Reviewed by CamComply
UK CCTV Regulations 2026: The Complete SME Compliance Guide
Every CCTV obligation UK SMEs must meet in 2026 — camera registers, DPIAs, signage, retention schedules, DSARs, and ICO registration explained.
Running CCTV at your UK business means you're processing personal data. That brings a set of legal obligations most SME owners only discover when something goes wrong — an employee requests footage, a customer complains, or the ICO writes a letter.
This guide covers every UK CCTV regulation that applies to businesses in 2026, including changes introduced by the Data (Use and Access) Act 2025. No legal jargon — just what you need to do and how to prove you've done it.
Three Laws That Govern UK CCTV Regulations
Three pieces of legislation set the rules for business CCTV:
Data Protection Act 2018 and UK GDPR — the core data protection framework. CCTV footage counts as personal data whenever it captures identifiable individuals. Every rule that applies to personal data — lawful basis, purpose limitation, storage limitation, security — applies to your cameras.
Surveillance Camera Code of Practice — issued under the Protection of Freedoms Act 2012, this code sets 12 guiding principles for operating surveillance cameras. It applies directly to police and local authorities, but the ICO expects all organisations to follow it as best practice.
Data (Use and Access) Act 2025 — received Royal Assent in June 2025. This amends parts of UK GDPR and DPA 2018. Key changes for CCTV operators include updated subject access request procedures and mandatory complaints handling. The ICO is currently reviewing its CCTV guidance in light of these amendments.
Seven CCTV Compliance Obligations for UK Businesses
1. Maintain a camera register
Document every camera you operate: its location, purpose, field of view, retention period, and who is responsible for it. The ICO expects you to know exactly what surveillance equipment you run and why.
A paper logbook from your installer isn't enough if it hasn't been updated since installation day. Your register needs to reflect what's actually in place — updated when cameras are added, moved, or decommissioned.
Record per camera:
- Physical location (building, floor, specific area)
- Purpose (security, theft prevention, health and safety)
- Areas captured and whether the field of view includes public areas
- Whether audio recording is enabled (almost always disproportionate for SMEs — switch it off unless you have a documented justification)
- Retention period for footage from this camera
- Named data controller
Use our CCTV compliance checker to see where your current setup stands against these requirements.
2. Complete a Data Protection Impact Assessment (DPIA)
Under UK GDPR Article 35, you must carry out a DPIA before processing that is "likely to result in a high risk" to individuals. Systematic monitoring of public or workplace areas via CCTV qualifies.
Your DPIA should address:
- What you're recording and why it's necessary
- Whether the surveillance is proportionate to the stated purpose
- Privacy risks to the people being filmed — employees, customers, visitors, passers-by
- Specific measures to reduce those risks (restricted access, signage, retention limits, encryption)
- Whether you consulted the people affected
The ICO's CCTV guidance includes a self-assessment checklist covering DPIA requirements. If you haven't completed a DPIA for your cameras, you're already non-compliant — it's one of the first things the ICO checks during an investigation.
3. Write a CCTV policy
You need a documented policy explaining:
- Why your business uses surveillance cameras
- The lawful basis you rely on (usually "legitimate interests" for commercial CCTV)
- How footage is stored and secured
- Who can access footage and under what circumstances
- How long footage is retained
- How individuals can exercise their data rights, including making subject access requests
- How complaints about your CCTV use are handled
Your policy should be available to anyone who asks. Many businesses publish it on their website or display a summary alongside CCTV signage.
Generate a compliant CCTV policy tailored to your business in minutes with our free policy generator.
4. Display compliant signage
The Surveillance Camera Code of Practice and UK GDPR require you to inform people they're being recorded before they enter the monitored area. A generic "CCTV in operation" sticker is not sufficient.
Compliant signs must include:
- The identity of the data controller (your business name or trading name)
- The purpose of the surveillance (e.g., "for the prevention and detection of crime")
- Contact details — a phone number, email address, or postal address where people can reach the data controller
- A reference to how they can get more information (e.g., "Our full CCTV policy is available at reception" or a URL)
Place signs at every entry point to a monitored area. They must be clearly visible and legible before someone enters the camera's field of view.
For the full breakdown — including sign placement, sizing, and common mistakes — read our guide to CCTV signage requirements in the UK.
5. Set and enforce retention schedules
There is no fixed legal maximum for how long you can keep CCTV footage. But the storage limitation principle under UK GDPR means you must retain footage only as long as necessary for its stated purpose — and no longer.
The ICO's general position is that 30 days is appropriate for most routine business CCTV. Keeping footage longer requires a documented justification (ongoing investigation, insurance claim, legal proceedings).
