A Data Protection Impact Assessment sounds complicated. For CCTV in a small business, it doesn't have to be. This guide walks you through what a DPIA is, when you're legally required to do one, and how to complete it step by step.

What a DPIA Actually Is

A DPIA is a structured assessment of how your data processing — in this case, your CCTV system — affects people's privacy. It forces you to document three things:

1. Why you're recording (the purpose and lawful basis)
2. Whether recording is necessary and proportionate (could you achieve the same aim with less surveillance?)
3. What risks the recording creates for the people being filmed, and how you're reducing those risks

It's required under UK GDPR Article 35 whenever processing is "likely to result in a high risk" to individuals.

Do You Need a DPIA for Your CCTV?

Almost certainly yes. The ICO's guidance on video surveillance states that a DPIA is required for most surveillance deployments because they are "likely to result in a high risk" to individuals.

A DPIA is mandatory when your CCTV involves any of these:

• Systematic monitoring of publicly accessible areas (shop floors, car parks, building entrances)
• Workplace monitoring of employees
• Recording in areas where people have a higher expectation of privacy
• Use of new technology (facial recognition, ANPR, AI-powered analytics)
• Large-scale processing (multiple cameras across multiple sites)

In practice: If you have cameras pointing at anywhere other than a locked server room that only you enter, you need a DPIA.

When you might not need one: A single camera covering your own private office that only you use, with no employee or public access. This is rare in business settings.

When to Complete the DPIA

Before you switch the cameras on — not after. The legal requirement is to assess impact before processing begins. If your cameras are already running and you haven't done a DPIA, complete one now. A retrospective DPIA is better than none, though technically you've been non-compliant since the cameras started recording.

You also need to review and update your DPIA when:

• You add or move cameras
• You change the purpose of recording (e.g., from security to employee monitoring)
• You upgrade to cameras with new capabilities (audio, analytics, higher resolution)
• Relevant legislation or ICO guidance changes

Step-by-Step: How to Complete a CCTV DPIA

Step 1: Describe the processing

Document what your CCTV system actually does:

• Number of cameras and their locations (building, floor, specific area)
• What each camera covers — external entrances, shop floor, warehouse, office, car park
• Whether audio is recorded (many IP cameras have microphones enabled by default)
• Recording hours — 24/7 or business hours only
• How footage is stored — on-site DVR/NVR, cloud, or both
• Retention period — how long footage is kept before deletion
• Who has access to live and recorded footage
• Whether footage is shared with anyone (police, insurance, landlord)

Be specific. "We have cameras for security" is not a description — it's a vague statement. "We have 6 cameras covering 2 shop entrances, the till area, the stockroom, the rear delivery entrance, and the car park. Footage is recorded 24/7 to an on-site NVR and retained for 30 days" is a description.

Step 2: Assess necessity and proportionality

For each camera, answer:

• What is the specific purpose? Security against break-ins, theft prevention, staff safety, insurance requirement — be precise
• Is CCTV necessary to achieve this purpose? Could you achieve it with better locks, lighting, access controls, or staffing?
• Is the coverage proportionate? A camera covering the entire shop floor to prevent till theft is disproportionate — a camera covering the till area is proportionate

This is where businesses most often fail. The ICO doesn't object to CCTV in principle — it objects to cameras that record more than necessary, for longer than necessary, with access wider than necessary.

The proportionality test in practice:

• Camera in the stockroom to prevent employee theft? Likely proportionate — if documented and employees are informed
• Camera in the staff break room? Almost never proportionate — high privacy expectation, minimal security benefit
• Camera covering the public pavement outside your shop? Only proportionate if you can demonstrate a specific security need and you've minimised the field of view

Step 3: Identify and assess risks

For each group of people your cameras capture, document:

Employees:

• Risk of excessive workplace monitoring
• Impact on behaviour and wellbeing
• Risk of footage being used for performance management beyond the stated purpose

Customers and visitors:

• Risk of capturing sensitive information (e.g., medical conditions visible, religious dress)
• Risk of inappropriate access to footage
• Impact if footage is breached or leaked

Members of the public (if cameras cover any external areas):

• Risk of recording people who have no relationship with your business
• Disproportionate surveillance of public spaces

For each risk, assess both how likely it is and how serious the impact would be if it happened.

Step 4: Document your mitigation measures

For every risk identified in step 3, describe what you've done to reduce it:

• Access controls: Who can view footage? Is it password-protected? Are access logs maintained?
• Retention limits: Footage deleted automatically after the retention period? Our retention calculator helps define appropriate periods
• Signage: Compliant signs at every entrance to the surveilled area — see our signage guide
• Policy: A written CCTV policy available to anyone who asks — generate one with our policy generator
• Field of view: Cameras adjusted to capture only necessary areas, not adjacent properties or public spaces beyond what's needed
• Audio disabled: Microphones switched off unless specifically justified
• Employee notification: Staff informed about cameras, their purpose, and their rights before cameras were installed
• DSAR process: A documented process for handling footage requests — see our subject access request guide

Step 5: Record the outcome

Your DPIA should conclude with one of three outcomes:

1. Risks are acceptable — your mitigation measures reduce risks to a level that's proportionate to the purpose. Proceed with recording.
2. Risks need further mitigation — additional measures are needed before recording is justified. Document what changes are required and implement them.
3. Residual high risk remains — even after mitigation, the processing presents a high risk you cannot reduce. In this case, UK GDPR Article 36 requires you to consult the ICO before proceeding.

