GDPR and CCTV: A Compliance Checklist

GDPR and CCTV Compliance

When the General Data Protection Regulation (GDPR) arrived, much of the noise focused on marketing emails and customer databases. Yet CCTV footage is personal data too—it shows faces, number plates and sometimes audio. Mishandle that data and the Information Commissioner’s Office (ICO) can fine you, insurers may refuse cover and staff morale will nosedive. The good news? Staying compliant is mostly about clear processes and a bit of housekeeping. This guide walks you through everything in plain English so you can tick the right boxes without turning into a lawyer.

  1. Know Why You’re Filming

GDPR begins with a simple idea: have a lawful reason to collect data. For CCTV the usual lawful bases are legitimate interests (protecting property, staff or visitors) or legal obligation (meeting a regulator’s security requirement). Legitimate interests is not a free pass: the ICO expects you to weigh your interest against the privacy of the people you film and to record that balancing test (a legitimate interests assessment). Write your reason and that assessment down in a short statement; it becomes the backbone of your policy and shows the ICO you have thought it through.

Helpful resource: Our earlier article CCTV Rules & Regulations UK explains lawful bases in more detail.

  2. Carry Out a Data-Protection Impact Assessment (DPIA)

A DPIA sounds grand but is really a structured risk review. You list what you film, who can access it, how long you keep it and the safeguards in place. If the risks feel high—cameras in sensitive areas, for example—you record the extra controls you will put in place. Do it before the cameras go live, and revisit it whenever the system changes: new cameras, a new purpose (such as monitoring staff performance) or a new way of storing or sharing footage. The ICO offers a free template on its website, and most businesses complete one in an afternoon.

  3. Register with the ICO

If you use CCTV for business (even a single camera), you must register as a data controller and pay the small annual fee—usually £40 or £60. The online form takes ten minutes and keeps you off the ICO’s “non-payer” list.

  4. Put Up Clear Signage

Signs do three jobs: they warn would-be intruders, let visitors know they are being recorded, and point people to a contact if they have questions. Keep the wording short:

“CCTV in operation for the safety of staff and visitors. Footage controlled by X Ltd. Contact: security@company.co.uk.”

Mount signs near entrances and any camera that is hard to spot. Good signage often deters trouble before it starts.

  5. Limit Who Can View or Export Footage

GDPR asks you to keep access “necessary and proportionate.” A small business might restrict full access to the facilities manager and send read-only clips to HR if an incident occurs. Use named log-ins rather than shared passwords so you always know who looked at what, and remove accounts promptly when people leave. Modern recorders log every log-in and export; review that log now and then rather than only after a complaint, and keep it somewhere a user with export rights cannot quietly edit it. If your recorder doesn’t log exports at all, it may be time for an upgrade—our CCTV Installations team can help.
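One way to review such a log, as an added example that is not ACCL’s code or any recorder’s own tooling. The log lines and their key=value layout are constructed for the example (real recorders each use their own format, so the parser would need adapting), and the account names, roles, site network and working hours are assumptions:

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed access policy for a small site (not from the original page):
# named accounts mapped to roles, and the actions each role may perform.
ROLE_OF_USER = {"a.patel": "facilities", "hr.khan": "hr"}
ROLE_MAY = {
    "facilities": {"LOGIN", "VIEW", "EXPORT", "CONFIG"},
    "hr": {"LOGIN", "VIEW", "EXPORT"},  # HR may export clips but not change settings
}
SHARED_ACCOUNTS = {"admin", "root", "operator", "guest"}  # never for day-to-day use
SITE_NETWORKS = [ip_network("10.20.30.0/24")]             # where exports are expected from
WORK_HOURS = (7, 19)                                      # exports outside 07:00-19:00 get flagged
FAILED_LOGIN_THRESHOLD = 3                                # failures from one source before we care

# Constructed sample of a recorder audit log in a simple key=value style.
SAMPLE_LOG = """\
2024-05-03T08:55:12Z user=a.patel action=LOGIN result=OK src=10.20.30.5
2024-05-03T09:15:02Z user=a.patel action=EXPORT result=OK src=10.20.30.5 camera=cam07 from=2024-05-02T18:00 to=2024-05-02T18:30
2024-05-03T11:40:10Z user=admin action=EXPORT result=OK src=10.20.30.9 camera=cam01 from=2024-05-01T00:00 to=2024-05-01T23:59
2024-05-03T13:02:41Z user=hr.khan action=LOGIN result=OK src=10.20.30.22
2024-05-03T13:05:07Z user=hr.khan action=CONFIG result=OK src=10.20.30.22 setting=retention_days
2024-05-03T22:48:55Z user=a.patel action=EXPORT result=OK src=203.0.113.7 camera=cam03 from=2024-05-03T20:00 to=2024-05-03T22:00
2024-05-04T02:10:00Z user=admin action=LOGIN result=FAIL src=198.51.100.4
2024-05-04T02:10:04Z user=admin action=LOGIN result=FAIL src=198.51.100.4
2024-05-04T02:10:09Z user=admin action=LOGIN result=FAIL src=198.51.100.4
2024-05-04T02:10:15Z user=admin action=LOGIN result=FAIL src=198.51.100.4
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the parsed timestamp is stored under 'ts'."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_log(text):
    """Return a list of (finding, evidence) pairs for the things the access policy cares about."""
    findings = []
    failed_logins = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action, result = ev.get("user", "?"), ev.get("action", "?"), ev.get("result", "?")
        src = ip_address(ev["src"]) if "src" in ev else None

        if action == "LOGIN" and result == "FAIL":
            failed_logins[ev.get("src", "?")] += 1
            continue  # failed attempts are reported in aggregate below

        # Who did it: a generic account, an account nobody issued, or a role overstepping.
        if user in SHARED_ACCOUNTS:
            findings.append(("shared-account", line))
        elif user not in ROLE_OF_USER:
            findings.append(("unknown-account", line))
        elif action not in ROLE_MAY[ROLE_OF_USER[user]]:
            findings.append(("role-violation", line))

        # Exports are the events that move personal data off the recorder, so check
        # when and from where they happened. The sample timestamps are UTC; the
        # example treats them as site-local time for simplicity.
        if action == "EXPORT":
            if not WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]:
                findings.append(("out-of-hours-export", line))
            if src is not None and not any(src in net for net in SITE_NETWORKS):
                findings.append(("off-site-export", line))

    for source, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-login-burst", f"{count} failed log-ins from {source}"))
    return findings


if __name__ == "__main__":
    for kind, evidence in review_log(SAMPLE_LOG):
        print(f"{kind:22} {evidence}")
```

Run against the sample it flags the export made under the shared `admin` account, the HR user touching a retention setting, the late-night export from outside the site network (twice: once for the hour, once for the source address) and the burst of failed `admin` log-ins. Whoever reviews the findings should record the review itself, with its date and outcome, in the compliance folder from step 10.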

  6. Set a Sensible Retention Period

The law does not fix a number of days; it simply says “no longer than necessary.” Thirty days works for many offices because incidents are noticed quickly. Retailers or remote sites sometimes need 60–90 days. Whatever period you pick, program the recorder to delete older files automatically so nothing slips through the cracks, and write the period and the reason for it into your policy. When a clip is needed for an incident, a police request or a subject-access request, export it or mark it as protected before the auto-delete reaches it; footage you are required to preserve is the one exception to the normal retention period.

Long-term archiving? Keep clips beyond the standard period only when you have a documented reason, and then consider off-site or cloud storage with access controls—see our guide to Cloud vs On-Prem CCTV Storage for pros and cons.
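A retention sweep with a hold list, as an added example that is not ACCL’s code or any recorder’s built-in auto-delete (most recorders handle their own disks internally; a script like this is for footage that lands on ordinary file storage, such as an export share or an archive volume). The directory layout, the hold-file format and the sample clips with backdated timestamps are all constructed for the example:

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def load_hold_list(hold_file):
    """Relative paths of clips that must survive auto-delete: an incident under
    investigation, a police request or a subject-access request. One path per
    line, '#' starts a comment. Keep this file outside the recordings tree."""
    if hold_file is None or not Path(hold_file).exists():
        return set()
    held = set()
    for line in Path(hold_file).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            held.add(line)
    return held


def purge_expired(recordings_dir, retention_days, hold_file=None, now=None, dry_run=False):
    """Delete files under recordings_dir whose modification time is older than
    retention_days, skipping anything on the hold list. Returns (deleted, held)
    as sorted relative paths so the caller can write them to the maintenance log."""
    root = Path(recordings_dir)
    now = now or datetime.now()
    cutoff = now - timedelta(days=retention_days)
    holds = load_hold_list(hold_file)
    deleted, held = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if datetime.fromtimestamp(path.stat().st_mtime) >= cutoff:
            continue  # still inside the retention window
        if rel in holds:
            held.append(rel)  # expired by age, but preserved for a documented reason
            continue
        if not dry_run:
            path.unlink()
        deleted.append(rel)
    return deleted, held


def make_demo_tree(base):
    """Constructed sample: four clips (camera/date/time layout is assumed) with
    backdated timestamps, plus a hold list naming one of the expired clips."""
    base = Path(base)
    root = base / "recordings"
    now = datetime.now()
    age_days = {
        "cam01/2024-03-19/09-00-00.mp4": 45,
        "cam01/2024-04-02/18-00-00.mp4": 31,
        "cam02/2024-04-02/18-00-00.mp4": 31,  # on hold: evidence for an incident
        "cam02/2024-04-23/12-00-00.mp4": 10,
    }
    for rel, age in age_days.items():
        clip = root / rel
        clip.parent.mkdir(parents=True, exist_ok=True)
        clip.write_bytes(b"\x00" * 16)
        stamp = (now - timedelta(days=age)).timestamp()
        os.utime(clip, (stamp, stamp))
    hold_file = base / "legal_hold.txt"
    hold_file.write_text("# preserved: incident under investigation\ncam02/2024-04-02/18-00-00.mp4\n")
    return root, hold_file, now


def run_demo(retention_days=30, dry_run=False):
    """Build the sample tree in a temporary directory, run the sweep and return
    (deleted, held, remaining) so the effect of the retention setting is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        root, hold_file, now = make_demo_tree(tmp)
        deleted, held = purge_expired(root, retention_days, hold_file, now=now, dry_run=dry_run)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return deleted, held, remaining


if __name__ == "__main__":
    deleted, held, remaining = run_demo(30)
    print("deleted:", deleted)
    print("held:   ", held)
    print("kept:   ", remaining)
```

With a 30-day setting the two 31-day-old clips have expired, but only the one not on the hold list is removed; at 60 days nothing is touched. Run it with `dry_run=True` first when you change the retention period, and write the returned lists into the maintenance log so the deletion itself is evidenced.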

  7. Protect Footage in Transit and at Rest

Encryption matters. Use HTTPS for the recorder’s web interface and for remote viewing, and enable TLS on any camera or stream that offers it (many now support HTTPS for management and TLS-protected video streams). Never forward the recorder’s ports straight to the internet: if staff view feeds on mobiles, route them through a VPN and require two-factor authentication on the account. Change every default password during installation. Inside the building, place cameras and recorders on a separate VLAN with firewall rules between it and the office network, so day-to-day internet browsing can’t touch them and the cameras themselves have no route to the internet beyond any update or cloud service you have deliberately allowed. These steps are quick wins against cyber-attacks and impress auditors.

For deeper advice, watch for our upcoming post on CCTV Cybersecurity.

  8. Keep Software and Firmware Updated

Hackers love old firmware with known exploits. Schedule quarterly checks—log on, hit “update,” reboot outside working hours. Back up the recorder’s configuration first, take firmware only from the manufacturer’s own site or the device’s built-in updater, and note the version you installed. Many modern recorders allow automated patching; switch it on if your risk policy allows. If a camera or recorder has reached end of life and no longer receives security updates, plan its replacement rather than leaving it on the network indefinitely. Firmware notes belong in your maintenance log (see step 10).

  9. Handle Subject-Access Requests Smoothly

Anyone filmed can ask for a copy of their footage. You have one month to respond (extendable by up to two further months for genuinely complex requests, provided you tell the requester within the first month), and you may ask for the date, time, location and a description of what they were wearing so you can find the right clip. Make life easier by:

  • Tagging clips by date and time for quick search.

  • Blurring third-party faces before release—built-in masking saves hours in editing software.

  • Using encrypted USB sticks or secure download links for delivery.

A clear process stops GDPR requests becoming a scramble that soaks up staff time.

  10. Maintain a Simple Audit Log

Keep one folder—digital or paper—holding:

  • Your DPIA

  • ICO registration certificate

  • Signage photos

  • Retention schedule

  • Firmware-update dates

  • Access-control list (who can log in)

  • Extracts from the recorder’s log-in and export log, with the date each review was done

  • A record of subject-access requests and how each was handled

If the ICO ever calls, you can demonstrate compliance in minutes rather than days.

Common Misconceptions

“We have no audio, so GDPR doesn’t apply.”
GDPR covers any personal data; faces, number plates and anything else that identifies a person count, whether or not sound is recorded.

“Footage is on-site, therefore secure.”
Physical security helps, but network breaches and rogue employees are real threats. Use named accounts, strong passwords and patches, and keep the recorder off the open internet.

“Deleting footage nightly keeps us safe.”
Deleting too soon can breach health-and-safety rules or miss slow-burn incidents like stock loss. Balance privacy with business need.

Practical Example: A 20-Camera Office in Reading

ACCL recently updated a client’s system. We:

  1. Ran a quick DPIA (three pages).

  2. Registered them with the ICO.

  3. Shortened retention from 90 to 45 days to align with incident reports.

  4. Added role-based log-ins—Facilities: full access; HR: export only.

  5. Enabled HTTPS and put cameras on their own VLAN.

Audit completed in half a day, zero disruption, full compliance—proof that GDPR need not be a headache.

Your Quick-Reference Checklist

  • Lawful basis recorded

  • DPIA completed and filed

  • ICO fee paid

  • Signs installed

  • Access list created

  • Retention auto-delete set

  • Encryption enabled

  • Firmware up to date

  • Audit folder current

Pin this near your recorder and you’ll never wonder what’s left to do.

Where ACCL Fits In

Compliance often surfaces when you upgrade cameras, extend coverage or integrate access control. ACCL designs systems with privacy in mind from day one—secure networks, masked zones for neighbours, and clear logs that satisfy auditors. If you’d like a free compliance walk-through, call 0333 900 0101 or contact us via our website.