GDPR and CCTV: ICO Registration, Signage Requirements, Retention Periods and Subject Access Requests
Quick Answer: CCTV footage is personal data under the UK GDPR (Data Protection Act 2018). Operators must: display clearly visible signage informing people they are being recorded; retain footage for the minimum necessary period (typically 7–31 days for most commercial CCTV); respond to Subject Access Requests (SARs) within one month; and, where CCTV is used by a non-domestic operator, register with the ICO (£40–2,900/year depending on tier). Domestic CCTV covering your own property only (not public areas or neighbours' properties) is exempt. Footage capturing public highways or neighbouring properties carries significant compliance obligations.
Summary
The ICO (Information Commissioner's Office) regulates all CCTV use in the UK that involves recording identifiable individuals. The UK GDPR (retained after Brexit, with the Data Protection Act 2018) treats CCTV images as personal data as soon as they are capable of identifying a person — even if no identification is actually made. This means the rules apply from the moment a camera is pointed at an area where identifiable individuals may be captured, not only when identification is actually used.
For installers, GDPR compliance is a customer obligation that you are best placed to advise on. Installing a system that gives the customer a compliance problem — because signage is not specified, or the system retains footage for two years without a policy in place — creates reputational and potential legal risk for the installer. Professional installers include a basic GDPR advisory in their handover documentation, particularly for commercial customers.
The key principle of UK GDPR is lawful basis. CCTV must have a lawful basis for processing personal data. The most commonly applicable bases for security CCTV are:
- Legitimate interests (commercial CCTV for security purposes) — most common for commercial operators
- Public task (CCTV operated by local authorities or public bodies)
- Consent — rarely used for CCTV (consent must be freely given; difficult when the camera covers a public access area)
Key Facts
- UK GDPR — UK General Data Protection Regulation; retained EU law post-Brexit; governs all personal data processing in the UK including CCTV
- Data Protection Act 2018 (DPA 2018) — UK implementing legislation alongside UK GDPR
- ICO — Information Commissioner's Office; regulates data protection in the UK; issues enforcement notices and fines
- ICO registration — most organisations using CCTV must register as a data controller with the ICO; annual fee: Tier 1 (micro-organisations, <10 staff, turnover <£632k): £40; Tier 2 (SME): £60; Tier 3 (large): £2,900
- Domestic exemption — CCTV covering only your own property interior and exterior (not capturing public areas or neighbours' properties) is exempt from most UK GDPR requirements
- Public area capture — if any camera covers a pavement, road, or neighbouring garden/driveway, the domestic exemption does not apply and UK GDPR obligations kick in
- Signage — must be clearly visible before entering the monitored area; must state who is operating the CCTV and a contact for enquiries; ICO has a CCTV signage guidance leaflet
- Privacy notices — a full privacy notice (available on a website or poster) must be accessible to anyone captured by the CCTV; the signage provides the brief notice; the full notice provides full detail
- Retention period — no specific statutory period; the principle is minimum necessary; most commercial CCTV operators use 7–31 days; longer periods require documented justification
- Subject Access Request (SAR) — any individual captured on CCTV can request a copy of footage in which they appear; must be responded to within one month; third parties' images must be redacted before providing the footage
- Data breach — if footage is stolen, unlawfully accessed, or accidentally destroyed (without proper security measures in place), this may constitute a data breach requiring ICO notification within 72 hours
- Impact assessment (DPIA) — a Data Protection Impact Assessment is required before deploying high-risk CCTV (e.g. systematic monitoring of public spaces, large-scale CCTV covering many individuals)
- Body-worn cameras — subject to the same rules as fixed CCTV; often deployed by security guards; specific policies required on when to activate, store, and delete footage
- Covert cameras — hidden cameras require very strong justification (criminal investigation, operational necessity); covert domestic surveillance cameras (e.g. facing neighbour's property) are potentially unlawful under both GDPR and the Protection from Harassment Act 1997
Quick Reference Table
Spending too long on quotes? squote turns a 2-minute voice recording into a professional quote.