For most SME CCTV setups with standard cameras, proportionate coverage, and reasonable retention periods, the outcome will be option 1 — risks acceptable with standard mitigation measures in place.

Quick Example: One-Camera vs Six-Camera DPIA

Scenario A — single camera, front entrance: One HD camera covering the shop entrance for break-in detection. Records 24/7, 30-day retention, overwritten automatically. Access limited to the business owner. No audio. Signage displayed at the entrance. DPIA outcome: low risk — standard mitigation measures (signage, retention limit, restricted access) are sufficient. One-page DPIA is adequate.

Scenario B — six cameras, mixed areas: Two cameras covering the shop floor (theft prevention), one at the till (cash handling), one in the stockroom (employee-access area), one at the rear entrance, one covering the car park. Different retention periods per purpose (14–30 days). Three staff members have DVR access. DPIA outcome: moderate risk — the stockroom camera requires specific justification (employee monitoring), the car park camera may capture public pavement (proportionality review needed), and access controls must be documented per user. Three-to-five page DPIA with per-camera assessments.

The difference isn't the number of pages — it's the depth of your proportionality and risk analysis for each camera.

What Your DPIA Document Should Include

You don't need a 40-page report. A clear document covering these sections is sufficient:

1. Date and author — who completed the DPIA and when
2. System description — step 1 above
3. Lawful basis — typically legitimate interests under UK GDPR Article 6(1)(f), with a supporting legitimate interests assessment
4. Necessity and proportionality — step 2 above
5. Risks identified — step 3 above
6. Mitigation measures — step 4 above
7. Consultation — who was consulted (employees, data protection officer if you have one, any other stakeholders)
8. Outcome and sign-off — step 5, signed by a decision-maker

Consultation matters. The ICO expects you to seek the views of people who will be filmed, or their representatives. For employees, this means informing them about the planned CCTV, explaining why, and giving them an opportunity to raise concerns before cameras go live. You don't need unanimous consent — but you need evidence that you asked.

Common DPIA Mistakes

Writing it after the cameras are installed. The legal requirement is to assess impact before processing begins. Retrospective DPIAs are better than nothing but demonstrate non-compliance from the start.

Treating it as a one-off. A DPIA is a living document. Review it annually and update it when anything changes — cameras added, purposes changed, technology upgraded.

Copying a template without customising it. Generic DPIAs that don't reflect your specific cameras, locations, and purposes are worthless. The ICO looks for evidence that you assessed your actual system, not that you ticked boxes on a downloaded form.

Skipping consultation. "We didn't ask employees because we knew they'd object" is not a valid reason. Document the consultation even if the outcome is that concerns were noted but you proceeded with modified plans.

Ignoring audio recording. If your cameras have microphones (many IP cameras do by default), your DPIA must address audio recording separately. Recording conversations is significantly more intrusive than video alone and harder to justify.

How a DPIA Connects to Your Other Compliance Obligations

Your DPIA doesn't exist in isolation. It connects directly to:

• Your CCTV policy — the policy should reference the DPIA, and the DPIA should reference the policy
• Your camera register — the system description in the DPIA should match your camera register
• Your retention schedule — retention periods in the DPIA should match what's actually configured on your DVR/NVR
• Your signage — signs should reference the purposes documented in the DPIA

If these documents contradict each other — your DPIA says 30-day retention but your NVR is set to 90 days, for example — that inconsistency is a compliance failure in itself.

Check your overall compliance position with our free compliance checker, and read the full CCTV regulations guide for the complete picture of UK CCTV obligations.

This guide covers DPIA requirements for CCTV under UK GDPR Article 35 as of March 2026. It is not legal advice. If your DPIA identifies high residual risk or involves complex processing (facial recognition, AI analytics, cross-border transfers), consult a qualified data protection professional.

Sources

• ICO — How can we comply with the data protection principles when using surveillance systems?
• ICO — CCTV for your organisation: things you need to do
• Data Protection Act 2018 — legislation.gov.uk

Here's the exact process for handling a CCTV subject access request (SAR), the exemptions you can rely on, and what your response should include.

What Counts as a Valid CCTV Subject Access Request

A SAR doesn't need to use specific wording. The requester doesn't need to say "subject access request" or cite UK GDPR. According to ICO guidance for employers, a request can be made verbally, in writing, by email, or even via social media.

If someone asks "can I see the camera footage from Tuesday?" — that's a valid SAR if the footage contains their personal data.

You must respond even if you plan to refuse. The one-month deadline applies to all responses, including refusals.

