notices, assessment notices
- Criminal offences related to personal data — including unlawful obtaining of personal data, which can apply to CCTV footage
- The framework for the ICO data protection fee that most organisations must pay
- Law enforcement processing provisions (Part 3) — relevant if you share footage with police
You need both. UK GDPR tells you the principles; the DPA 2018 tells you how the UK implements them.
How the DPA 2018 Applies to Your CCTV
The ICO Data Protection Fee
Section 137 of the DPA 2018 (together with the Data Protection (Charges and Information) Regulations 2018) requires most organisations that process personal data to pay an annual fee to the ICO. CCTV that captures identifiable individuals is personal data processing — so if you operate CCTV, you almost certainly need to pay.
The fees are tiered by organisation size:
| Tier | Who Qualifies | Annual Fee |
|---|---|---|
| Tier 1 (micro) | Up to 10 staff, turnover up to £632,000 | £52 |
| Tier 2 (small/medium) | 11–250 staff, or turnover up to £36m | £78 |
| Tier 3 (large) | 250+ staff, or turnover above £36m | £3,763 |
Failure to pay is not just an administrative oversight — the ICO can and does issue penalty notices for non-payment. Check your registration on the ICO register.
Subject Access Request Exemptions
UK GDPR Article 15 gives individuals the right to request copies of their personal data — including CCTV footage of themselves. The DPA 2018 supplements this with specific exemptions that let you restrict or refuse access in certain circumstances.
Exemptions relevant to CCTV:
Third-party data (Schedule 2, Part 3, Paragraph 16). If footage shows the requester alongside other identifiable individuals, you must consider whether disclosing the footage would reveal those individuals' personal data without their consent. In practice: redact or blur other people before releasing the footage, unless they consent or it's reasonable to disclose without consent.
Crime prevention and detection (Schedule 2, Part 1, Paragraph 2). If providing footage would prejudice the prevention or detection of crime — for example, revealing the existence of a covert investigation — you can withhold it. This exemption applies to the specific footage that would cause prejudice, not all footage.
Legal proceedings (Schedule 2, Part 1, Paragraph 5). If footage is relevant to anticipated or ongoing legal proceedings, certain restrictions may apply to its disclosure under a SAR. This doesn't mean you can refuse all SARs because "there might be legal proceedings someday" — the proceedings must be real and identifiable.
For the full DSAR process, see our subject access request guide.
Criminal Offences Under the DPA 2018
The DPA 2018 creates criminal offences that can apply to CCTV misuse:
Section 170 — Unlawful obtaining of personal data. It's a criminal offence to knowingly or recklessly obtain, disclose, or retain personal data without the data controller's consent. An employee who accesses CCTV footage they're not authorised to view, or who shares footage on social media, is potentially committing a criminal offence — not just a policy violation.
Section 171 — Re-identification of de-identified data. If you've redacted footage (blurred faces) and someone deliberately re-identifies the individuals, that's a criminal offence.
Section 173 — Alteration to prevent disclosure. If you alter or destroy CCTV footage to prevent it being disclosed in response to a subject access request, that's a criminal offence. This is why preservation procedures matter — if you receive a SAR and then "happen" to delete the relevant footage, the DPA 2018 treats this seriously.
These offences are prosecuted by the ICO and carry unlimited fines (though no prison sentences under current law).
Law Enforcement Processing (Part 3)
If you share CCTV footage with the police, you should know that Part 3 of the DPA 2018 applies a separate regime to how law enforcement bodies process that data once they receive it. This doesn't change your obligations as the data controller who collected the footage — but it does mean:
- You can share footage with police for the purposes of crime prevention, detection, or investigation without the data subject's consent, relying on the crime prevention exemption
- Once the police have the footage, their processing of it is governed by Part 3 of the DPA 2018, not UK GDPR
- You should document any footage shared with police: what was shared, when, with whom, and under what authority
ICO Enforcement Powers
The DPA 2018 gives the ICO several enforcement tools relevant to CCTV non-compliance:
Information notices (Section 142). The ICO can require you to provide information about your data processing — including your CCTV setup, policies, retention practices, and DPIA.
