Skip to content
LegalVision UK

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Most UK businesses utilise CCTV systems to protect their premises, staff and property. There are around 6 million CCTV cameras in the UK, with approximately 1 camera for every 11 people. Whilst your company can use closed-circuit television systems, it must comply with the GDPR rules. Any failure to comply with the GDPR can result in a hefty fine from the Information Commissioner’s Office (ICO). This article will detail how your business can safely use CCTV to protect staff and property while avoiding ICO fines. This will help your company deter unlawful behaviour without the threat of hefty financial penalties.

What is the GDPR?

The UK General Data Protection Regulation (GDPR) is a UK law detailing data protection principles, including rules which apply to the safe use of CCTV. Most UK companies are motivated to comply with GDPR rules because of the genuine threat of ICO fines in case of a breach.  

Whilst the GDPR rules on CCTV rules are not always straightforward, the following requirements stand out as being worthy of attention:

  • use noticeable CCTV warning signs near cameras to warn individuals of closed-circuit television usage;
  • carry out periodic risk assessments regarding CCTV usage (sometimes referred to as Data Protection Impact Assessments);
  • share CCTV footage with the police without unreasonable delay;
  • provide CCTV footage with individuals within one calendar month of any Subject Access Request;
  • keep CCTV recordings no longer than truly necessary; and
  • pay the relevant data protection fee to the ICO.

We will explore each of these in turn below. But, before doing so, let us consider the role of the ICO.

Who Are the ICO?

The Information Commissioner’s Office is an independent organisation that can impose hefty financial penalties on UK businesses in breach of the GDPR. Most UK companies take heed of the ICO and seek to comply with its online guidance due to their ability to fine UK organisations up to £17.5m for data protection violations. 

The ICO takes a hard stance on the misuse of CCTV due to the risks of large-scale privacy breaches.  Any UK business found to use video surveillance outside the parameters of the GDPR will likely face heavy ICO fines.

In reality, the ICO accepts that most UK businesses desire CCTV as a deterrent against unlawful activity. Accordingly, they seek to ensure that video surveillance is reasonable and transparent.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

1. CCTV Signage

The ICO sets out most of its expectations for CCTV signage on its website. Overall, they expect UK businesses to notify individuals of CCTV system usage in a sensible and conspicuous manner. 

The primary data protection requirements regarding CCTV include the following:

  • the use of large font and CCTV symbols on large signs;
  • placement of CCTV warning signs near the relevant cameras;
  • ensuring CCTV signs are placed near eye level and not hidden around corners; and
  • placing a telephone number on the CCTV signage so an individual can ring the CCTV  operator with any queries or concerns.

The ICO will likely punish any UK company that does not use prominent and noticeable CCTV signage. So, for example, your sign should be at eye level, use large font and CCTV symbols and contain contact details for the CCTV operator. Conversely, it should not be a small sign, high up with no relevant information.

2. Data Protection Impact Assessment

Every UK business operating CCTV technology should carry out a Data Protection Impact Assessment (DPIA). This is a type of risk assessment in which your business considers any potential privacy risks to individuals and details how it will mitigate them. So, if you believe placing a CCTV camera near a communal kitchen area may risk privacy, the DPIA could record that the CCTV camera does not record audio.

A DPIA also sets out your company’s main reasons for using CCTV. Most UK businesses will name crime prevention and staff safety as their main reasons. Naturally, most UK companies hope that CCTV signage and cameras will be an effective deterrent against unlawful activity. 

3. Share CCTV Images With the Police

The GDPR emphasises the processing of data for lawful purposes. In this way, you can provide CCTV recordings to the police upon request, absent the consent of any individuals within those recordings.

Whilst this may appear slightly obvious, there needed to be more clarity upon introducing the Data Protection Act regarding whether businesses were free to do so. The GDPR changes nothing in this regard, and data protection law requires your company to provide CCTV content to crime agencies as soon as practicable.

4. Provide Images Within One Calendar Month

It is not only crime agencies that may request CCTV recordings. Individuals can request CCTV footage and may do so through a Subject Access Request. Your business should provide CCTV footage to any individual who requests such information (as long as that footage contains images of them) within one calendar month.

One example of why an individual may request CCTV footage may be to provide evidence of an assault. For instance, suppose an individual enters a retail store and then suffers physical assault and wishes to sue the individual responsible.

5. Delete CCTV Recordings When No Longer Necessary

This is one of the lesser-known CCTV regulations within the GDPR. If the CCTV footage serves no further purpose, you can delete it. This may relieve your business as CCTV content takes up a lot of digital storage space, and storing dozens of days of footage may require expensive hard drives.

However, this does not mean you simply pick a period and delete everything automatically. For example, suppose an employee complains of an incident on the premises three weeks ago and your company starts a disciplinary investigation. In that case, it should ensure that relevant recordings are deleted once the matter is over.

6. Pay Data Protection Fee to ICO

Any UK business using CCTV for crime prevention must pay a data protection fee to the ICO. The ICO sets three levels of data protection fees depending on the size of the company, with the cost ranging from £40 to £2,900 per year. These figures are subject to change each year.

The ICO website contains a helpful summary of the fees payable, albeit most UK businesses pay either £40 or £60 per year. Any failure to pay the data protection fee can result in a fine of up to £4,000 for non-payment.

Key Takeaways

The good news is that the ICO is happy with UK businesses using CCTV systems to protect their property and staff, and they simply want UK organisations to ensure full GDPR compliance when doing so. Following the above-mentioned legal requirements can help your company avoid a hefty ICO fine and have peace of mind when operating its CCTV network. 

If you need help ensuring the safe use of your CCTV system, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Does the GDPR specify the type of CCTV device?

No, the GDPR and ICO simply hold any device capable of video or audio recording as CCTV.  So, for example, a dash cam on a company vehicle could constitute CCTV under its definition. 

How broad is the definition of crime prevention?

A UK business can use crime prevention as a good reason for operating a CCTV system if it seeks to deter unlawful behaviour and protect its company property and staff members from harm. 

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Do GDPR Rules Cover My Company’s Telephone Conversations in the UK?

Does the GDPR Cover Information Relating to My Company’s Car Park in the UK?

I Run a Yoga Studio in England.  Do I Need a CCTV Policy?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times