CCTV rules and regulations in the UK

Anurag Chaudhary
1/20/2025

CCTV cameras have quickly emerged as a third eye for businesses and homes alike, used to monitor premises and watch for intrusion. The growing importance of CCTV cameras for security has led to the UK alone having five million security cameras in place. That is one camera for every 14 people, the highest count in Europe.

Some argue that CCTV systems not only enable security but also pave the way for increased surveillance that infringes on people's privacy rights. The debate over which side outweighs the other continues as technology advances. As the complexities of surveillance loom over society, it ultimately falls to lawmakers to find a balance.

Rules for commercial CCTV systems

Although CCTV cameras are a common sight in business settings, they don't go unnoticed by lawmakers and data protection regulators. In the UK, installing CCTV cameras in commercial places is subject to specific rules under two laws: the DPA and GDPR. Both laws view the visuals of individuals captured in CCTV footage as a form of personal data, especially if there is a likelihood of them being identified.

GDPR and the DPA require that footage on commercial and industrial property be recorded in a way that respects the rights of the individuals being filmed and be used only for the intended purposes. Using footage beyond its intended purposes, such as using footage originally recorded for security reasons for marketing or tracking, can result in fines and legal action. If a business is found to be misusing CCTV, the enforcement actions can result in fines of up to £500,000 or even criminal charges.


Permission and reason justification for CCTV systems

Although permission for setting up CCTV cameras is not required, the owners of the commercial property must inform the ICO of their intent to deploy them. Businesses need to have a clear and legitimate reason, such as security or crime prevention, for deploying CCTV. This ensures the cited reason aligns with the principles of necessity and proportionality as outlined in the DPA and GDPR.

Usually, security is cited as a legitimate reason why businesses need CCTV on their premises to safeguard assets, monitor operations, or deter crime. Achieving a justified security strategy requires more than just security measures in place. Assessing and documenting how CCTV aids in their cited strategy eliminates the vagueness of the reasoning.

A thorough documentation of a security strategy involves the following:

  • Creating a detailed security plan outlining areas where CCTV will be installed. This makes sure the purpose of CCTV is limited to the cited security purposes and not used for any other unauthorized means.
  • Carrying out a risk assessment of theft, unauthorized access, or vandalism to business assets.
  • Identifying vulnerabilities in the current security measures that could be exploited, for example poorly lit areas or a lack of security cameras in certain locations.
  • Assessing the effectiveness of CCTV in providing evidence in cases of incidents or enhancing overall security.

Further, justification requires regularly reviewing the significance of CCTV as business operations evolve. If, over time, the business's mode of operation shifts away from its existing one, the need for CCTV should be reviewed again for justification. For example, the need for a retail store to have CCTV surveillance in place may no longer be justifiable if it shifts to an online e-commerce platform.


Consent and notification

In areas like workplaces, employees expect a reasonable level of privacy. It is necessary to obtain written consent or provide the details of the CCTV surveillance in agreements signed with them while onboarding. It is also important to inform visitors of the CCTV presence, either verbally or through visible signage. Communicating any updates introduced in the CCTV policies to employees ensures the use of CCTV does not hamper their privacy rights. This proactive approach encourages transparency and reduces the distress caused by surveillance.

CCTV footage management and data protection

CCTV cameras, with their high-resolution recording, produce a large amount of video data. The suggested retention period for footage, to avoid legal complications, is as long as is necessary for business needs.

Businesses need to have robust storage solutions, like cloud-based options, to handle data production without compromising performance or running out of space when extended retention is required.

When an individual requests a copy of data, businesses need to fulfill their request within one calendar month. Moreover, charging someone a fee for providing images from CCTV is not ethically sound.

CCTV footage often contains sensitive information, including images of individuals. Data protection laws require enhanced security features like encryption and access controls for businesses to protect the integrity and confidentiality of the footage.


Additional responsibilities for businesses in CCTV use

  • Appointment of a data protection officer (DPO)
    The DPO acts as a point of contact for data subjects and regulatory authorities. As per Article 37 of the GDPR, the appointment of a DPO is required when organizations are involved in processing large volumes of personal data or systematic monitoring of individuals, including CCTV operations. For businesses to ensure compliance, the DPO should be skilled in data protection matters, conducting data protection impact assessments, and formulating CCTV policies and practices.
  • Conducting regular privacy impact assessments (PIAs)
    The use of surveillance systems to process sensitive data poses a high privacy risk to individuals. Therefore, it is a legal obligation for businesses to comprehend the risks and mitigate them before they occur. Both GDPR and the DPA require businesses using surveillance systems to carry out a data protection impact assessment. Conducting a PIA not only encourages a proactive approach to data protection but also ensures compliance with laws.

Rules for domestic CCTV systems

If the CCTV system only covers the areas up to your property boundary, you need not worry about the regulations and ensuing restrictions. However, if the range of CCTV footage overlooks neighboring properties, streets, or public footpaths, then the regulations (GDPR and the DPA) become applicable. Property owners must be aware of the applicable regulations to maintain compliance and avoid potential legal issues.

Footage captured may breach privacy rights under Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law through the Human Rights Act 1998. It requires homeowners to be mindful of the visuals cameras can capture. The Information Commissioner's Office (ICO), a statutory body that regulates and enforces GDPR and the DPA 2018, receives many complaints from people about neighbors spying on them through domestic CCTV systems.

Therefore, the ICO has formulated a list of considerations to reduce the risk that domestic CCTV cameras pose to the privacy of others:

  • There is visible signage in place to notify people that they may be recorded.
  • Limitation of coverage only to meet the intended purpose without intruding into neighboring properties or public spaces.
  • Implementation of basic security measures like password protection to prevent unauthorized access.
  • Staying up-to-date with evolving laws and regulations that may affect domestic CCTV camera usage.
  • Establishment of policies for retaining and deleting footage after a reasonable period (unless access requests are made, as stated below).

    Individuals who believe their image has been captured on a private property's CCTV camera may request its deletion or a copy of the footage for legal or personal purposes. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) empower individuals to exercise their privacy rights, whether to protect their privacy or to gather evidence for any potential legal proceedings.
    The property owners must verify the identity of an individual exercising the right to request access to CCTV footage. They should ensure the copy of the data being handed over only pertains to that individual. They may also deny the request if the recording contains content infringing on the privacy rights and freedoms of third parties. Individuals with any dispute arising out of a request not being fulfilled can reach out to the Information Commissioner's Office (ICO) for resolution.

The bottom line

The widespread deployment of CCTV systems in the UK, with one camera for every 14 people, has created a complex regulatory landscape that businesses and homeowners must carefully navigate. While CCTV provides essential security benefits, compliance with GDPR, DPA, and other regulations requires implementing sophisticated technical measures. Video anonymization has emerged as a critical solution for handling Data Subject Access Requests (DSARs) and enabling compliant sharing and storage of recordings with third parties. This technology, which can be integrated as either a VMS module or standalone software, helps organizations "stay on the safe side" of privacy regulations. Gallio PRO represents a cutting-edge standalone solution, leveraging advanced AI algorithms for video anonymization. Organizations interested in exploring this solution can download a demo version or contact the company directly for more information about implementing this privacy-enhancing technology in their CCTV operations.