CCTV is a vital security measure for businesses up and down the country. By using CCTV cameras in the workplace, you can safeguard your property and employees from the threat of crime. However, without the right CCTV policy in place, you could also find yourself infringing strict privacy laws that protect the rights of individual people. Keep reading our guide to the laws of CCTV in the workplace for everything you need to know to ensure your business stays on the right side of UK CCTV laws, including GDPR.
If employers wish to install any types of CCTV cameras in the workplace, they must take the following actions in order to adhere to UK privacy and data protection laws (GDPR):
Beyond the fundamental GDPR requirements, modern business environments, especially those involving logistics or retail, present unique challenges that necessitate a deeper look into your surveillance strategy. The Information Commissioner’s Office (ICO) strongly encourages businesses to adopt a ‘data protection by design’ approach, meaning privacy should be built into the system from the start, not bolted on as an afterthought. This involves regularly reviewing the system’s necessity and proportionality, especially when considering upgrades to systems featuring high-definition or advanced video analytics capabilities. The introduction of tools like facial recognition, for instance, requires an extremely high bar of justification and transparency, often necessitating specific, stringent consent protocols that go far beyond standard CCTV notices.
Furthermore, the maintenance and security of the actual recording infrastructure are now critical components of compliance. If your business relies on network-connected, cloud-based security systems, it is vital to ensure that all data is encrypted both in transit and at rest. This proactive security posture is integral to protecting the integrity of the data and demonstrating due diligence, especially when compared to the growing risks associated with on-premise storage, as detailed in our guide on why cloud-based security is safer than on-premise in 2025. A lapse in cyber security that leads to a breach of video data can be treated just as severely as a physical breach of privacy.

Yes, cameras that monitor the activities of people constitute processing of personal data. Therefore, this activity falls under the UK Data Protection Act 2018, which incorporates the EU-wide General Data Protection Regulation (GDPR).
All surveillance carried out away from a person’s domestic property is subject to the Act, including recording from CCTV cameras in the workplace. A core principle of GDPR is that personal data, in this case video, should only be kept for as long as necessary.
Processing limits and the period of time footage can be kept for are flexible under the Act. This is to take into account the differing aims and challenges each company has when introducing the cameras. The laws of CCTV do, however, insist upon complete transparency when it comes to the following:
UK employers must consider the following risks when putting CCTV in place at their premises:
While the risk of damaging employee trust and facing human rights claims is significant, the financial penalties levied by the ICO have become increasingly severe, reflecting a global push toward stringent data governance. In the UK, the ICO has the power to issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for serious breaches of GDPR. A failure to secure and manage CCTV data appropriately falls squarely under this risk category. In fact, a 2024 analysis of ICO enforcement actions published by Pinsent Masons noted a continued focus on transparency and the lawful basis for processing, which are the fundamental requirements often missed in poorly implemented surveillance policies. Companies, particularly those in sensitive sectors like healthcare and education, must view compliant CCTV monitoring not as an optional add-on but as a core component of operational integrity.
Furthermore, businesses must consider the costs associated with responding to Subject Access Requests (SARs). The burden of retrieving, reviewing, and redacting footage to comply with a SAR within the strict one-month deadline can be substantial, especially for large organisations or those with inadequate data retrieval systems. A well-defined CCTV policy built for GDPR efficiency is essential to manage this administrative and financial load effectively.
Somebody in your organisation needs to be made responsible for managing your CCTV system and become the data controller. They need to outline a clear CCTV policy in the workplace that is in line with GDPR.

Once the system has been registered with the ICO, the first step is to make a GDPR-compliant company CCTV policy statement. This should explain to all individuals in the organisation why the cameras have been installed, how long the video data will be kept for and how it will be made secure.
A Data Protection Impact Assessment (DPIA) should be carried out to identify and manage the risks of processing video data and ensure the security of that personal data. Your procedure should be reviewed periodically to make sure that the risks continue to be managed effectively.
We have rounded up the most commonly asked questions from business owners across the UK below. If you have any other questions about CCTV systems and their relation to GDPR and the Human Rights Act, please contact our friendly security experts.
BusinessWatch know CCTV rules and related legislation inside out. We install, maintain and monitor CCTV systems for businesses across the UK.
Business owners need to display GDPR-compliant CCTV signage if they install surveillance cameras in the workplace. CCTV signage requirements are simple. Signs should be clearly visible in all the areas where surveillance is taking place and they should be readable to anybody working in the vicinity.
If it isn’t already obvious, signs should make it clear which company is operating the cameras.

Employers must have a clear policy stating how long they intend to store video footage for. This should be in line with the purpose of recording the images.
For example, if you are using surveillance to protect your industrial property from crime, it would not be acceptable to store the footage for longer than six months. There is a reasonable expectation that any crimes committed at your property would have been detected and investigated in this timeframe. It’s critical to establish a firm retention schedule, as detailed in our guide on what are the regulations for CCTV in the UK, and adhere to it strictly to remain compliant.
Yes. Regardless of the reason why monitoring has been implemented, staff must be informed that they are being recorded. If you choose not to inform them then, depending on the location of the cameras, you could be violating their right to privacy under the Human Rights Act 1998.
Recording can only be legally kept secret in exceptional circumstances, for example if disclosure would jeopardise a criminal investigation. Such situations are rare and should be assessed against strict proportionality, ensuring they do not violate the core principles of lawful monitoring of staff.
CCTV monitoring can be legally used to monitor staff as long as you have made them aware of this in writing and explained the reasons why. It is only acceptable to monitor staff secretly in rare circumstances.
For example, if you suspect a staff member of committing a crime at work, it could be hard to prove this if they were aware of the surveillance. This is only acceptable in specific investigations. Recording should cease once the investigation is concluded. For large-scale premises, particularly in property management, monitoring must be targeted and justified, focusing on preventing or detecting crime, rather than general performance tracking.
All footage should be secured by a nominated data controller. They need to ensure that nobody else views the video data without good reason to do so. Anybody who has been caught on camera has the right to see the footage in which they are identifiable.
Under the 2018 Data Protection Act (GDPR), they are permitted to do this by submitting a subject access request for the relevant personal data. The data controller must respond within one calendar month and provide access to the footage. This includes staff and, in some cases, neighbours, which is why defining camera placement is crucial, especially concerning neighbouring properties in the UK.
CCTV audio recording laws state that conversations between members of the public are not allowed to be recorded. The only exceptions to this rule include panic buttons in a taxi or monitoring carried out in a private area of a police custody room.
It is only acceptable to introduce audio recording at your workplace if the purpose is justifiable. All employees also need to be made aware that both video and sound are being captured by cameras. This is an extremely sensitive area; the ICO warns that audio recording is generally highly intrusive, and justification is challenging to achieve in a typical office or commercial setting. The legal bar for justifying audio recording is significantly higher than for video alone.
Businesswatch are NSI Gold approved and design, install and manage bespoke CCTV systems for all industries. Our expert team of CCTV specialists are very knowledgeable in the legal requirements associated with CCTV systems in the workplace and will make sure yours is compliant with all rules, laws and regulations when they carry out the design and installation.
Get in touch for a free quote today. Call us on 0330 094 7404 or fill out our online contact form here.