The 7-Step CCTV DSAR Process

Step 1: Log the request immediately

Record the date received, who made the request, what footage they've asked for, and any specifics (date, time, camera location). This date starts your one-month clock.

Step 2: Verify identity

You need reasonable confidence the requester is who they claim to be. For employees, your existing records are usually sufficient. For external requesters, ask for photo ID plus proof of address.

Don't over-verify — the ICO considers excessive identity checks a form of obstruction. If you already know the person (a current employee, a regular customer), asking for formal ID may be unreasonable.

Step 3: Locate the footage

Check whether the footage still exists. If your retention period has expired and the footage has been deleted, tell the requester — that's a valid response. You're not required to retain footage longer than your policy states just because a request might arrive.

If the footage exists, identify every camera that may have captured the requester during the time period they've specified.

Step 4: Review and redact

This is where most businesses get stuck. CCTV footage almost always contains other identifiable people. You cannot hand over unredacted footage showing third parties unless:

• You have their consent, or
• It's reasonable to disclose without consent (rare for CCTV)

Practical redaction options:

• Blur or pixelate faces and identifiable features of third parties
• Provide still images with third parties redacted instead of full video
• Offer an in-person viewing where you can control what's shown

The ICO's SAR advice for small organisations confirms that redaction is expected when third-party data is involved.

If your DVR/NVR system doesn't support video export with redaction, you may need to use screen recording with areas manually obscured, or arrange a supervised viewing.

Step 5: Check exemptions

You may be able to withhold some or all footage if:

• Crime prevention or detection: Disclosure would prejudice an ongoing investigation (e.g., the footage is evidence in a theft investigation)
• Legal proceedings: The footage is subject to legal professional privilege
• Third-party rights: Redaction isn't possible and disclosure would identify others without justification
• Manifestly unfounded or excessive: The request is designed to harass rather than exercise a genuine right — but this is a high bar. A request you find inconvenient is not "manifestly unfounded"

Document your reasoning if you rely on any exemption. "We decided not to provide the footage" is not sufficient — you must explain which exemption applies and why.

Step 6: Prepare your response

Your response must include:

• Confirmation of what personal data you hold (the footage)
• A copy of the footage, or an explanation of why you're withholding it
• Information about your retention period and when the footage will be deleted
• Your lawful basis for processing (likely legitimate interests)
• The requester's right to complain to the ICO if unsatisfied

Deliver the footage securely. Password-protected USB drives, encrypted file sharing, or secure download links are all acceptable. Do not send unencrypted footage by email.

Step 7: Record your response

Log what you provided, when you provided it, and any exemptions relied upon. Keep this record — if the requester complains to the ICO, you'll need to demonstrate your process was lawful.

Response Deadlines: The One-Month Rule and Extensions

Standard deadline: One calendar month from the date you receive the request. Note that "one calendar month" is not always exactly 30 days — a request received on 15 January is due by 15 February; one received on 31 January is due by 28/29 February.

Identity verification and the clock start: If you reasonably need to verify the requester's identity before you can process the request, the one-month period begins when you are satisfied of their identity. However, you should request ID promptly — do not delay as a way to extend the deadline.

Clock pause for clarification: If the request is unclear (e.g., "I want all footage of me" without specifying dates or locations), you can ask the requester to narrow it down. Under the Data (Use and Access) Act 2025, the deadline pauses until they respond. This is separate from identity verification — clarification pauses the clock, while identity verification delays the clock's start. You can only pause the clock if you genuinely need clarification — not as a stalling tactic.

Extension for complexity: If the request is genuinely complex — multiple cameras, long time periods, extensive redaction needed — you can extend by up to two additional months. You must tell the requester within the original one-month period that you're extending and explain why.

No fee: SARs are free. You cannot charge for providing CCTV footage unless the request is manifestly unfounded or excessive (in which case you can charge a "reasonable fee" or refuse entirely).

CCTV SAR Response Template

Use this structure for your written response:

Subject: Response to your subject access request — [Date of original request]

• Confirm you received their request on [date]
• State that you've identified footage from [cameras/dates/times] containing their personal data
• Describe what you're providing (video file, stills, or offer of viewing)
• Note any redaction applied and why (third-party data protection)
• State any footage not provided and the specific exemption relied upon
• Include your retention period ("this footage will be deleted on [date] in line with our retention policy")
• Provide your contact details for follow-up
• Inform them of their right to complain to the ICO if dissatisfied

Keep the language plain. The ICO expects responses to be understandable, not buried in legal jargon.

Common Mistakes That Trigger ICO Complaints

Ignoring the request. The single most common failure. Even if you think the request is unreasonable, you must respond within one calendar month.

Demanding formal paperwork. Requiring a specific form, a written letter, or a particular format is not permitted. The request can be verbal.

Over-redacting to the point of uselessness. If you blur so much that the requester can't identify themselves in the footage, you haven't fulfilled the request. Redact third parties, not the requester.

Deleting footage after receiving the request. Destroying footage that's been requested is a serious breach. Once you receive a SAR, preserve the relevant footage until you've completed the response — even if your retention period expires in the meantime.

