Estimated Reading Time: 13 minute(s)

What to think through before you install commercial CCTV

CCTV rules and regulations UK businesses need to follow are not usually complicated, but they do need to be considered before cameras are installed. Most businesses we speak to already know they need CCTV. What they are less clear on is what needs to be in place before the cameras go up, and how the system should be managed once it is live.

Installing commercial CCTV in the UK does not need to be complicated, but it does involve more than choosing the right cameras and finding somewhere to put them.

You need to think about where footage is stored, who can access it, how long it is kept, what signage needs to go up, and whether the system is proportionate for the areas being monitored. Get those things right from the start and the installation is straightforward.

Overlook them and you can find yourself dealing with complaints, access requests, or ICO scrutiny further down the line.

This guide gives you a practical checklist to work through before your system goes in, with a clear focus on the CCTV rules and regulations UK businesses need to consider.

For the wider legal framework behind these requirements, read our guide to CCTV laws in the UK.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Why the rules matter for commercial CCTV

CCTV cameras that record identifiable people are capturing personal data. That brings them under the UK General Data Protection Regulation and the Data Protection Act 2018. Unlike domestic systems, businesses do not benefit from the household exemption, which means the full requirements apply regardless of how small the company is or how few cameras are involved.

The Information Commissioner’s Office is the UK’s independent regulator for data protection. If a complaint is made about how your CCTV system is being used, the ICO may investigate. Non-compliance can result in formal enforcement action and financial penalties, but the more immediate risk for most businesses is the reputational damage that comes from being seen to have handled staff or visitor data carelessly.

None of this should put you off installing CCTV. It is a legitimate and valuable part of any commercial security setup. The key is understanding the CCTV rules and regulations UK businesses are expected to follow before the system goes live.

Start by defining why you need it

Before deciding where cameras go, it is worth being clear about what the system is actually for. This is one of the most important parts of the CCTV rules and regulations UK businesses need to think through, because each camera should have a clear purpose.

That might sound obvious, but it matters for compliance and it matters practically when someone asks you to justify a camera in a particular location.

Common reasons businesses install CCTV include protecting entrances and exits, monitoring loading bays and stock rooms, improving safety in car parks, deterring theft or vandalism, and supporting investigations after incidents. These are all legitimate purposes. What they have in common is that they are specific.

A camera pointed at the main entrance because people need to be able to identify who is coming in is a defined operational requirement. A camera pointed at a desk because someone once thought it might be useful is not. The ICO expects businesses to document why surveillance is needed in each location. Doing that exercise properly also makes it much easier to decide which cameras are necessary and which are not.

Think carefully about camera placement

The question of where cameras can go is less about whether it is physically possible to install one and more about whether it is proportionate and justified given the purpose. That is why camera placement sits at the centre of CCTV rules and regulations UK businesses need to follow.

Cameras covering entrances, exits, reception areas, car parks, warehouses, loading bays and stock rooms are generally straightforward to justify. These are areas with a clear security purpose and a reasonable expectation that some monitoring may be taking place.

Areas that need more careful consideration include meeting rooms, open plan offices where staff work throughout the day, and any space where a higher expectation of privacy exists. It is not that cameras can never be installed in these locations, but the justification needs to be clear and the need genuine.
Toilets and changing areas should be treated as off limits. There are very few circumstances under which surveillance in those spaces could ever be justified, and the ICO is explicit on this.

It is also worth thinking about what your cameras will capture incidentally. A camera covering your car park may also pick up part of a public pavement or a neighbouring property. That collateral capture should be acknowledged, minimised where possible, and documented.

Decide who can access recordings

This is one of the areas that businesses most often leave vague, and it is worth getting right before the system goes in rather than after.

Access to live footage and recorded footage should be limited to people with a clear reason to view it. That usually means a small number of named individuals, typically a security manager, a senior member of the facilities or operations team, and whoever is responsible for data protection in the organisation.

Password-protected access is the standard approach for IP CCTV systems. Where remote viewing is enabled, that access should be equally controlled.

You also need to be clear about what happens when a subject access request comes in, someone asks to see footage they appear in, or the police or an insurer requests recordings. Having a named person responsible for handling those requests, and a documented process for doing so, means you are not trying to work it out under time pressure when it actually happens.

Set a sensible footage retention period

There is no single retention period that applies to every business. The legal requirement is that footage is kept only for as long as it is needed for the purpose it was collected.

In practice, 30 days is the standard for most commercial sites. That gives enough of a window to identify and investigate incidents while keeping the retention period proportionate. Some businesses have good reasons to keep footage for longer, for example, a site that operates on a seasonal basis with extended periods of low activity. Others may find that 14 days is sufficient.

The important thing is that the retention period is defined, applied consistently, and that footage is actually deleted when the period expires rather than accumulated indefinitely.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Can employers use CCTV to monitor staff?

Yes, but it requires care. Staff monitoring is one of the areas where CCTV rules and regulations UK businesses need to handle particularly carefully.

CCTV installed for security purposes, covering entrances, exits, common areas and secure zones, is generally straightforward to justify. Using the same cameras to track staff behaviour, monitor productivity, or record specific individuals without their knowledge is a different matter and requires a much stronger justification.

The starting point is transparency. Your staff should know CCTV is in use, where cameras are located, and what the footage may be used for. This should be communicated directly, not buried in a staff handbook that nobody reads. If your system is likely to have a significant impact on staff privacy, a Data Protection Impact Assessment is required under UK GDPR, and that assessment needs to be completed before the system goes live, not after.

Covert monitoring of employees is possible in limited circumstances, such as where there is a genuine suspicion of serious wrongdoing, but it carries significant legal risk and should only be considered with proper legal advice.

