Is It Legal to Record Customers Who Enter My Business?

As a business owner, you will want comfort that customers entering your business act appropriately. For example, shop owners want to ensure customers are not shoplifting. Whilst it is not illegal to record customers, there are several legal rules to follow when doing so. This article will set out the key rules to follow to ensure your recording of customers is legal. 

Legal Rules When Recording Customers

Business owners often use video recording systems (e.g. CCTV) to record customers entering their businesses. When recording customers, you must comply with data protection law rules under the UK General Data Protection Regulation (UK GDPR).

There are a lot of rules to follow when recording customers, but it is vital to comply with them. Breaching the UK GDPR rules can lead to various negative consequences, including:

• regulatory action with fines as high as £17.5 million, or 4% of your worldwide annual turnover, whichever is higher;
• claims from individuals whose rights you have breached; and
• loss of trust from customers and severe brand damage. 

Key Steps to Ensure Your Recording of Customers is Legal

The UK ICO (the data protection regulator) has issued guidance to help organisations ensure their recording of customers complies with data protection laws. 

The following checklist sets out the key steps to follow to ensure that your recording of customers is legal.

1. Ask if You Need to Record Customers

From the outset, check if you really need to record your customers. Is it necessary, or is there another, less invasive way to address your concerns?

2. Conduct a Data Protection Impact Assessment

If you decide you really need to record your customers and can justify it, carry out a ‘Data Protection Impact Assessment’. This is a risk assessment whereby you must consider the risks the recording poses to the privacy of customers and how to alleviate those risks. 

3. Implement Policies

You should implement a policy to document your procedures for recording customers (e.g. a CCTV policy). Likewise, appoint an individual responsible for your customer recording systems and compliance with your policy. 

4. Consider the Lawful Basis for Processing

When recording customers, consider and document a ‘lawful basis for processing’ (such as ‘consent’ or ‘legitimate interests’). The lawful basis for processing means the legal reason you are allowed to process personal data. You must also ensure that you use the recordings only for intended purposes. For example, if you intend to use footage to prevent crime, then ensure you are not using it to spy on staff. 

5. Inform Your Customers

Ensure your business can provide customers with information about how and why you will use their personal data. You need to give individuals a lot of information, including the identity of your business, your contact details and their legal rights. Some businesses display signs simply stating ‘CCTV is in operation’ – however, this is not enough information.

In practice, this obligation can be difficult to implement. When customers are browsing your shop, it is hard to give them such detailed information. Practically, many businesses give individuals basic information and direct them to where they can find further information. For example, you could put up a clear sign stating that the customers are being recorded, with your business name and contact details. Also, include a website address where individuals can find more detailed information about how you will use the data. 

6. Register With the UK ICO

If you use CCTV for crime prevention on your business premises, you will need to register with and pay the UK ICO a yearly fee.

7. Implement Procedures for Subject Access Requests

Implement procedures to respond to data subject rights relating to recording customers. Customers have various legal rights when you are recording them. For example, they can make a Subject Access Request requesting copies of the images you have recorded. 

In practice, providing these images can be very difficult and time-consuming. Therefore, you should ensure you have a clear system in place for handling such requests. 

8. Minimise Recording Footage

It is important to minimise the amount of recording footage you collect and only keep it for as long as you need it. Implementing and following a data retention policy can help achieve this. You should document exactly how long you will hold the recording footage and when your business must delete it.  

9. Train Staff

If your staff operate recording systems, it is essential to provide appropriate training on handling the recording footage. Likewise, explain key UK GDPR rules surrounding recording customers and how to handle, store and delete data safely.

10. Double-Check Your Systems

Finally, ensure you store the recordings securely, and you have data security measures in place to safeguard them. It is also critical to confirm the equipment (e.g. CCTV cameras, computers, hard drives) is in good working order. You want to ensure all images captured are of clear and high quality. Otherwise, blurry footage would defeat the purpose of recording customers in the first instance to prevent crime. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Takeaways

It is legal to record customers who enter your business, but you need to follow strict legal rules when doing so. Your business risks receiving financial and reputational damage if you breach the UK GDPR rules. As such, you should be cautious when recording customers and always follow the relevant rules. 

If you need help complying with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions