Is CCTV Covered by GDPR? What UK Law Actually Says

Short answer: yes. If your CCTV captures images where individuals can be identified — by their face, clothing, vehicle, or context — that footage is personal data under UK GDPR and the Data Protection Act 2018. Every data protection obligation that applies to personal data applies to your cameras.

Here's the detail behind that answer, the one exception, and what it means for your business.

Why CCTV Footage Counts as Personal Data

UK GDPR defines personal data as "any information relating to an identified or identifiable natural person." CCTV footage meets this definition whenever a person in the footage could be identified — directly or indirectly.

You don't need to see someone's face clearly. A person can be identifiable from their clothing, build, location context (e.g., footage of a specific desk or workstation), or vehicle registration plate. If any of these make it possible to work out who the person is, the footage is personal data.

The ICO's CCTV guidance is unambiguous: CCTV footage containing identifiable individuals is personal data, and processing it is subject to UK GDPR.

The One Exception: Purely Domestic Use

Data protection rules do not apply to CCTV used by individuals for purely personal or household purposes. As GOV.UK guidance confirms, a camera on your own home to protect against burglary — covering only your own property — falls outside data protection law.

The moment a camera captures areas beyond your property (a public pavement, a neighbour's driveway, a shared car park), or is operated by a business rather than an individual, GDPR applies.

For businesses, there is no exception. Any CCTV operated by a business, charity, or other organisation is covered by data protection law — regardless of the number of cameras, whether footage is recorded, or whether anyone reviews it.

Which Laws Apply and How They Overlap

Three pieces of legislation work together:

Data Protection Act 2018 and UK GDPR set the core rules: you need a lawful basis for processing, you must be transparent about what you're doing, footage must be stored securely, and individuals have rights over their data.

Surveillance Camera Code of Practice adds 12 guiding principles specific to surveillance cameras. It applies directly to police and local authorities, but the ICO expects all organisations to follow it as good practice.

Data (Use and Access) Act 2025 amended UK GDPR and DPA 2018 with updated DSAR procedures and a mandatory complaints-handling duty (effective 19 June 2026). The core CCTV obligations haven't changed, but procedural requirements have been refined.

Seven Obligations GDPR Creates for CCTV Operators

Because CCTV footage is personal data, your business must:

1. Have a lawful basis for recording. Most businesses rely on "legitimate interests" under UK GDPR Article 6(1)(f). This requires a documented legitimate interests assessment demonstrating your interest in recording (e.g., preventing theft) outweighs the privacy rights of the people being filmed.

2. Maintain a camera register. Document every camera's location, purpose, and retention period.

3. Complete a DPIA. A Data Protection Impact Assessment is required when processing is likely to result in high risk — CCTV monitoring of workplaces and public areas qualifies.

4. Display compliant signage. Signs must include your business name, the purpose of recording, and contact details — placed before the camera's field of view. See our full signage guide.

5. Set retention limits. Keep footage only as long as necessary. The ICO recommends 30 days for routine business CCTV. Our retention calculator can help you define appropriate periods.

6. Handle subject access requests. Anyone filmed can request a copy of their footage. You have one calendar month to respond.

7. Register with the ICO. Pay the annual data protection fee (£52–78 for most SMEs). Failure to pay can result in enforcement action from the ICO.

For a detailed walkthrough of each obligation, read our complete CCTV regulations guide. Or check your current position with our free compliance checker.

What About Audio Recording?

Audio recording on CCTV is a separate and more sensitive issue. The ICO considers recording conversations "particularly intrusive" and harder to justify than video alone. Unless you have a specific, documented reason for recording audio — and have assessed it in your DPIA — keep microphones switched off.

Most SME CCTV setups have no legitimate reason to record audio. If your cameras have microphones enabled by default (many modern IP cameras do), disable them unless you've assessed and documented the justification.

What Happens If You Ignore It

ICO enforcement powers include:

• Information notices requiring you to provide information about your processing
• Assessment notices allowing the ICO to audit your CCTV compliance on-site
• Enforcement notices requiring you to change how you operate your cameras
• Penalty notices of up to £17.5 million (or 4% of annual global turnover)

In practice, most SMEs encounter the ICO through complaints — an employee files a DSAR, a customer complains about signage, or a neighbour reports cameras pointing at their property. The ICO investigates the complaint and often finds broader compliance failures.

The simplest way to avoid this: treat your CCTV footage as the personal data it is, and follow the obligations that come with it. Our 7-point compliance checklist shows you exactly where to start.

This article covers CCTV and UK GDPR as of March 2026. It is not legal advice. For specific situations, consult a qualified data protection professional.

Sources

• ICO — CCTV and video surveillance guidance
• GOV.UK — Data protection and your business: Using CCTV
• Data Protection Act 2018 — legislation.gov.uk
• Data (Use and Access) Act 2025 — ICO