Try squote free →| Camera Location | Domestic Exemption? | ICO Registration? | Signage Required? | SAR Response Obligation? |
|---|---|---|---|---|
| Inside own home only | Yes | No | No | No |
| Own garden/driveway (not capturing public) | Usually yes | No | Recommended | No |
| Own property but captures public pavement | No | Yes | Yes | Yes |
| Own property but captures neighbour's garden | No | Yes | Yes | Yes |
| Commercial premises, own property only | No | Yes | Yes | Yes |
| Commercial premises capturing public area | No | Yes | Yes | Yes |
| Public CCTV (local authority, BID) | No | Yes | Yes | Yes |
Detailed Guidance
Lawful Basis for CCTV
The lawful basis must be established before deploying CCTV — it cannot be justified retrospectively. For most security CCTV, the appropriate basis is:
Legitimate interests (Article 6(1)(f) UK GDPR):
- Applies when the operator has a genuine, legitimate security interest
- Must be balanced against the individual's rights — the camera cannot capture more than necessary for the stated purpose
- Required documentation: a Legitimate Interests Assessment (LIA) or brief written justification for each deployment
- Examples: retailer recording interior to prevent shoplifting; householder recording driveway to deter vehicle theft; employer recording server room to prevent data theft
Balancing test for legitimate interests:
- Purpose test: is there a legitimate interest? (Yes — security and crime prevention)
- Necessity test: is CCTV necessary to achieve this purpose? (Could it be achieved less intrusively? — assess alternatives like improved lighting, access control, alarms)
- Balancing test: do the individual's rights override the legitimate interest? (Consider whether individuals are monitored in private areas, whether they have reasonable expectation of privacy)
Signage — What the Law Requires
The ICO's CCTV guidance specifies that signage must:
- Be clearly visible before entering the monitored area (not inside the area after the fact)
- State who is operating the CCTV (company name or trading name)
- Provide a contact point for enquiries (website URL, phone number, or email)
- Include the ICO logo or reference to the Data Protection Act (optional but recommended)
Practical signage requirements:
For a small commercial premises:
- Sign on the door/entrance: "CCTV in operation. Recorded footage is monitored for security purposes. Data controller: [Company Name]. Contact: [website or phone]."
- Minimum sign size: A4 or equivalent — readable at arm's length from the entrance
For a large car park or open area:
- Signs at all entrances; plus additional signs so that wherever someone stands, they are within view of a sign
- For large areas, bilingual signage may be needed in some UK regions
For a residential driveway camera capturing the public pavement:
- A small sign near the camera or at the property boundary is sufficient: "[Name/Address] CCTV. For enquiries: [contact]."
The CCTV Code of Practice from the ICO provides example signage. Download and adapt from the ICO website.
Retention Period — Setting a Policy
No UK law sets a mandatory retention period for CCTV footage, but the UK GDPR principle of storage limitation requires that data is held no longer than necessary. For most security CCTV:
- 7 days — standard for low-risk commercial premises; adequate time for incidents to be reported and footage reviewed
- 14 days — common for retail and commercial properties with higher incident rates
- 31 days — typical maximum for most standard commercial CCTV; beyond this, most operators cannot justify extended retention without specific documented reason
- 90 days+ — BS 8418 ARC-monitored systems may have specific retention requirements for verified activations; or where regulatory requirements apply (e.g. financial services premises, licensed venues)
Setting the retention period: Document the retention period in a written CCTV policy. The policy should state:
- Retention period (e.g. 14 days for standard footage; 90 days for footage associated with a reported incident)
- How footage is deleted at the end of the retention period (NVR overwrite, or manual deletion)
- Who has access to the footage (management only; specific named individuals)
- Procedure for handling SARs
The retention period should be configured on the NVR/DVR — most systems can be set to overwrite after a defined number of days. This automatic overwrite is the most efficient way to comply.
