Reviewed by CamComply
How Long Can You Keep CCTV Footage? UK Retention Rules Explained
There's no fixed legal limit for CCTV retention in the UK — but keeping footage longer than necessary is a compliance failure. Here's how to set the right periods.
There is no single legal answer to "how long can I keep CCTV footage?" UK law doesn't set a fixed number. Instead, the Data Protection Act 2018 and UK GDPR require you to keep footage only as long as necessary for its stated purpose — and delete it when that purpose expires.
That flexibility is both the good news and the problem. Without a prescribed limit, most businesses either keep footage forever (non-compliant) or pick a number at random (probably non-compliant). Here's how to set retention periods that actually hold up.
The Legal Principle: No Longer Than Necessary
UK GDPR's fifth data protection principle — storage limitation — states that personal data must be kept "for no longer than is necessary for the purposes for which it is processed."
The ICO's CCTV guidance for small organisations translates this directly: don't keep footage longer than you need it.
What "necessary" means in practice: If your camera exists to deter and detect break-ins, you need to keep footage long enough to discover that a break-in happened and report it. If your shop is checked every morning, 30 days covers any reasonable discovery period plus time to report to police and preserve evidence.
If your camera monitors a loading bay for health and safety, you need footage long enough to investigate any incident. Most workplace incidents are reported within days, so 14–30 days is typically sufficient.
What it doesn't mean: "We might need it someday" is not a valid justification. Keeping footage for months or years "just in case" violates the storage limitation principle.
Recommended Retention Periods by Purpose
The ICO doesn't mandate specific numbers, but industry practice and ICO enforcement patterns point to clear ranges:
| Camera Purpose | Recommended Retention | Rationale |
|---|---|---|
| General security (entrances, corridors) | 30 days | Standard discovery period for break-ins and incidents |
| Retail theft prevention (shop floor, tills) | 30 days | Stock checks and loss discovery typically happen within this window |
| Car park security | 14–30 days | Vehicle damage is usually noticed quickly |
| Workplace health and safety | 30 days | Incident reporting and investigation window |
| Loading bay / deliveries | 14 days | Delivery disputes are raised within days |
| Construction site security | 30 days | Matches typical site inspection cycles |
| High-risk areas (cash handling, controlled substances) | 30–90 days | Longer periods may be justified where the nature of the risk and typical investigation timelines support it — document the reasoning in your DPIA |
| Specific incident preservation | Duration of investigation + legal hold | Retained footage must be documented with the reason for extended retention |
The 30-day default. For most SME CCTV purposes, 30 days is the defensible baseline. It's long enough to catch incidents and short enough to comply with storage limitation. If you're unsure, start at 30 days and adjust per camera based on purpose.
Our retention calculator walks you through this for each camera in your setup.
When You Can Keep Footage Longer
Longer retention is lawful when you can document a specific reason:
Active incident investigation. If footage captures a crime, workplace accident, or insurance claim, you can preserve it for the duration of the investigation and any subsequent legal proceedings. Document the date preserved, the reason, and which specific footage is being held.
Legal hold. If you're notified of potential legal proceedings (an employment tribunal, a personal injury claim), preserve all relevant footage until the matter is resolved. Deleting footage after receiving notice of a claim can be treated as destruction of evidence.
Regulatory requirement. Some sectors have specific retention requirements — licensed premises under certain council conditions, financial services under FCA rules, or healthcare settings under CQC expectations. If a regulator imposes a specific retention period, that overrides the general principle.
Contractual obligation. Your landlord's lease, an insurance policy, or a security contract may specify minimum retention. Check these before setting your periods — but note that a contract cannot require you to retain footage longer than is lawful under UK GDPR. If there's a conflict, data protection law takes precedence.
When You Must Delete Footage
When the retention period expires. If your policy says 30 days and no incident has flagged the footage for preservation, it must be deleted or overwritten at day 30. "Deleted" means unrecoverable — not moved to an archive folder.
When someone exercises their right to erasure. An individual can request deletion of footage containing their personal data. You can refuse if the footage is needed for legal claims, regulatory compliance, or the exercise of your legitimate interests — but you must respond to the request within one calendar month, even if the answer is "no."
When the purpose no longer applies. If you remove a camera and stop using it, any stored footage from that camera should be deleted once the retention period for its final recording expires. Keeping archived footage from decommissioned cameras indefinitely is a compliance failure.
How to Set Up Automatic Deletion
Most modern DVR and NVR systems support automatic overwrite — footage is automatically deleted when storage fills up, starting with the oldest recordings. This provides a natural retention limit, but it's imprecise: the actual retention period depends on how many cameras are recording, the resolution, and the storage capacity.
The better approach:
- Calculate your target retention in days for each camera or group of cameras
- Configure your DVR/NVR to overwrite at the target number of days (most systems support per-channel settings)
- Verify by checking the oldest available footage matches your target period
- Document the configured retention period in your CCTV policy and DPIA
If your system doesn't support time-based automatic deletion — some older DVRs only overwrite when storage is full — you need a manual process: a regular check (monthly at minimum) to verify that footage beyond your retention period has been deleted.
Common Retention Mistakes
Keeping everything for a year. Unless you can document a specific, legitimate reason for 12-month retention, this is disproportionate and non-compliant. "Our installer set it up that way" is not a justification.
No documented retention period at all. If your CCTV policy doesn't state how long footage is kept, or if you don't have a policy, you're in breach of the accountability principle. The ICO expects a defined, documented period.
Different periods on paper vs. in practice. Your policy says 30 days. Your DVR is configured for 90 days. This inconsistency will be found during any ICO investigation triggered by a complaint. Audit your actual configuration against your documented policy.
Not preserving footage when required. The flip side: if an employee submits a subject access request for footage from last Wednesday, and you've already deleted it because your retention period is 7 days, you've done nothing wrong — as long as the 7-day period was documented, justified, and consistently applied. But if you delete footage after receiving a request, that's a serious breach. See our DSAR guide for the full process.
Applying one period to all cameras. A camera covering a high-value stock room and a camera covering the staff car park serve different purposes with different risk profiles. A blanket 30-day retention for both may over-retain for the car park and under-retain for the stock room. Set periods per purpose, not per system.
What Your Retention Schedule Should Include
Document for each camera or camera group:
| Field | Example |
|---|---|
| Camera ID / location | CAM-01 / Main entrance |
| Purpose | Security — break-in detection and deterrence |
| Retention period | 30 days |
| Deletion method | Automatic overwrite (NVR configured) |
| Exception process | If incident flagged, footage preserved with written reason and review date |
| Last verified | 2026-03-01 |
This schedule should be referenced in your CCTV policy and consistent with your DPIA.
Retention and Your Broader Compliance
Retention isn't an isolated obligation. It connects to everything:
- Your DPIA should document retention periods as a mitigation measure (shorter retention = lower risk)
- Your CCTV policy must state your retention periods and make them available to anyone who asks
- Your signage should reference where to find retention information (usually your full CCTV policy)
- Your DSAR process needs to account for whether requested footage still exists within the retention window
Check your full compliance position — including retention — with our free compliance checker. For the complete obligation set, read the UK CCTV regulations guide.
This guide covers CCTV footage retention under UK GDPR and the Data Protection Act 2018 as of March 2026. Specific sectors (healthcare, financial services, licensed premises) may have additional retention requirements from their regulators. This is not legal advice.
Sources
Last reviewed: 11 March 2026