Search our news, events & opinions

23 October 2018 9 Comments
Posted in Opinion, Technology & media

Is your CCTV system GDPR compliant?

Posted by , Partner
Contributing authors: Andrew Kuemmerle

The UK is often cited as being one of the most video monitored societies globally, with up to 5.9 million CCTV cameras in operation in 2015 alone (one camera for every eleven people). Your organisation or business may use CCTV recording for a variety or reasons such as prevention of crime, health and safety or monitoring the workplace. Homeowners may also install domestic CCTV systems to protect their personal property.


If your CCTV system monitors or records the activities of individuals, this will constitute the processing of personal data under the General Data Protection Regulations (GDPR) and be caught by the data protection legislation.

If you are a homeowner using a CCTV system, the UK Data Protection Act 2018 (DPA), which implements the EU-wide GDPR, does not apply to CCTV installed on a person’s own home in order to protect it from crime such as vandalism or burglary. However, if the camera captures areas outside of the confines of the household, for example, a shared drive or car parking space, the data gathered will be subject to the DPA. The guidance for businesses below will then also be applicable to your home CCTV system and will need to be complied with in order to avoid penalties under the DPA.

Business owners can usually rely on their own legitimate interests or a legal requirement as the lawful basis for operating CCTV and processing the related data. However, they will need to demonstrate that lawful basis for the entire area covered by the camera. Individuals recorded by CCTV become “data subjects” when footage of them is recorded and stored. The data subject’s rights and freedoms cannot be overridden, especially where relying on legitimate interests as the lawful basis for processing their data. Even inside a work premises, employees have a right to privacy.

Data subjects are entitled to understand when their personal data is being recorded and stored. As a result, the recording and storage of CCTV images should be highlighted by clear signage indicating the areas monitored and who to contact for further information.

One of the core principles of the GDPR is that personal data should only be processed for as long as it is completely necessary. Each camera and its purpose will need to be assessed to determine how long footage can be stored for. There are no defined acceptable retention periods within the legislation; the relevant period is entirely dependant on its reasonableness in light of the purpose for which the footage is used. For example, a retail shop would not usually be expected to retain footage for any longer than 6 months – by that time any reported crimes are likely to have been investigated and relevant footage seized.

As with any other form of personal data, data subjects have a right to access their own data. If you are preparing data for disclosure arising from a data subject access request you will need to ensure that the requester is present in the footage and that by supplying the footage you do not disclose the personal data of any other third parties. This may require blurring parts of the footage such as faces and licence plates.

You should also note that under the new GDPR, the information must be provided to the data subject free of charge. A reasonable fee can only be charged if the request is ‘manifestly excessive or unfounded’ and can only cover the administrative costs involved. The footage must be supplied within 30 days of your receipt of the request.

Any act of storing or accessing CCTV footage is considered data processing and it is crucial that CCTV operators ensure the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not members of the public who walk past a CCTV operation room or security guard post.

The devices used to store CCTV images are a common target during a break-in (not only for their resale value but also to remove evidence of the crime). As a result, organisations need to consider the physical security of storage devices such as whether it is kept in a locked room. Newer systems may allow for recordings to be kept in an encrypted format which will prevent unauthorised access in the event of loss or theft.

CCTV systems which can transmit images over the internet, to allow viewing from a remote location, should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access, such as a username and strong password. CCTV systems which make use of wireless communication links (e.g. transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.


The Information Commissioner’s Office recommends that any organisation using CCTV should carry out a data protection impact assessment (DPIA) on its use.

If you would like further information on the GDPR implications for your business then please contact Emma Banister Dean on:

01865 268 370     Email

Leave a comment

Thank you for choosing to leave a comment. Please keep in mind that comments are moderated and please do not use a spammy keyword or a domain as your name or it will be deleted.




9 comments on Is your CCTV system GDPR compliant?

  1. Posted by Nicola THOMPSON on February 13, 2019 at 1:03 pm

    Our neighbour has installed CCTV which monitors a shared drive which we and she alone have access over. The CCTV is activated as soon as we step out of our house and monitors our movements outside our property including our swimming pool, we have reported this to the police who aren’t interested. Is there anything we can do to protect our privacy?

    • Posted by Anna Arakcheeva on February 13, 2019 at 2:01 pm

      Dear Nicola,

      Thank you for your query. A member of our Privacy team will be in touch to provide further information.

      Kind regards,

      Andrew Kuemmerle

  2. Posted by Sandra Hallett on April 4, 2019 at 10:53 am

    My son has cctv covering his front door but it shows part of a shared path and only the path, which enables his neighbour access to his garden, the neighbour is now complaining although the camera has been up for 10 years. My son is autistic and needs the security but the neighbour is adamant it should come down. Is it enforceable.

  3. Posted by Paul Ward on April 9, 2019 at 2:58 pm

    Our situation is near identical to the comment from Nicola Thompson above. We have a shared driveway with two other neighbours both of whom have instantly recording CCTV. One neighbour is OK but the other is unresonable and had a few fall-outs with them. We dont have CCTV and dont want it but also want to be able to go out the front of our house without being watched. What can I do ??

  4. Posted by Heidi Clay on June 6, 2019 at 7:35 pm

    My partners co director has put up new cctv with audio recording in their business. There are no signs in the building advising customers or myself and other members of staff!
    I found the monitors in the main reception where friends of staff walk behind towards the bar and can see all monitors, during what he thought was a private rant, which was recorded and the evidence of his rant was witnessed by her and her partner and then given to the police!
    Myself and my partner have been recorded without our permission and the website is still not GDPR properly, she is taking full control and refuses to do anything. Can you advise if her recordings are legal?

    • Posted by Robert Wells on June 7, 2019 at 8:53 am

      Thanks for your comment. We wouldn’t be able to comment at this stage as to whether this is legal without understanding a little more. But if you would like to ask a specialist member of our team you can email your enquiry to and they will see how they can help.

      Many thanks.

  5. Posted by Mary McGivern on August 2, 2019 at 7:19 am

    Hi I’m looking for some help, my neighbour across the street is filming my home Ive reported it to the police, however I’ve not heard anything back from them. I have a small child who I think this man is trying to capture images of in my home. Example when he comes down stairs from his bath naked etc.
    This man lives in a council property and I’ve reported this to the housing association and the guy moved the camera for a day and then put it back. I want to take legal action as my son means everything to me.

    • Posted by Robert Wells on August 19, 2019 at 2:45 pm

      Hi there, thank you for getting in touch. This issue has been referred to one of our solicitors and we will contact you directly.


Learn more


T: 01865 268 607 (DDI)

Search our news, events & opinions