Missing the deadline without explanation. If you need more time, communicate that within the initial one-month period. Silent delays are treated as non-compliance.

When You Can Refuse

Refusal is possible but limited:

• The request is manifestly unfounded (e.g., the requester has explicitly stated the purpose is to disrupt your business)
• The request is manifestly excessive (e.g., requesting footage from every camera for an entire year with no legitimate reason)
• Providing the footage would prejudice a criminal investigation

If you refuse, you must tell the requester why, inform them of their right to complain to the ICO, and do so within one calendar month. You cannot simply not respond.

Practical Tips for SMEs

Set up your system properly now. Choose a DVR/NVR that supports footage export and date/time search. If extracting footage requires calling your installer, every SAR becomes expensive and slow.

Keep your camera register current. When a SAR arrives, you need to quickly identify which cameras may have captured the requester. A documented camera register saves hours of searching.

Have a named DSAR handler. One person who knows the process, has DVR access, and can respond within the deadline. For most SMEs, this is the owner or office manager.

Document your retention periods. Our retention calculator helps you set appropriate periods for each camera — which also tells you whether requested footage still exists.

Check your compliance gaps. Subject access requests often arrive alongside broader compliance questions. Our free compliance checker assesses your full CCTV compliance position in under 5 minutes.

This guide covers CCTV subject access request handling under UK GDPR and the Data Protection Act 2018 as of March 2026. It is not legal advice. For complex DSARs — particularly those involving ongoing legal proceedings or police investigations — consult a qualified data protection professional.

Sources

• ICO — Subject access request advice for small organisations
• ICO — Subject access request Q&As for employers
• Data Protection Act 2018 — legislation.gov.uk
• ICO — CCTV and video surveillance guidance

Here's the detail behind that answer, the one exception, and what it means for your business.

Why CCTV Footage Counts as Personal Data

UK GDPR defines personal data as "any information relating to an identified or identifiable natural person." CCTV footage meets this definition whenever a person in the footage could be identified — directly or indirectly.

You don't need to see someone's face clearly. A person can be identifiable from their clothing, build, location context (e.g., footage of a specific desk or workstation), or vehicle registration plate. If any of these make it possible to work out who the person is, the footage is personal data.

The ICO's CCTV guidance is unambiguous: CCTV footage containing identifiable individuals is personal data, and processing it is subject to UK GDPR.

The One Exception: Purely Domestic Use

Data protection rules do not apply to CCTV used by individuals for purely personal or household purposes. As GOV.UK guidance confirms, a camera on your own home to protect against burglary — covering only your own property — falls outside data protection law.

The moment a camera captures areas beyond your property (a public pavement, a neighbour's driveway, a shared car park), or is operated by a business rather than an individual, GDPR applies.

For businesses, there is no exception. Any CCTV operated by a business, charity, or other organisation is covered by data protection law — regardless of the number of cameras, whether footage is recorded, or whether anyone reviews it.

Which Laws Apply and How They Overlap

Three pieces of legislation work together:

Data Protection Act 2018 and UK GDPR set the core rules: you need a lawful basis for processing, you must be transparent about what you're doing, footage must be stored securely, and individuals have rights over their data.

Surveillance Camera Code of Practice adds 12 guiding principles specific to surveillance cameras. It applies directly to police and local authorities, but the ICO expects all organisations to follow it as good practice.

Data (Use and Access) Act 2025 amended UK GDPR and DPA 2018 with updated DSAR procedures and a mandatory complaints-handling duty (effective 19 June 2026). The core CCTV obligations haven't changed, but procedural requirements have been refined.

Seven Obligations GDPR Creates for CCTV Operators

Because CCTV footage is personal data, your business must:

1. Have a lawful basis for recording. Most businesses rely on "legitimate interests" under UK GDPR Article 6(1)(f). This requires a documented legitimate interests assessment demonstrating your interest in recording (e.g., preventing theft) outweighs the privacy rights of the people being filmed.

2. Maintain a camera register. Document every camera's location, purpose, and retention period.

3. Complete a DPIA. A Data Protection Impact Assessment is required when processing is likely to result in high risk — CCTV monitoring of workplaces and public areas qualifies.

4. Display compliant signage. Signs must include your business name, the purpose of recording, and contact details — placed before the camera's field of view. See our full signage guide.

5. Set retention limits. Keep footage only as long as necessary. The ICO recommends 30 days for routine business CCTV. Our retention calculator can help you define appropriate periods.

6. Handle subject access requests. Anyone filmed can request a copy of their footage. You have one calendar month to respond.

7. Register with the ICO. Pay the annual data protection fee (£52–78 for most SMEs). Failure to pay can result in enforcement action from the ICO.

For a detailed walkthrough of each obligation, read our complete CCTV regulations guide. Or check your current position with our free compliance checker.

What About Audio Recording?

Audio recording on CCTV is a separate and more sensitive issue. The ICO considers recording conversations "particularly intrusive" and harder to justify than video alone. Unless you have a specific, documented reason for recording audio — and have assessed it in your DPIA — keep microphones switched off.