Think about how CCTV connects to the rest of your security setup

CCTV rarely works in isolation. On most commercial sites, it sits alongside access control, intercoms, data cabling and network infrastructure, all of which need to be considered together.

IP CCTV systems run over your data network. That means the cabling infrastructure needs to support them, the network switches need to have Power over Ethernet capacity for the cameras, and the recording equipment needs somewhere to live. If you are also upgrading access control or installing new intercoms at the same time, the cabling for all of those systems can often be planned and installed together, which is significantly more efficient than treating them as three separate projects.

A site survey before installation gives you an accurate picture of what your building can support, where cameras can realistically be positioned, and what the most sensible routing is for the cabling. It also gives your installer the information they need to scope the work accurately and avoid costly changes once work has started.

Your pre-installation checklist

Before your commercial CCTV system goes in, it is worth being able to answer yes to each of the following:

  • We have defined the specific purpose for each camera location.
  • We have checked that cameras are only covering areas where surveillance is proportionate.
  • We have considered and documented any incidental capture of neighbouring or public areas.
  • CCTV signage is in place so that staff, visitors and contractors are aware the system is in operation.
  • Access to live and recorded footage is restricted to named, authorised individuals.
  • We have a process in place for handling subject access requests.
  • A footage retention period has been set and is being applied.
  • Footage is stored securely and access is password protected.
  • Staff have been informed that CCTV is in use and why.
  • The system has been planned alongside our wider security infrastructure, including access control and data cabling.
  • The installation is being carried out by a professional commercial CCTV installer.
0333 900 0101 sales@network-data-cabling.co.uk Contact us

What a professional installation actually involves

A good commercial CCTV installer does more than fit cameras. They should understand the practical side of CCTV rules and regulations UK businesses need to consider, as well as the technical requirements of the installation.

They should assess your site, advise on camera placement and coverage, identify blind spots, plan cable routes, specify the right recording equipment for your needs, and make sure the system integrates properly with your network and any other security systems already in place.

At ACCL, we carry out a free site survey before any installation. That visit gives us everything we need to scope the work accurately, recommend the right system for your premises, and make sure what gets installed is compliant, proportionate, and built to last.

Key Takeaways

CCTV rules and regulations UK businesses need to follow are not just about choosing cameras. Before installation, your business needs to be clear on why surveillance is needed, where cameras will be placed, who can access footage, how long recordings will be kept and how people will be informed.

The main risk comes from treating CCTV as a simple fit-and-forget system. Cameras need to be proportionate, justified and managed properly once they are in use, especially where staff, visitors or members of the public may be recorded.

A professional site survey helps you get those decisions right before work begins. It gives you a clear plan for camera locations, cabling, recording equipment, signage, access control and how the system fits into your wider security setup.

Done properly, CCTV gives your business stronger security and better visibility without creating avoidable compliance issues.

If you are reviewing an older system or planning an upgrade this year, see our UK CCTV compliance 2026 checklist.

FAQs

Q. Do businesses need to follow CCTV rules and regulations in the UK?

A. Yes. If your CCTV records identifiable people, it is classed as personal data under UK GDPR and the Data Protection Act 2018. That means your business needs to consider privacy, signage, footage access, retention periods and how the system is managed day to day.

Q. How long should a business keep CCTV footage?

A. There is no single retention period that applies to every business. Many commercial sites use around 30 days, but the key point is that footage should only be kept for as long as it is needed for the purpose it was collected.

Q. Can businesses use CCTV to monitor staff?

A. Yes, but it needs to be handled carefully. CCTV used for security purposes is usually easier to justify than CCTV used to monitor staff behaviour or productivity. Staff should know where cameras are located, why they are being used and what the footage may be used for.

Q. Do businesses need CCTV signage and do staff need to be told?

A. Both. Signage should be clearly visible at the entrance to any area covered by cameras, explaining that CCTV is in operation and who is responsible for the system. Staff should also be told directly that CCTV is in use, where cameras are located and what the footage may be used for. Signage alone is not enough where employees work in surveilled areas.

Q. Can CCTV cameras cover public areas or neighbouring properties?

A. CCTV should only capture what is necessary for the purpose of the system. If a camera records part of a public pavement, road or neighbouring property, that capture should be minimised where possible and documented. A professional site survey before installation helps plan camera angles correctly so you are not recording more than you need to.

Q. Who should be allowed to view business CCTV footage?

A. Access to CCTV footage should be limited to named, authorised people who have a clear reason to view it. For most businesses, this means a small number of senior, security, facilities or operations staff. Live viewing, recorded footage and remote access should all be password protected and managed properly.

Q. Do businesses need to register with the ICO?

A. Most businesses that operate CCTV will need to pay a data protection fee to the ICO and register as a data controller. The fee depends on the size of your organisation, starting at £40 per year for small businesses. You can check whether you need to register and pay the fee on the ICO website.

Q. What happens if a member of staff or visitor asks to see CCTV footage?

A. Anyone recorded on your CCTV has the right to request access to footage of themselves under UK GDPR. Your business should have a named person responsible for handling those requests and a clear process for responding within the one month legal deadline. Where footage includes other people, you may need to redact those individuals before sharing it.

Planning CCTV for your business?

We can survey your site, advise on camera locations and compliance, and install a commercial CCTV system that works alongside your access control, intercoms and network infrastructure.
Book a free site survey.

Related: CCTV laws UK | UK CCTV compliance 2026 checklist | CCTV Employee Rights

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Get in touch today

Have a no-obligation chat with one of our data cabling experts, who can recommend a solution to suit your requirements and budget.

0333 900 0101 sales@network-data-cabling.co.uk Contact us