Assessment notices (Section 146). The ICO can conduct an assessment of whether your processing complies with data protection law. For CCTV, this means they can inspect your cameras, review your footage, examine your access controls, and check your documentation.
Enforcement notices (Section 149). If the ICO finds non-compliance, they can require you to take specific steps to fix it — or to stop processing entirely. An enforcement notice requiring you to switch off cameras until compliance is achieved is within the ICO's powers.
Penalty notices (Section 155). For serious or persistent non-compliance, the ICO can impose fines. The maximum under UK GDPR (which the DPA 2018 implements) is £17.5 million or 4% of annual worldwide turnover — though CCTV enforcement actions against SMEs typically involve much smaller sums. The ICO's approach is generally to seek compliance rather than maximum penalties for small businesses.
The Domestic CCTV Exemption — and Its Limits
The DPA 2018, through UK GDPR's household exemption (Recital 18), provides that processing carried out by an individual "purely for personal or household purposes" is exempt from data protection law. This means residential CCTV used purely for home security is exempt — provided the cameras only cover your own property.
Where the exemption breaks down:
- Cameras covering public areas. If your home CCTV captures the pavement, road, or neighbouring properties beyond what's necessary, you may be acting as a data controller for that footage. The ICO has investigated domestic CCTV complaints where cameras recorded neighbours' gardens or driveways.
- Audio recording. Domestic cameras that record neighbours' conversations may engage not just data protection law but also other privacy rights.
- Shared premises. If you live above your business, cameras that serve both domestic and business purposes don't benefit from the household exemption.
This exemption is mentioned because it's a common source of confusion — business owners ask "my home camera doesn't need to comply, so why does my shop camera?" The answer: the household exemption is narrow and applies only to purely personal use on your own property.
How the DPA 2018 Connects to Your CCTV Compliance
The DPA 2018 doesn't exist in isolation from the rest of your CCTV compliance framework:
| Obligation | Primary Legal Source | DPA 2018 Role |
|---|---|---|
| Lawful basis for recording | UK GDPR Article 6 | DPA 2018 supplements with additional conditions in Schedules 1 and 2 |
| DPIA | UK GDPR Article 35 | DPA 2018 provides the enforcement mechanism for non-compliance |
| Subject access requests | UK GDPR Article 15 | DPA 2018 defines the exemptions you can rely on |
| Data protection fee | DPA 2018 Section 137 | DPA 2018 is the primary source for this obligation |
| Criminal offences (data misuse) | DPA 2018 Sections 170–173 | DPA 2018 is the primary source |
| ICO enforcement | DPA 2018 Part 6 | DPA 2018 grants the ICO its investigation and penalty powers |
| Signage and transparency | UK GDPR Articles 13–14 | DPA 2018 provides the enforcement backstop |
Practical Steps
If you've been focused on "GDPR compliance" for your CCTV and haven't considered the DPA 2018 specifically:
- Check your ICO registration. The data protection fee is a DPA 2018 requirement. If you're not registered, fix this today — the ICO register search takes 30 seconds.
- Review your DSAR process. Ensure you understand the DPA 2018 exemptions (third-party data, crime prevention) so you apply them correctly when handling requests. Our DSAR guide covers this.
- Brief your staff on criminal offences. Employees with access to CCTV need to understand that unauthorised access and sharing carry criminal, not just disciplinary, consequences.
- Document your law enforcement sharing. If you've shared footage with police, keep a record of what, when, and why. This is an accountability requirement.
- Run a compliance check. Our free compliance checker covers the obligations from both UK GDPR and the DPA 2018.
For a broader view of all CCTV regulations (not just the DPA 2018), read our UK CCTV regulations guide. For the full picture of how data protection principles apply to your cameras, see our CCTV data protection guide.
This guide covers CCTV-related provisions of the Data Protection Act 2018, current as of March 2026. The DPA 2018 has been amended by the Data (Use and Access) Act 2025 — see our data protection guide for the combined picture. This is not legal advice.
Last reviewed: 11 March 2026