CCTV cameras and GDPR – what you need to know

A reliable CCTV camera system is a vital component of a business’ security environment. Whether it’s an external intruder or a staffing issue, it can alert you to the problem, and most importantly the video footage allows you get to the bottom of what happened using visible proof.The benefits of a CCTV system are clear – but did you know, that under the General Data Protection Regulation, bought into effect in May this year, you have some considerations around footage you collect and keep?

Here’s what you need to know about CCTV cameras, video surveillance and GDPR.


Personal data

GDPR governs the processing of personal data. “Personal data” is defined as information relating to a person who “can be identified directly or indirectly from the information in question”. There’s a strong argument to suggest that this includes video footage – an individual could be easily identified by various physical features, most notably their face (if it’s shown on the footage). This means that when you’re handling data and footage collected by your security camera system, you need to treat it as personal data which is subject to GDPR.


Grounds for processing

The GDPR guidelines state that an organisation must have a “lawful basis for processing personal data”. This essentially means that your processing of personal data should be necessary for a specific purpose. There are six lawful bases for processing, and in order to comply with GDPR, you should pick the one which is most appropriate for your activities, document your approach and make clear that this is your basis for processing.

The six lawful bases for processing are:

  • Consent – you’ve obtained clear permission from the individual to process their data
  • Contract – you can prove you need to process the individual’s data to fulfil your contractual obligations
  • Legal obligation – you need to process the data to comply with law or statutory obligation
  • Vital interests – the data must be processed in order to protect someone’s life or vital interests
  • Public task – you need to process data “in the exercise of official authority”
  • Legitimate interests – you are processing data in a way they would reasonably expect and has minimal privacy impact (you mostly see this applied to data processing for marketing purposes)

There are 3 which stick out as likely to be most applicable to collecting and handling CCTV footage.


If you use internal video surveillance for staff, you are able to collect consent from them to be recorded, and for this footage to be kept. The problem with this model is with visitors and perhaps passers-by who you would likely struggle to get clear consent from. If you’re using CCTV in a broader capacity, it might be best to explore some of the other bases for processing.

Legal obligation

It’s obviously common for CCTV footage to be used in police investigations and legal proceedings. This basis for processing will in the main apply to your need to disclose or share CCTV footage for legal reasons – but do bear in mind that publicly sharing footage to identify an individual may be best left to the police.

Vital interests

To shift the focus back again to internal use of CCTV – you may very well need to use surveillance to protect and ensure the health and safety of your staff.


Individual rights

Just as they did under the Data Protection Act (1998), individuals have a number of rights when it comes to the processing of their personal data under GDPR. One of these is “the right to be informed” – meaning that they have the statutory right to be informed that their data is being collected and used. The government is pretty clear on CCTV – “If your business uses CCTV, you must tell people they may be recorded.” The best way to do this is by clearly displaying a visible and readable sign.

Other rights an individual has under GDPR relate to being able to access the data you are holding which relates to them. Again, guidance around CCTV is clear – anyone can ask for video footage you have them, and you must provide this within 30 days.


Retaining footage

A big theme of GDPR is around necessity. There isn’t a specified maximum time you can keep personal data for – which includes CCTV images. However, the legislation does state that your business should have a documented retention policy, and that you should only keep the images for as long as is necessary for the purpose of recording them.


A CCTV camera system is an effective way to both detect and deter intruders as well as criminal or unreasonable behaviour by staff. But as a business, it’s important you consider your statutory obligations and take measures to comply. If you would like more advice on deploying a GDPR-compliant CCTV system in your business, get in touch.

Book a free consultation

Leave a Reply

Your email address will not be published. Required fields are marked *