How the GDPR affects UK businesses with CCTV

How the GDPR affects UK businesses with CCTV

Whether you’re a UK business that already has CCTV or you’re thinking of getting CCTV in the future, there are some important things you need to know with regard to the new GDPR privacy laws.

GDPR stands for General Data Protection Regulation (GDPR). The GDPR replaced the Data Protection Act 1998 on the 25th of May 2018. The new data regulations have been implemented to change the way data privacy is approached in all UK organisations.

It’s important to know how the GDPR works, and, more importantly, how it affects your business; especially when it comes to your CCTV system. Penalties for not complying with the new regulations reach a hefty €20 million, or, 4% of global annual turnover.

The British Security Industry Authority (BSIA) estimates there are up to 5.9 million closed-circuit television cameras across the UK, meaning there is around one surveillance camera for every 11 people in Britain! That’s a lot of cameras, and a lot of business owners that need to ensure they complying with the new laws.

Let’s take a look at the key points.

Is your CCTV justified?

Under the GDPR it is extremely important that your CCTV system is being used for a legitimate reason, of which is justified. The ICO claims “you must have a valid lawful basis in order to process personal data”. 

Taking this into consideration, CCTV in the workplace can be used to monitor employees health and safety, or, perhaps assist in keeping employees safe and secure, by preventing crime. For these reasons, CCTV is well justified and conducted on a lawful basis. However, there are certain areas of the workplace in which CCTV is not prohibited. For example, CCTV should not be used to target and monitor a certain group of employees, nor should it be placed in areas of privacy. 

If you would like further advice on the set up of Cammy cameras, ensuring they meet the requirements of the GDPR, you can contact our support team at


Obtaining consent

When operating CCTV in the workplace, you must notify all employees (before recording begins), that their image may be captured by the CCTV system in place. In collecting these recognisable images from the CCTV footage, your employees become ‘Data subjects’. Because of this, it is now very important that consent is obtained either via an employment agreement, or a staff handbook. As employees are now data subjects, their rights must not be dismayed or overridden.

It is a great idea to establish a level of understanding with your employees, explaining why company CCTV is in place, and, that it is perhaps in their best interest. Business CCTV for employees should be looked at as a means of security and safety.


The GDPR states that you must have a clear and informative notice that CCTV is present within the building, or, around the premises. Those being captured by your CCTV cameras, including potential visitors, must be made fully aware that the premises are being monitored before they enter. 


Data retention

Another core principle of the GDPR is that personal data should only be retained for as long as it serves a purpose. At Cammy, our app has 30-day cloud storage which means after this period of time, your footage is automatically deleted. This feature eliminates the risk of data being held for too long and in turn, keeps you in line with the GDPR. It’s an effortless advantage!

If an event is exported before the 30-day period, it must be for a valid reason, such as theft or crime. You will need to carry out a risk assessment form in order to validate this footage being held. Any events exported during this time and thereby saved into personal possession, must also be deleted upon request from any data subject.

Please contact our Support team at if you require any assistance with the 30-day cloud storage feature.


Access Requests 

The ICO states that “individuals whose information is recorded have a right to be provided with that information, or, if they consent to it, view that information” meaning that businesses are legally obliged to provide the footage from CCTV if requested. An access request is free and must be provided within 30 days.

Businesses should have an appropriate format in place to effectively respond and provide information promptly. This is especially important in the instance of 30-day retention periods before footage is erased.



Taking the above points into consideration, it is a good idea for businesses to reassess their CCTV system in regards to the regulations of the GDPR; ensuring there are no data breaches.

  • Businesses must notify staff that CCTV is present in the workplace, however not to monitor individuals or private places.
  • Consent must be obtained from all staff members.
  • Businesses must display clear signs that CCTV is operating in the grounds.
  • Businesses are obliged to remove or delete any data once it no longer serves a purpose.
  • Businesses are legally obliged to provide the footage from CCTV if requested by the individual recorded.

Keeping in line with the above points will ensure your CCTV system is justified and lawful, whilst also preventing large fines.

We encourage you to take a look at our Privacy Policy and Terms of Service.