Most SME CCTV setups have no legitimate reason to record audio. If your cameras have microphones enabled by default (many modern IP cameras do), disable them unless you've assessed and documented the justification.

What Happens If You Ignore It

ICO enforcement powers include:

• Information notices requiring you to provide information about your processing
• Assessment notices allowing the ICO to audit your CCTV compliance on-site
• Enforcement notices requiring you to change how you operate your cameras
• Penalty notices of up to £17.5 million (or 4% of annual global turnover)

In practice, most SMEs encounter the ICO through complaints — an employee files a DSAR, a customer complains about signage, or a neighbour reports cameras pointing at their property. The ICO investigates the complaint and often finds broader compliance failures.

The simplest way to avoid this: treat your CCTV footage as the personal data it is, and follow the obligations that come with it. Our 7-point compliance checklist shows you exactly where to start.

This article covers CCTV and UK GDPR as of March 2026. It is not legal advice. For specific situations, consult a qualified data protection professional.

Sources

• ICO — CCTV and video surveillance guidance
• GOV.UK — Data protection and your business: Using CCTV
• Data Protection Act 2018 — legislation.gov.uk
• Data (Use and Access) Act 2025 — ICO

Run through each point. If you can't tick it off, you have a gap that needs fixing.

The 7-Point CCTV Compliance Checklist

1. Camera register — documented and current

You need a written record of every camera you operate. Not a mental note. Not a folder from the installer that hasn't been opened since installation day.

Your register must include for each camera:

• Location (building, floor, specific area)
• Purpose (security, theft prevention, health and safety)
• Areas captured and whether the field of view includes any public areas
• Whether audio recording is enabled
• Retention period
• Named data controller

How to check: Open your register right now. Does the number of entries match the number of cameras actually installed? If you've added, moved, or removed cameras since the register was last updated, it's out of date.

2. DPIA — completed before cameras were switched on

A Data Protection Impact Assessment is required under UK GDPR Article 35 for any processing likely to result in a high risk to individuals. Systematic CCTV monitoring of workplaces or public areas qualifies.

Your DPIA should document why each camera is necessary, whether the surveillance is proportionate, what risks exist for the people being filmed, and what measures you've put in place to reduce those risks.

How to check: Do you have a written DPIA document? If the answer is "no" or "I'm not sure what that is," this is your highest-priority gap. The ICO's CCTV guidance for small organisations walks you through the basics.

3. CCTV policy — written and accessible

A documented policy explains why you use CCTV, your lawful basis, how footage is stored and secured, who can access it, retention periods, and how people can exercise their rights.

Your policy needs to be available to anyone who asks — employees, customers, visitors. Many businesses publish it on their website or reference it on their CCTV signage.

How to check: Can you produce your CCTV policy within 30 seconds? If it takes longer than that, it's either buried or it doesn't exist. Our free policy generator creates one tailored to your business setup.

4. Signage — compliant and visible at every entrance

Generic "CCTV in operation" stickers don't meet the legal requirements. Your signs must include:

• Your business name (the data controller)
• The purpose of recording
• Contact details (phone, email, or postal address)
• Where to find your full CCTV policy

Signs must be placed before the camera's field of view — people need to see the sign before the camera sees them.

How to check: Walk the route a visitor or employee would take to enter your premises. Can you read the sign before you're in view of the first camera? Does it name your business and state why you're recording? For the full requirements, read our signage guide.

5. Retention schedule — defined, documented, and enforced

UK GDPR's storage limitation principle means you must keep footage only as long as necessary for its stated purpose. The ICO's general recommendation is 30 days for routine business CCTV.

You need a defined retention period for each camera (or group of cameras serving the same purpose), and a process for securely deleting footage when the period expires.

How to check: Log into your DVR/NVR. How far back does the oldest footage go? If it's months or years old with no documented justification, you're in breach. Use our retention calculator to work out appropriate periods.

6. DSAR process — documented and ready to use

Anyone filmed on your CCTV can request a copy of that footage under UK GDPR. You have one calendar month to respond. The Data (Use and Access) Act 2025 added a "stop the clock" provision — the deadline pauses if you need more information from the requester.

You need:

• A named person responsible for handling DSARs
• A documented process for locating, reviewing, and redacting footage
• A method for securely delivering footage to the requester
• Knowledge of when you can and can't refuse a request

How to check: If an employee emailed you right now requesting footage of themselves from last Tuesday, could you fulfil that request within one calendar month? If you're not sure where to start, you don't have a process.

7. ICO registration — paid and current

Most UK organisations processing personal data must pay the annual ICO data protection fee:

• Tier 1 (micro): £52/year
• Tier 2 (small/medium): £78/year
• Tier 3 (large): £3,763/year

Failure to pay can result in enforcement action and penalty notices from the ICO.

How to check: Search the ICO register for your organisation. If you can't find yourself, you're either not registered or your registration has lapsed.