Typical retention periods:
- Routine security footage: 30 days
- Incident-related footage: duration of the investigation or claim
- Footage subject to a DSAR: retained until the request is fulfilled, then deleted per normal schedule
Once the retention period expires, footage must be securely deleted. "We forgot to delete it" is not a lawful basis for extended retention.
Work out the right retention period for each of your cameras with our free retention calculator.
6. Handle subject access requests within one calendar month
Under UK GDPR, anyone captured on your CCTV can request a copy of that footage. This is a Data Subject Access Request (DSAR), and you have one calendar month to respond from the date you receive it.
The Data (Use and Access) Act 2025 introduced a "stop the clock" provision: if you need additional information from the requester to locate the footage (the date, approximate time, which camera or location), the one-month clock pauses until they provide it. Once they respond, the countdown resumes.
When fulfilling a DSAR:
- Provide the footage free of charge unless the request is manifestly unfounded or excessive
- Redact or blur other identifiable individuals in the footage before sharing it
- If the footage has already been deleted under your retention policy, explain this clearly to the requester — you're not required to retain footage in anticipation of possible requests
Failing to respond within the one-month deadline is one of the most common triggers for ICO complaints about CCTV.
7. Register with the ICO and pay the data protection fee
Most UK organisations processing personal data — including via CCTV — must pay the annual ICO data protection fee. The amount depends on your organisation's size:
- Tier 1 (micro organisations): £52/year — up to 10 staff, turnover under £632,000
- Tier 2 (small and medium organisations): £78/year — up to 250 staff, turnover under £36 million
- Tier 3 (large organisations): £3,763/year
Failure to pay the data protection fee can result in enforcement action and penalty notices from the ICO.
Set a calendar reminder for your renewal date. It's a small cost with disproportionately large consequences if you forget.
What Changed in 2025–2026
The Data (Use and Access) Act 2025 doesn't replace UK GDPR or the DPA 2018 — it amends them. For CCTV operators, the practical changes are:
Subject access requests — the new "stop the clock" rule means your one-month response window pauses while you're waiting for information from the requester (e.g., date, time, camera location). This is genuinely helpful for DSARs where the requester's initial description is vague.
Complaints handling — from 19 June 2026, you will be required to have a documented process for handling complaints about your data processing, including CCTV. While this duty is not yet in force, the ICO recommends establishing a complaints process now as good practice.
ICO guidance under review — the ICO has flagged that its video surveillance guidance is being updated in light of the DUAA. Check back for revised requirements as they're published.
The core obligations haven't changed — camera registers, DPIAs, signage, retention, DSARs, and ICO registration are all still required. The DUAA adds procedural refinements, not new obligations.
Where Most SMEs Get It Wrong
Five compliance failures that the ICO sees repeatedly:
- No DPIA at all. Cameras get installed for security. Nobody assesses the privacy impact. The DPIA is required before you switch the cameras on — not after the ICO asks for it.
- Non-compliant signage. A "CCTV in operation" sticker without your business name, the purpose of recording, or contact details fails the requirements under both the Code of Practice and UK GDPR.
- No retention policy. Footage sitting on a DVR or NVR indefinitely with no deletion schedule breaches the storage limitation principle. Define a retention period, document it, and enforce it.
- Ignoring DSARs. Employees and customers have a legal right to footage containing their image. Not responding within one calendar month is one of the easiest ways to trigger an ICO investigation.
- Lapsed ICO registration. The annual fee is £52–78 for most SMEs. Forgetting to renew can result in a penalty notice from the ICO.
Your Compliance Checklist
If you're starting from zero or want to confirm where you stand:
- Audit your cameras — use our CCTV compliance checker to identify gaps in under five minutes
- Build your camera register — document every camera's location, purpose, and retention period
- Complete a DPIA — assess whether each camera is necessary and proportionate to its purpose
- Write your CCTV policy — our policy generator creates one tailored to your setup
- Check every sign — each entry point needs a sign with your business name, purpose, and contact details. See our signage guide for the full requirements
- Set retention schedules — define how long footage is kept per camera and set up a deletion process. Our retention calculator helps
- Prepare a DSAR process — document how you'll find, redact, and deliver footage within one calendar month
- Verify your ICO registration — confirm you've paid the current year's data protection fee
For a condensed version of these obligations, see our CCTV compliance checklist.
This guide covers CCTV compliance for UK businesses under legislation current as of March 2026. It is not legal advice. For complex situations — covert surveillance, audio recording, body-worn cameras, or cross-border data transfers — consult a qualified data protection professional.
Last reviewed: 11 March 2026