Subject Access Requests (SARs)
Any individual who appears in CCTV footage can submit a SAR requesting a copy. The operator must:
- Verify the identity of the requester
- Search the footage for the time period requested
- Extract the relevant footage
- Redact (blur or pixelate) any third parties who appear in the footage who did not submit the SAR
- Provide the footage in a usable format (typically on a USB drive or secure download)
- Respond within one month; extension of 2 further months possible for complex requests (with notification)
- Provide the footage free of charge (charging for SARs is no longer permitted under UK GDPR)
Challenges with CCTV SARs:
- Identifying the requester in the footage (many NVRs do not have facial recognition; manual search is required)
- Redacting third parties (requires video editing software; time-consuming for long footage)
- Retention period expiry — if the requested footage has been overwritten, you must tell the requester that the data no longer exists
What to do when you receive a SAR:
- Acknowledge receipt in writing immediately; the one-month clock starts from receipt
- Request reasonable proof of identity if the requester is unknown to you
- Search the footage; if found, proceed to redact and export; if not found, explain why (overwritten, not on camera, etc.)
- Never delete footage you believe may be subject to a pending or expected SAR — deletion of requested data may be treated as obstruction
Installer Responsibilities
As an installer, you do not process the CCTV data — the customer (the data controller) does. Your obligations are:
- Advise the customer of their basic GDPR obligations at handover
- Configure retention periods to a sensible default (e.g. 14 or 31 days, clearly documented)
- Do not retain access to the customer's footage without agreement — if you have remote access for maintenance, this should be documented and access should be limited to what is necessary
- Data processing agreement — if you retain any ability to access the customer's footage (e.g. for monitoring contract), you must have a data processing agreement in place with the customer; you become a data processor
If you act as a data processor (e.g. you operate the monitoring service or retain recordings), you have direct obligations under UK GDPR to maintain appropriate security and not process data for purposes beyond those agreed with the customer.
Frequently Asked Questions
Does a pub or restaurant need to register with the ICO for CCTV?
Yes — any commercial operator using CCTV that captures identifiable individuals must register with the ICO unless they are a sole trader/micro-organisation with specific exemptions. Most pubs and restaurants would register as a Tier 1 or Tier 2 organisation. The registration is straightforward and takes approximately 15 minutes online; the fee is £40 or £60 per year.
Can I use CCTV footage to dismiss an employee?
Yes — if the footage was captured lawfully (employees were aware of the CCTV system; it was not covert; the footage captures misconduct within a relevant monitored area). Using CCTV footage in disciplinary proceedings is lawful and accepted by employment tribunals. However, covert monitoring of employees in areas where they have a reasonable expectation of privacy (changing rooms, break rooms) without strong justification is likely unlawful and can invalidate the evidence.
Can my customer share CCTV footage with the police?
Yes — sharing footage with police for the prevention or detection of crime is a recognised lawful basis for disclosure under the Data Protection Act 2018. Customers should not withhold footage from police investigating a crime on the grounds of GDPR. However, speculative sharing of footage (e.g. handing footage to a third party without a genuine law enforcement request) without a lawful basis is a potential breach.
Regulations & Standards
UK GDPR (retained Regulation (EU) 2016/679) — main data protection framework; principles, lawful basis, data subject rights
Data Protection Act 2018 — UK implementing legislation; domestic exemption; criminal offence provisions
ICO CCTV Code of Practice — ICO guidance on CCTV; available at ico.org.uk; covers signage, retention, SARs, and impact assessments
Protection from Harassment Act 1997 — relevant where CCTV cameras are used to monitor neighbours
Human Rights Act 1998 (Article 8) — right to privacy; must be considered in CCTV deployment decisions
ICO CCTV Guidance — comprehensive ICO guidance on CCTV compliance
ICO Register of Data Controllers — check registration status
Surveillance Camera Commissioner Code of Practice — statutory code for public-space CCTV operated by local authorities and police
BSIA GDPR Guidance for Security — industry-specific GDPR guidance from the British Security Industry Association
bs 8418 registered cctv — monitored CCTV under BS 8418 and the additional data obligations
nsi ssaib approval guide — professional installer approval and compliance context
cctv camera types selection — camera placement to minimise unnecessary data capture
nvr dvr storage sizing — configuring retention periods at the recording device