What to Do With Your Results

All 7 ticked: You're covering the core obligations. Review annually, especially after adding or moving cameras, changing staff access, or when the ICO updates guidance.

4–6 ticked: You have gaps, but you're not starting from zero. Prioritise: DPIA and ICO registration are the highest-risk items if missing (one's a regulatory failure, the other can result in ICO penalties).

0–3 ticked: Significant exposure. Start with the DPIA and camera register — everything else builds on those foundations.

For a more detailed assessment with specific recommendations for each gap, use our CCTV compliance checker. For the full breakdown of each obligation, read our complete UK CCTV regulations guide.

This checklist covers CCTV compliance obligations under UK legislation current as of March 2026. It is not legal advice.

Sources

• ICO — CCTV for your organisation: things you need to do
• Data Protection Act 2018 — legislation.gov.uk
• Data Protection (Charges and Information) Regulations 2018 — legislation.gov.uk

Here's exactly what your signs need to include, where to place them, and the mistakes that leave you non-compliant.

What UK Law Requires on CCTV Signs

The signage obligation comes from two sources: UK GDPR (the transparency principle, Articles 12–14) and the Surveillance Camera Code of Practice (Principle 2: the use of a surveillance camera system must take into account its effect on individuals and their privacy).

Together, they require that anyone entering a monitored area is informed clearly and in advance.

Five Things Every CCTV Sign Must Include

1. The data controller's identity

Your sign must name the organisation responsible for the CCTV system. For most SMEs, this is your business name or trading name — not your installer or security company.

Right: "Operated by ABC Retail Ltd" Wrong: "CCTV in operation" with no name

2. The purpose of recording

State why the cameras are there. Keep it specific to your actual reason for recording.

Right: "For the prevention and detection of crime and to ensure the safety of staff and customers" Wrong: No purpose stated, or a vague "for security purposes"

3. Contact details

Provide a way for people to contact the data controller — a phone number, email address, or postal address. People need to know how to ask questions, make a complaint, or submit a subject access request for footage of themselves.

4. Where to find more information

Reference your CCTV policy or privacy notice. This can be a URL, a QR code, or a physical location ("Our full CCTV policy is available at reception"). If you don't have a CCTV policy yet, generate one with our free policy generator.

5. A clear statement that recording is taking place

The sign must make it obvious that CCTV cameras are operating in the area. This sounds obvious, but signs hidden behind doors or obscured by foliage don't count.

Example Compliant Sign Wording

Based on industry practice, a compliant CCTV sign might read:

CCTV IN OPERATION

Operated by: ABC Retail Ltd

Purpose: For the prevention and detection of crime and to ensure the safety of staff and customers

Contact: data@abcretail.co.uk / 0123 456 7890

Our full CCTV policy is available at reception or at www.abcretail.co.uk/cctv-policy

Adapt the wording to match your business, purposes, and contact details. The key is that all five required elements are present and clearly readable.

Where to Place CCTV Signs

Signs must be visible and readable before someone enters the monitored area. Place them:

• At every entrance to a building, car park, or fenced area where cameras operate
• At eye level — typically 1.5 to 1.7 metres from the ground
• Before the camera's field of view — the person must see the sign before the camera sees them
• At each distinct monitored zone if your premises has separately monitored areas (e.g., warehouse and reception have different camera systems)

Sign sizing guidelines

There's no legal minimum sign size, but the ICO expects signs to be "clearly visible and legible." In practice:

• Internal doorways and corridors: A4 minimum
• External building entrances: A3 minimum
• Perimeter gates or car park entrances (vehicles approaching): A2 or larger, with text readable from a vehicle

If in doubt, stand where a visitor or employee would approach and check whether you can read the sign comfortably. If you have to squint, it's too small.

Common Signage Mistakes

Missing data controller name. The single most common failure. Your installer might have left a generic sign that says "CCTV in operation" — it doesn't name your business, so it fails the transparency requirement.

No contact details. Without a phone number, email, or address, people have no way to exercise their data rights. This is a UK GDPR Article 13 failure.

Signs placed after the camera. If someone is already being recorded before they see the sign, you haven't given them fair notice. The sign must come first.

Outdated business name. If your business has rebranded, changed its legal name, or moved premises, your signs need updating. A sign naming a business that no longer exists doesn't identify the current data controller.

Signs obscured or damaged. A faded, dirty, or blocked sign isn't "clearly visible." Check your signs regularly — especially outdoor ones exposed to weather.

What Happens If Your Signage Is Non-Compliant

Non-compliant signage doesn't automatically mean the ICO will fine you. But it creates three risks:

1. ICO complaints. If someone requests their CCTV footage (a DSAR) and discovers they weren't properly informed they were being recorded, the ICO is likely to investigate your wider CCTV compliance — not just the signage.

2. Employee tribunal evidence. In workplace disputes, non-compliant signage can undermine your ability to use CCTV footage as evidence. If the employee wasn't properly informed, the footage may be challenged.

