Insure24 Blog

Can CCTV Footage Create GDPR Liability?

Millions of CCTV cameras operate across the UK every day. They protect premises, deter theft, support insurance claims, and provide evidence when things go wrong. For most business owners, a camera above the door feels like a sensible precaution — a low-cost, low-maintenance layer of security.

But CCTV footage is personal data. The moment your cameras capture an identifiable individual, UK GDPR kicks in. That means obligations around consent, storage, access, and disclosure — and real financial exposure if those obligations are not met.

This guide explains exactly how CCTV use creates GDPR liability, what the Information Commissioner's Office (ICO) expects of businesses, and why commercial insurance remains an important part of your risk management framework even when you follow the rules carefully.


Why CCTV Footage is Personal Data Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, personal data means any information relating to an identified or identifiable natural person. A face captured on a camera — even without a name attached — is almost always personal data if the individual could be identified from it, either directly or in combination with other information you hold.

This matters because it means CCTV footage is not simply a passive recording that sits on a hard drive until you need it. It is actively processed personal data from the moment it is captured. Processing includes recording, storing, viewing, copying, sharing, and deleting footage — every one of those actions falls within the scope of UK GDPR.

The ICO confirmed this position clearly in its guidance on video surveillance, and it has investigated and fined organisations that failed to treat their CCTV systems accordingly. A fine does not require a dramatic breach: failures in basic record-keeping or inadequate retention policies have drawn regulatory attention on their own.


The Legal Basis Problem

One of the most common errors businesses make with CCTV is failing to identify a clear lawful basis for the processing. UK GDPR requires that you have, and can name, a lawful basis for every processing operation involving personal data. For most commercial CCTV systems, the two most relevant bases are:

Legitimate Interests

Legitimate interests is the most commonly used basis for commercial CCTV. It allows you to process personal data where you have a genuine, proportionate business reason — such as crime prevention, premises security, or employee safety — provided that reason is not overridden by the rights and freedoms of the individuals being recorded.

However, relying on legitimate interests is not a blank cheque. You are required to carry out a Legitimate Interests Assessment (LIA) that documents your purpose, weighs it against the privacy impact, and confirms proportionality. A camera pointed at a public entrance to prevent shoplifting is unlikely to fail that test. A camera trained on a staff toilet corridor almost certainly would.

Legal Obligation

Some businesses operate in regulated sectors where surveillance is required by law or licensing conditions. In these cases, legal obligation may be the appropriate basis. However, this tends to be narrowly scoped, and you should always seek professional advice if you believe this applies to your circumstances.

Regardless of which basis you rely on, you must document your decision and be able to demonstrate your reasoning to the ICO if challenged.


Transparency: Telling People They Are Being Recorded

UK GDPR is built on the principle of transparency. Individuals must know their data is being processed. For CCTV, this means clear, prominent signage informing people they are entering a monitored area — before they enter it.

The ICO's CCTV guidance sets out what that signage should include: the identity of the data controller (your business), the purpose of the recording, and contact details or a reference to your full privacy notice. Vague signs that simply say "CCTV in operation" without identifying who operates the system are likely to be insufficient under a strict reading of UK GDPR.

Where cameras are positioned matters too. A camera that unexpectedly captures footage of neighbouring properties, public pavements, or residential areas beyond your boundary creates additional complexity, potentially requiring notification to a wider group of data subjects.


Data Retention: How Long Can You Keep Footage?

Storing footage indefinitely is one of the most common compliance failures the ICO encounters. UK GDPR requires that personal data is kept only for as long as necessary for the purpose for which it was collected. For most commercial CCTV systems, that purpose is incident detection and investigation.

In practice, industry guidance typically suggests a retention period of between seven and thirty-one days for standard premises footage. Footage retained beyond that point without a specific justification — such as an ongoing investigation or legal proceedings — is difficult to defend.

Your retention policy needs to be documented, applied consistently, and reviewed regularly. Automated deletion is preferable to manual processes, which can easily fall behind schedule. You should also have a clear protocol for what happens when footage becomes relevant to a claim or dispute: at that point the normal retention rules are suspended for the specific recordings concerned (a "legal hold"), the reason for retaining them should be recorded, and the footage must be managed carefully to preserve its evidential integrity.
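The retention approach described above, as an added example that is not part of the original article: a Python sweep that deletes recordings older than the documented retention period, refuses to delete anything listed in a legal-hold register, and appends one audit line per decision so the exceptions can be evidenced later. The directory layout, the `.mp4` naming, the `legal_holds.json` register and the 31-day period are assumptions for the demo, and the sample archive it builds is constructed test data rather than real footage.

```python
"""Retention sweep for CCTV footage: automated deletion with legal-hold exceptions.

Assumptions (not from the article): footage lives as .mp4 files under a root
directory, legal holds are recorded in <root>/legal_holds.json as
{"relative/path.mp4": "case reference"}, and the documented retention period
is 31 days. The archive built by make_sample_archive() is constructed data.
"""
import json
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

RETENTION_DAYS = 31                 # assumed documented retention period
HOLD_FILE = "legal_holds.json"      # assumed hold register inside the footage root
AUDIT_FILE = "retention_audit.log"  # one JSON line per delete/hold decision


def load_holds(root: Path) -> dict:
    """Return the legal-hold register, or {} if none exists."""
    hold_path = root / HOLD_FILE
    return json.loads(hold_path.read_text()) if hold_path.exists() else {}


def sweep(root: Path, holds: dict, retention_days: int = RETENTION_DAYS,
          now: Optional[float] = None, dry_run: bool = False) -> dict:
    """Delete expired recordings, keep held ones, and log every decision.

    Returns {"deleted": [...], "held": [...], "kept": [...]} with paths relative
    to root, so the outcome can be checked without parsing the audit log.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    outcome = {"deleted": [], "held": [], "kept": []}
    with (root / AUDIT_FILE).open("a") as audit:
        for path in sorted(root.rglob("*.mp4")):
            rel = path.relative_to(root).as_posix()
            if path.stat().st_mtime >= cutoff:
                outcome["kept"].append(rel)  # still within retention, no log entry
                continue
            entry = {"ts": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
                     "file": rel, "dry_run": dry_run}
            if rel in holds:
                # Expired, but preserved for an incident or claim: never delete,
                # and record the case reference so the exception is defensible.
                entry.update(action="hold", case=holds[rel])
                outcome["held"].append(rel)
            else:
                entry["action"] = "delete"
                if not dry_run:
                    path.unlink()
                outcome["deleted"].append(rel)
            audit.write(json.dumps(entry) + "\n")
    return outcome


def make_sample_archive(root: Path, now: float) -> None:
    """Constructed sample data: three recordings of different ages plus one hold."""
    ages = {
        "cam01/2024-01-01.mp4": 45,  # expired: should be deleted
        "cam01/2024-01-20.mp4": 40,  # expired but under legal hold: kept
        "cam02/2024-02-10.mp4": 5,   # within retention: kept
    }
    for rel, age_days in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    (root / HOLD_FILE).write_text(json.dumps({"cam01/2024-01-20.mp4": "claim-0001"}))


def run_demo() -> dict:
    """Build the sample archive in a temp dir, sweep it, and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        now = time.time()
        make_sample_archive(root, now)
        outcome = sweep(root, load_holds(root), now=now)
        outcome["remaining"] = sorted(p.relative_to(root).as_posix()
                                      for p in root.rglob("*.mp4"))
        outcome["audit_entries"] = (root / AUDIT_FILE).read_text().count("\n")
        return outcome


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on a schedule (cron or a systemd timer) with `dry_run=True` first to confirm the hold register is being read before letting it delete anything; the audit log is what you would show the ICO to demonstrate that the retention period is actually enforced and that every exception is tied to a case reference.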


Subject Access Requests and Your Obligations

Any individual who has been captured on your CCTV footage has the right to request a copy of that footage under UK GDPR. This is a Subject Access Request (SAR), and you have one calendar month to respond; that period can be extended by up to a further two months where the request is complex or you have received several from the same person, but you must tell the requester within the first month that you are extending it. In most cases, you cannot charge a fee.

Fulfilling a CCTV SAR is more technically demanding than a standard data SAR. You may need to redact footage to remove the faces or identifying features of third parties before handing over the recording. Failure to provide the footage within time, or providing it without appropriate redaction, both constitute compliance failures.

Businesses that receive frequent SARs — retailers, hospitality operators, and landlords of multi-occupancy premises are particularly exposed — need a clear documented process for handling them, not just a general awareness that SARs exist.


Third-Party Disclosure Risks

Sharing CCTV footage with third parties is one of the highest-risk activities associated with commercial surveillance systems. Common scenarios include:

  • Providing footage to police or other law enforcement agencies
  • Sharing recordings with insurers as part of a claim
  • Disclosing footage to solicitors in connection with litigation
  • Allowing neighbouring businesses or landlords to view recordings
  • Uploading footage to social media platforms as a means of identifying suspects

Each of these scenarios carries distinct risks. Sharing with police is generally permitted where it is necessary for the prevention or detection of crime, but should still be documented. Sharing with insurers is typically covered by legitimate interests and contractual necessity, but the footage should be transmitted securely.

Uploading footage to social media to identify a suspected shoplifter, on the other hand, is an area where businesses have attracted significant ICO scrutiny. Even where the intent is legitimate, the act of publishing identifiable images of individuals to a public platform without a clear lawful basis is almost always disproportionate and likely to constitute a data breach.


What Counts as a CCTV Data Breach?

A personal data breach under UK GDPR is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Applied to CCTV, breaches can occur in several ways:

  • Footage accessed by an unauthorised employee or third party
  • Recordings transmitted without encryption over an insecure network
  • A hard drive or storage device containing footage being lost or stolen
  • Footage inadvertently captured or retained beyond its intended scope
  • Cloud-based CCTV systems compromised through weak passwords or unpatched software
  • Footage shared in error with the wrong recipient

Not every breach requires notification to the ICO, only those that are likely to result in a risk to the rights and freedoms of individuals. However, breaches that meet the threshold must be reported within 72 hours of you becoming aware of them, and where the breach is likely to result in a high risk to individuals, those individuals must be told without undue delay as well.

The 72-hour window is tight. Businesses that do not have a documented incident response plan often find themselves struggling to assess the breach, gather the facts, and make a notification decision within that timeframe — which itself can create additional regulatory risk.


ICO Enforcement: Real Consequences for Businesses

The ICO has demonstrated a willingness to take enforcement action against organisations — including smaller businesses — for CCTV-related GDPR failures. Examples from ICO enforcement records include:

  • Enforcement action against operators of facial recognition systems for unlawful processing of biometric data, where the fines have been substantial
  • Reprimands issued to housing associations and local authorities for excessive or poorly targeted CCTV deployment
  • Enforcement notices requiring businesses to overhaul their retention policies and signage

For UK businesses, the maximum fine under UK GDPR is the higher of £17.5 million or 4% of global annual turnover. For most SMEs, a fine significantly below that ceiling can still represent a materially damaging financial event, particularly when combined with the cost of remediation, legal advice, and reputational fallout.

The ICO has also made clear that it expects businesses to be able to demonstrate compliance proactively — not just to fix problems after they are discovered. That means documentation, policies, and regular reviews are not optional extras.


Special Considerations for Specific Business Types

Retail and Hospitality

Retailers and hospitality operators typically run some of the most extensive commercial CCTV networks. The high volume of individuals captured, the frequency of SARs, and the likelihood of footage being used in connection with incidents or insurance claims makes compliance infrastructure particularly important. A written CCTV policy, clearly maintained retention schedules, and staff training on SAR handling are baseline requirements.

Landlords and Property Managers

Landlords operating CCTV in communal areas of residential or mixed-use buildings face additional complexity. Tenants have heightened privacy expectations in their residential environment. The ICO expects a proportionate approach — covering entrances and communal areas where there is a clear security purpose, rather than deploying blanket surveillance of all shared spaces.

Employers and Workplace Surveillance

Using CCTV to monitor employee activity is legally permissible but heavily regulated. Covert monitoring of employees is permitted only in very limited circumstances, such as where there is a serious suspicion of criminal activity and overt monitoring would undermine an investigation. Routine covert surveillance of staff is almost always unlawful and represents one of the highest-risk CCTV scenarios from a GDPR perspective.

Healthcare and Care Providers

Organisations providing healthcare or care services may capture footage of individuals whose health status is apparent from the recording — for example, patients in a hospital setting. Health data is a special category under UK GDPR and subject to stricter rules. Any CCTV deployment in these environments requires careful legal review.


Best Practice Checklist for CCTV Compliance

The following checklist reflects the ICO's expectations for commercially operated CCTV systems:

  • Document your purpose: Record why you operate CCTV and what lawful basis you rely on, including a completed Legitimate Interests Assessment where applicable.
  • Position cameras proportionately: Cameras should capture only what is necessary for your stated purpose; avoid capturing public areas beyond your boundary without good reason.
  • Display clear, compliant signage: Signs must identify the data controller and explain the purpose of recording; vague signs are insufficient.
  • Set and enforce a retention policy: Decide how long you will keep footage and automate deletion where possible; document exceptions for ongoing incidents.
  • Restrict access to footage: Only authorised individuals should be able to view, copy, or export recordings; maintain access logs.
  • Secure your storage systems: Ensure footage is stored securely, whether on-site or in the cloud; apply encryption and strong authentication controls.
  • Create a SAR process: Know how you will identify, retrieve, redact, and provide footage in response to Subject Access Requests.
  • Prepare a breach response plan: Know who is responsible for assessing and reporting data breaches; practise the 72-hour notification timeline.
  • Train relevant staff: Employees who manage or have access to CCTV systems should understand their obligations.
  • Review regularly: CCTV policies and systems should be reviewed at least annually and whenever there is a material change to your operations.

How Insurance Fits Into Your CCTV Risk Strategy

Good compliance practice significantly reduces the likelihood of a GDPR incident arising from your CCTV system. But even well-managed businesses face enforcement action, civil claims, and breach response costs — sometimes for reasons that are only partially within their control.

Cyber and data protection insurance provides a financial safety net that many UK businesses underestimate. A comprehensive policy can cover:

  • ICO investigation and regulatory defence costs
  • Fines and penalties where insurable under UK law
  • Legal costs associated with civil claims from affected individuals
  • Costs of notifying individuals following a data breach
  • Forensic investigation expenses to identify the scope of a breach
  • Reputational management and crisis communications support
  • Business interruption losses arising from a data security incident

For businesses that rely on CCTV as part of their security infrastructure — which now includes the majority of commercial premises in the UK — data protection liability cover is an increasingly important line of protection, not an optional add-on.

At Insure24, we work with businesses across a wide range of sectors to ensure their insurance programme reflects the data risks they actually face, including those arising from surveillance systems. If you are unsure whether your current cover addresses CCTV-related GDPR exposure, we would be glad to review it with you.


Conclusion

CCTV footage creates genuine GDPR liability for UK businesses. It is personal data from the moment it is captured, and every aspect of how it is collected, stored, accessed, shared, and deleted must meet the standards the ICO sets. The consequences of getting it wrong — fines, enforcement notices, civil claims, and reputational damage — can be significant.

The good news is that compliance is achievable with the right framework in place. Clear documentation, proportionate deployment, strong access controls, and a reliable breach response process go a long way towards demonstrating the accountability UK GDPR demands.

Insurance does not replace that framework, but it provides meaningful financial protection for the risks that remain even when you have done everything right. Speak to Insure24 today to find out how a cyber and data protection policy can complement your CCTV compliance strategy.

Call us on 0330 127 2333 or visit insure24.co.uk to get a quote or discuss your cover requirements.
