Reviewed by CamComply

CCTV Data Protection: What Every UK Business Must Know in 2026

A complete guide to data protection for CCTV in the UK — covering UK GDPR, DPA 2018, the seven data protection principles, and exactly how each one applies to your cameras.

You operate CCTV. That means you process personal data. That means every data protection rule that applies to customer databases, employee records, and marketing lists also applies to your camera footage — with some additional complications unique to surveillance.

This guide covers how UK data protection law applies specifically to CCTV, what the seven principles mean in practice for your cameras, and where most businesses get it wrong.

Why CCTV Is a Data Protection Issue

CCTV footage is personal data whenever an individual can be identified from it — directly (you can see their face) or indirectly (you can identify them from context: their uniform, their car registration, the time they clocked in).

Under the Data Protection Act 2018 and UK GDPR, any organisation that processes personal data must comply with the data protection principles. There is no CCTV exemption. The fact that you're recording video rather than typing into a spreadsheet is irrelevant — the obligations are the same.

The ICO's CCTV guidance makes this explicit: if your cameras can capture images of identifiable people, you are a data controller and the full weight of data protection law applies.

For a deeper look at when footage crosses the personal data threshold, see our guide on whether CCTV is personal data.

The Seven Data Protection Principles — Applied to CCTV

UK GDPR Article 5 sets out seven principles. Here is what each one means for your cameras.

1. Lawfulness, Fairness, and Transparency

What it requires: You need a lawful basis for recording, you must process data fairly, and people must know they're being recorded.

For CCTV this means:

  • Lawful basis: Most businesses rely on "legitimate interests" (UK GDPR Article 6(1)(f)). You have a legitimate interest in protecting your premises, staff, and stock. But you must also complete a balancing test — your interest doesn't automatically override the rights of the people you're filming. Document this in your DPIA.
  • Fairness: Recording must be proportionate. Cameras covering staff break rooms, toilets, or changing areas fail the fairness test regardless of your security concerns.
  • Transparency: Compliant signage at every entrance, a published CCTV policy, and clear information about how people can exercise their rights.

Where businesses fail: "We have CCTV" written on a sticker is not transparency. Your signs must name the data controller, state the purpose of recording, and provide contact details.

2. Purpose Limitation

What it requires: You can only use footage for the purpose you stated when setting up the system.

For CCTV this means:

If you told employees the cameras exist for security and theft prevention, you cannot then use footage to monitor their break times, track their productivity, or check whether they're on their phones. Each camera needs a documented purpose, and footage can only be used for that purpose.

The exception: If footage captures a crime or health and safety incident, using it for that investigation is generally lawful — even if "investigating crimes" wasn't the primary stated purpose. The ICO recognises that evidence captured incidentally may need to be used. But using security cameras as a systematic performance monitoring tool is a different matter entirely.

Where businesses fail: Installing cameras for "security" then reviewing footage to check whether staff arrived on time. If you want to monitor timekeeping, that must be a stated purpose with its own justification and employee notification.

3. Data Minimisation

What it requires: You should only collect the minimum amount of personal data necessary for your purpose.

For CCTV this means:

  • Camera angles: Cover only the areas necessary for your stated purpose. A camera aimed at protecting the till doesn't need to cover the entire shop floor.
  • Audio: Unless you can specifically justify audio recording (and it's hard to justify in most business settings), disable microphones. Many IP cameras have audio enabled by default — check yours.
  • Resolution: 1080p is standard and generally proportionate. 4K cameras capturing facial features in fine detail may be harder to justify unless you have a specific need.
  • Recording hours: If your purpose is break-in detection, 24/7 recording may be proportionate. If your purpose is customer flow monitoring during trading hours, recording overnight is unnecessary data collection.

Where businesses fail: Installing a camera with a wide-angle lens that captures neighbouring properties, the public pavement, and areas inside the building that have nothing to do with the stated purpose. More coverage is not better — it's more data you have to justify.

4. Accuracy

What it requires: Personal data must be accurate and, where necessary, kept up to date.

For CCTV this means:

The accuracy principle applies less directly to footage than to other data types — a camera records what it sees. But it does apply to:

  • Your camera register: Must accurately reflect the cameras actually installed, their locations, and their purposes. If you've added cameras since the register was last updated, it's inaccurate.
  • Time and date stamps: If your DVR/NVR clock is wrong, footage timestamps are inaccurate. This matters when footage is used as evidence or provided in response to a subject access request. Check your system clock regularly — daylight saving time changes are a common source of errors.
  • Metadata and labels: If you label camera feeds by location ("Front Entrance," "Stockroom"), those labels must match reality if cameras have been moved.

5. Storage Limitation

What it requires: Personal data must not be kept longer than necessary for its purpose.

For CCTV this means:

This is the retention principle, and it's where the ICO focuses much of its CCTV enforcement. You need a defined retention period for each camera or camera group, based on the purpose of recording.

The ICO doesn't prescribe a specific number of days — the right period depends on your purpose. For most SME CCTV, 30 days is the defensible baseline. Keeping footage for months or years "just in case" violates this principle.

For detailed guidance on setting retention periods, see our retention rules guide. To calculate appropriate periods for your setup, use our retention calculator.
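One way to make a per-camera retention schedule enforceable rather than aspirational, as an added example that is not part of this guide or the CamComply product: the script below assumes a hypothetical archive layout of `<archive>/<camera>/<YYYY-MM-DD>_<HHMM>.mp4`, a hypothetical camera register mapping each camera to a purpose group, and a retention period per group (30 days for security cameras, 7 for trading-hours flow monitoring), then deletes only footage past its group's period and appends an audit line for each deletion so the schedule can be evidenced under the accountability principle.

```python
import json
from datetime import date, datetime, timedelta
from pathlib import Path

# Hypothetical retention schedule: days per camera group, tied to the stated purpose.
RETENTION_DAYS = {"security": 30, "customer_flow": 7}

# Hypothetical camera register: which documented group each camera belongs to.
CAMERA_GROUPS = {
    "front_entrance": "security",
    "stockroom": "security",
    "shop_floor_counter": "customer_flow",
}


def recording_date(filename: str) -> date:
    """Recording date from an assumed '<YYYY-MM-DD>_<HHMM>.mp4' file name."""
    return datetime.strptime(filename.split("_", 1)[0], "%Y-%m-%d").date()


def select_expired(files: dict, today: date) -> list:
    """Return (camera, filename) pairs older than their group's retention period."""
    expired = []
    for camera, names in files.items():
        group = CAMERA_GROUPS.get(camera)
        if group is None:
            # Unregistered camera: an accuracy defect to fix in the register,
            # never something to purge blindly.
            continue
        cutoff = today - timedelta(days=RETENTION_DAYS[group])
        expired.extend((camera, n) for n in names if recording_date(n) < cutoff)
    return expired


def purge(archive: Path, today: date) -> list:
    """Delete expired footage under <archive>/<camera>/ and log each deletion."""
    files = {d.name: [f.name for f in d.iterdir() if f.suffix == ".mp4"]
             for d in archive.iterdir() if d.is_dir()}
    audit = []
    for camera, name in select_expired(files, today):
        (archive / camera / name).unlink()
        audit.append({"camera": camera, "file": name, "deleted_on": today.isoformat(),
                      "retention_days": RETENTION_DAYS[CAMERA_GROUPS[camera]]})
    # Accountability: the audit log is the evidence that the schedule is enforced.
    with (archive / "retention_audit.jsonl").open("a") as log:
        log.writelines(json.dumps(r) + "\n" for r in audit)
    return audit
```

Run `purge(Path("/path/to/archive"), date.today())` from a daily scheduled job; footage for cameras missing from the register is left in place and should be flagged for a register update instead.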

6. Integrity and Confidentiality (Security)

What it requires: Personal data must be protected against unauthorised access, accidental loss, destruction, or damage.

For CCTV this means:

  • Access controls: Who can view live feeds? Who can review recordings? Who can download or export footage? Each should be limited to named individuals with individual credentials — not a shared "admin" password on the DVR.
  • Physical security: Where is the NVR/DVR located? If it's under the shop counter, anyone behind the counter can access it. A locked room with restricted access is the standard.
  • Network security: If your NVR is connected to the internet for remote viewing, it needs the same security as any other internet-connected system — strong passwords, firmware updates, ideally VPN access rather than port forwarding. CCTV systems are among the devices most commonly targeted by botnets.
  • Export and sharing: When footage is exported (for police, insurance, or a DSAR response), how is it transferred? Unencrypted USB drives and plain email attachments are not secure methods for personal data.

Where businesses fail: Using the default password on the DVR (often "admin/admin" or "admin/12345"). Never updating DVR firmware. Leaving the DVR accessible via the internet with no firewall rules.

7. Accountability

What it requires: You must be able to demonstrate compliance — not just claim it.

For CCTV this means:

Documentation. The accountability principle is what ties everything together:

  • A completed DPIA (with a worked example if you need a starting point)
  • A written CCTV data protection policy
  • A camera register that matches your actual installation
  • A defined retention schedule
  • A documented DSAR process
  • Evidence of signage at all entrances
  • ICO registration (data protection fee paid)

If the ICO investigates a complaint about your CCTV, they will ask for these documents. "We comply but we haven't written it down" is not accountability — it's a gap.

Check your documentation against all seven obligations with our free compliance checker.

The Data (Use and Access) Act 2025 — What Changed

The Data (Use and Access) Act 2025 amended parts of UK GDPR and the DPA 2018. For CCTV operators, the key changes are:

  • Subject access requests: A new "stop the clock" provision lets you pause the one-month response deadline if you need additional information from the requester to locate the footage. Previously the clock ran regardless.
  • Complaints duty: From 19 June 2026, organisations must have a complaints-handling process for data protection complaints and must respond to complaints before the individual can escalate to the ICO.
  • Recognised legitimate interests: The Act introduces a list of processing activities that are automatically treated as having a lawful basis under legitimate interests — though the CCTV-specific implications are still being clarified in ICO guidance.

The core obligations haven't changed — you still need a lawful basis, a DPIA, signage, a policy, retention limits, and a DSAR process. The DUAA refines the procedural requirements around some of these.

Where Most Businesses Get It Wrong

Treating CCTV as separate from data protection. The installer sets up the cameras, the IT team manages the network, and nobody thinks about data protection until someone complains. CCTV is a data processing activity — it belongs in your data protection framework alongside everything else.

No documentation. The cameras work. The footage records. Nobody has complained. So nobody has written a policy, completed a DPIA, or set up a DSAR process. This is the most common gap, and it's the first thing the ICO checks when investigating a complaint.

Over-collecting. More cameras than necessary, covering more areas than necessary, retaining footage longer than necessary, at higher resolution than necessary. Every "more" is additional personal data you need to justify under the data minimisation principle.

Ignoring subject access requests. When someone asks for footage of themselves, many businesses either ignore the request, don't know how to respond, or panic. You have one calendar month. Our DSAR guide covers the full process.

A Practical Action Plan

If you're starting from scratch, tackle these in order:

  1. Complete a DPIA — this forces you to document your system, assess proportionality, and identify risks. Use our DPIA guide and template.
  2. Write a CCTV policy — use our policy guide or free policy generator.
  3. Install compliant signage — see our signage requirements guide.
  4. Set retention periods — use our retention calculator and configure your DVR/NVR.
  5. Document your DSAR process — our DSAR guide covers every step.
  6. Pay the ICO data protection fee — check the ICO register to confirm your registration.
  7. Run a compliance check — use our free compliance checker to identify remaining gaps.

For the full regulatory landscape, read our UK CCTV regulations guide.

This guide covers CCTV data protection obligations under UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025, current as of March 2026. It is not legal advice.

Last reviewed: 11 March 2026