3. Broader compliance failures. If your signage is wrong, it often signals other gaps — missing DPIA, no retention policy, no documented CCTV policy. The ICO looks at the whole picture.

Signage Checklist

Run through this for every monitored entrance on your premises:

• Sign names the data controller (your business)
• Sign states the purpose of recording
• Sign includes contact details (phone, email, or postal address)
• Sign references where to find the full CCTV policy
• Sign is placed before the camera's field of view
• Sign is at eye level and legible from a normal approach distance
• Sign is clean, undamaged, and current

Use our CCTV compliance checker to assess your overall compliance, including signage. For the complete picture of UK CCTV obligations, read our full regulations guide.

This guide covers CCTV signage requirements under UK GDPR and the Surveillance Camera Code of Practice as of March 2026. It is not legal advice.

Sources

• Surveillance Camera Code of Practice (amended 2022) — GOV.UK
• ICO — CCTV and video surveillance guidance
• Data Protection Act 2018 — legislation.gov.uk

This guide covers every UK CCTV regulation that applies to businesses in 2026, including changes introduced by the Data (Use and Access) Act 2025. No legal jargon — just what you need to do and how to prove you've done it.

Three Laws That Govern UK CCTV Regulations

Three pieces of legislation set the rules for business CCTV:

Data Protection Act 2018 and UK GDPR — the core data protection framework. CCTV footage counts as personal data whenever it captures identifiable individuals. Every rule that applies to personal data — lawful basis, purpose limitation, storage limitation, security — applies to your cameras.

Surveillance Camera Code of Practice — issued under the Protection of Freedoms Act 2012, this code sets 12 guiding principles for operating surveillance cameras. It applies directly to police and local authorities, but the ICO expects all organisations to follow it as best practice.

Data (Use and Access) Act 2025 — received Royal Assent in June 2025. This amends parts of UK GDPR and DPA 2018. Key changes for CCTV operators include updated subject access request procedures and mandatory complaints handling. The ICO is currently reviewing its CCTV guidance in light of these amendments.

Seven CCTV Compliance Obligations for UK Businesses

1. Maintain a camera register

Document every camera you operate: its location, purpose, field of view, retention period, and who is responsible for it. The ICO expects you to know exactly what surveillance equipment you run and why.

A paper logbook from your installer isn't enough if it hasn't been updated since installation day. Your register needs to reflect what's actually in place — updated when cameras are added, moved, or decommissioned.

Record per camera:

• Physical location (building, floor, specific area)
• Purpose (security, theft prevention, health and safety)
• Areas captured and whether the field of view includes public areas
• Whether audio recording is enabled (almost always disproportionate for SMEs — switch it off unless you have a documented justification)
• Retention period for footage from this camera
• Named data controller

Use our CCTV compliance checker to see where your current setup stands against these requirements.

2. Complete a Data Protection Impact Assessment (DPIA)

Under UK GDPR Article 35, you must carry out a DPIA before processing that is "likely to result in a high risk" to individuals. Systematic monitoring of public or workplace areas via CCTV qualifies.

Your DPIA should address:

• What you're recording and why it's necessary
• Whether the surveillance is proportionate to the stated purpose
• Privacy risks to the people being filmed — employees, customers, visitors, passers-by
• Specific measures to reduce those risks (restricted access, signage, retention limits, encryption)
• Whether you consulted the people affected

The ICO's CCTV guidance includes a self-assessment checklist covering DPIA requirements. If you haven't completed a DPIA for your cameras, you're already non-compliant — it's one of the first things the ICO checks during an investigation.

3. Write a CCTV policy

You need a documented policy explaining:

• Why your business uses surveillance cameras
• The lawful basis you rely on (usually "legitimate interests" for commercial CCTV)
• How footage is stored and secured
• Who can access footage and under what circumstances
• How long footage is retained
• How individuals can exercise their data rights, including making subject access requests
• How complaints about your CCTV use are handled

Your policy should be available to anyone who asks. Many businesses publish it on their website or display a summary alongside CCTV signage.

Generate a compliant CCTV policy tailored to your business in minutes with our free policy generator.

4. Display compliant signage

The Surveillance Camera Code of Practice and UK GDPR require you to inform people they're being recorded before they enter the monitored area. A generic "CCTV in operation" sticker is not sufficient.

Compliant signs must include:

• The identity of the data controller (your business name or trading name)
• The purpose of the surveillance (e.g., "for the prevention and detection of crime")
• Contact details — a phone number, email address, or postal address where people can reach the data controller
• A reference to how they can get more information (e.g., "Our full CCTV policy is available at reception" or a URL)

Place signs at every entry point to a monitored area. They must be clearly visible and legible before someone enters the camera's field of view.

For the full breakdown — including sign placement, sizing, and common mistakes — read our guide to CCTV signage requirements in the UK.

5. Set and enforce retention schedules

There is no fixed legal maximum for how long you can keep CCTV footage. But the storage limitation principle under UK GDPR means you must retain footage only as long as necessary for its stated purpose — and no longer.

