Reviewed by CamComply
CCTV Log Book and Camera Register: What to Record and Why (UK)
A CCTV log book and camera register are how you prove your surveillance is compliant. Here's exactly what to record, why UK GDPR requires it even for small businesses, and how to keep it.
Search for a "CCTV log book" and you'll mostly find paper notebooks sold on Amazon — ruled pages for writing down who watched footage and when. They're not wrong, but they're only half the story. The reason to keep a CCTV log is not tidiness; it's that UK data protection law requires you to demonstrate your CCTV is compliant, and a log book plus a camera register is how you do that.
This guide explains the difference between the two records, exactly what to put in each, and why even a small business operating a handful of cameras needs them.
Log Book vs. Camera Register — Two Different Records
People use "log book" and "register" interchangeably, but they capture different things and serve different purposes.
A camera register describes your system. It's a static-but-maintained record of every camera you operate: where it is, what it points at, why it exists, who controls it, and how long its footage is kept. Think of it as the inventory and justification for your surveillance.
A CCTV log book records events. It's a running diary of things that happen to your footage: who accessed it, when, why, what was exported, what was shared with police, and what was deleted. Think of it as the audit trail.
You need both. The register answers "what do you record and why?" The log book answers "and can you prove you've handled it responsibly?"
Why UK GDPR Requires This — Even for Small Businesses
There's a widespread belief that record-keeping under the UK GDPR only applies to organisations with 250+ employees. That's a misreading of Article 30 (records of processing activities).
The headline is that organisations with 250 or more employees must document all processing. But the exemption for smaller organisations is limited. Per the ICO, if you employ fewer than 250 people you still must document processing that:
- is not occasional (i.e. ongoing or regular, not a one-off), or
- is likely to result in a risk to people's rights and freedoms, or
- involves special category or criminal offence data.
CCTV is continuous, systematic monitoring of identifiable individuals. It is by definition "not occasional," and the ICO treats it as high-risk processing (which is why it usually triggers a DPIA). So the SME exemption does not get you off the hook for CCTV — you need a documented record of your camera processing regardless of headcount.
On top of Article 30, the accountability principle (UK GDPR Article 5(2)) requires you to be able to demonstrate compliance. A camera register and access log are the most direct evidence you can produce if the ICO ever asks.
What to Put in Your Camera Register
Your camera register should have one row per camera. For each, record:
| Field | What to record | Why |
|---|---|---|
| Camera ID / location | Physical location and a unique reference | Identifies the camera |
| Field of view | What it actually captures (entrance, till, car park) | Proves you're not over-capturing |
| Purpose | The specific reason this camera exists | UK GDPR purpose limitation (Art 5(1)(b)) |
| Lawful basis | Usually legitimate interests for business CCTV | UK GDPR Article 6 |
| Data controller | Who is legally responsible | Accountability |
| Retention period | How long footage from this camera is kept | Storage limitation (Art 5(1)(e)) |
| Audio? | Whether the camera records sound | Audio is more intrusive and rarely justified |
| Covers public space? | Whether the view extends beyond your property | Triggers extra obligations |
| Date added / last reviewed | When the camera went live and was last checked | Demonstrates ongoing review |
The discipline of filling this in catches over-capture before it becomes a complaint. If you can't write a clear purpose for a camera, that camera is a liability.
What to Put in Your CCTV Log Book
Your log book records events against your footage. Each entry should capture:
- Date and time of the event
- Type of event — viewing, export, disclosure to a third party, deletion, system fault
- Who carried it out (named individual)
- Why — the reason for accessing or sharing
- What footage was involved (which camera, which time window)
- Authorisation — who approved it, where approval was needed
The two highest-value entries to capture diligently:
- Disclosures to police. Record what was shared, when, with which officer/force, and under what basis. If you ever need to show you handled a police request properly, this is the evidence.
- Deletions and footage preserved for a request. If you receive a subject access request and then delete the relevant footage, that can be a criminal offence under section 173 of the Data Protection Act 2018. Logging when footage is preserved (and when routine deletion is paused) protects you.
Paper, Spreadsheet, or Tool?
A paper log book works, but it has two weaknesses: it's easy to forget to fill in, and it can't remind you when footage is due for deletion. A spreadsheet is better — searchable, backed up, and you can build retention dates into it. The natural next step is a dashboard that prompts you: when a retention deadline approaches, when a register entry hasn't been reviewed in a year, when a DSAR pauses routine deletion.
Whatever the format, the test is the same: could you produce, in five minutes, a complete account of every camera you run and every time someone touched the footage? If not, your record-keeping has a gap.
Practical Steps
- Build your camera register first. One row per camera, using the fields above. This is the foundation for everything else.
- Start a log book today. Even a simple shared spreadsheet is fine — the point is that it exists and gets used.
- Log every disclosure and deletion. These are the entries that matter most if anything is ever questioned.
- Review the register annually. Cameras get added, repositioned, and forgotten. An annual review keeps it honest.
- Check your wider compliance. Our free CCTV compliance checker flags whether you're missing the records the ICO expects.
For how retention periods feed your register, see our CCTV footage retention guide and the retention calculator. For the broader documentation picture, see our CCTV data protection guide, and for the legal framework overall, the UK CCTV regulations guide.
This guide explains CCTV record-keeping obligations under the UK GDPR and Data Protection Act 2018, current as of June 2026. This is not legal advice.
Sources
Last reviewed: 4 June 2026