The ICO's general position is that 30 days is appropriate for most routine business CCTV. Keeping footage longer requires a documented justification (ongoing investigation, insurance claim, legal proceedings).

Typical retention periods:

• Routine security footage: 30 days
• Incident-related footage: duration of the investigation or claim
• Footage subject to a DSAR: retained until the request is fulfilled, then deleted per normal schedule

Once the retention period expires, footage must be securely deleted. "We forgot to delete it" is not a lawful basis for extended retention.

Work out the right retention period for each of your cameras with our free retention calculator.

6. Handle subject access requests within one calendar month

Under UK GDPR, anyone captured on your CCTV can request a copy of that footage. This is a Data Subject Access Request (DSAR), and you have one calendar month to respond from the date you receive it.

The Data (Use and Access) Act 2025 introduced a "stop the clock" provision: if you need additional information from the requester to locate the footage (the date, approximate time, which camera or location), the one-month clock pauses until they provide it. Once they respond, the countdown resumes.

When fulfilling a DSAR:

• Provide the footage free of charge unless the request is manifestly unfounded or excessive
• Redact or blur other identifiable individuals in the footage before sharing it
• If the footage has already been deleted under your retention policy, explain this clearly to the requester — you're not required to retain footage in anticipation of possible requests

Failing to respond within the one-month deadline is one of the most common triggers for ICO complaints about CCTV.

7. Register with the ICO and pay the data protection fee

Most UK organisations processing personal data — including via CCTV — must pay the annual ICO data protection fee. The amount depends on your organisation's size:

• Tier 1 (micro organisations): £52/year — up to 10 staff, turnover under £632,000
• Tier 2 (small and medium organisations): £78/year — up to 250 staff, turnover under £36 million
• Tier 3 (large organisations): £3,763/year

Failure to pay the data protection fee can result in enforcement action and penalty notices from the ICO.

Set a calendar reminder for your renewal date. It's a small cost with disproportionately large consequences if you forget.

What Changed in 2025–2026

The Data (Use and Access) Act 2025 doesn't replace UK GDPR or the DPA 2018 — it amends them. For CCTV operators, the practical changes are:

Subject access requests — the new "stop the clock" rule means your one-month response window pauses while you're waiting for information from the requester (e.g., date, time, camera location). This is genuinely helpful for DSARs where the requester's initial description is vague.

Complaints handling — from 19 June 2026, you will be required to have a documented process for handling complaints about your data processing, including CCTV. While this duty is not yet in force, the ICO recommends establishing a complaints process now as good practice.

ICO guidance under review — the ICO has flagged that its video surveillance guidance is being updated in light of the DUAA. Check back for revised requirements as they're published.

The core obligations haven't changed — camera registers, DPIAs, signage, retention, DSARs, and ICO registration are all still required. The DUAA adds procedural refinements, not new obligations.

Where Most SMEs Get It Wrong

Five compliance failures that the ICO sees repeatedly:

1. No DPIA at all. Cameras get installed for security. Nobody assesses the privacy impact. The DPIA is required before you switch the cameras on — not after the ICO asks for it.

2. Non-compliant signage. A "CCTV in operation" sticker without your business name, the purpose of recording, or contact details fails the requirements under both the Code of Practice and UK GDPR.

3. No retention policy. Footage sitting on a DVR or NVR indefinitely with no deletion schedule breaches the storage limitation principle. Define a retention period, document it, and enforce it.

4. Ignoring DSARs. Employees and customers have a legal right to footage containing their image. Not responding within one calendar month is one of the easiest ways to trigger an ICO investigation.

5. Lapsed ICO registration. The annual fee is £52–78 for most SMEs. Forgetting to renew can result in a penalty notice from the ICO.

Your Compliance Checklist

If you're starting from zero or want to confirm where you stand:

1. Audit your cameras — use our CCTV compliance checker to identify gaps in under five minutes
2. Build your camera register — document every camera's location, purpose, and retention period
3. Complete a DPIA — assess whether each camera is necessary and proportionate to its purpose
4. Write your CCTV policy — our policy generator creates one tailored to your setup
5. Check every sign — each entry point needs a sign with your business name, purpose, and contact details. See our signage guide for the full requirements
6. Set retention schedules — define how long footage is kept per camera and set up a deletion process. Our retention calculator helps
7. Prepare a DSAR process — document how you'll find, redact, and deliver footage within one calendar month
8. Verify your ICO registration — confirm you've paid the current year's data protection fee

For a condensed version of these obligations, see our CCTV compliance checklist.

This guide covers CCTV compliance for UK businesses under legislation current as of March 2026. It is not legal advice. For complex situations — covert surveillance, audio recording, body-worn cameras, or cross-border data transfers — consult a qualified data protection professional.

Sources

• ICO — CCTV and video surveillance guidance
• Data Protection Act 2018 — legislation.gov.uk
• Surveillance Camera Code of Practice (amended 2022) — GOV.UK
• Data (Use and Access) Act 2025 — ICO
• Data Protection (Charges and Information) Regulations 2018 — legislation.gov.uk