
Navigating the New UK CCTV Legal Landscape: What Your Business Needs to Know in 2025


New UK CCTV Law: What Your Business Needs to Know in 2025

The world of commercial CCTV has just become significantly more regulated. As a data cabling company that’s worked alongside countless businesses implementing surveillance systems over the years, we’ve witnessed firsthand how technology evolves – but rarely have we seen such sweeping legislative changes happen so quickly.

The Data (Use and Access) Act 2025, which came into effect on 19th June 2025, has fundamentally shifted the legal framework surrounding CCTV operations in the UK. While these changes might seem daunting at first glance, they’re ultimately designed to create a fairer, more transparent environment that protects individuals while still allowing businesses to maintain effective security measures.

Understanding the Big Picture

Before diving into the specifics, it’s worth understanding why these changes have come about. The rapid advancement of AI-powered surveillance, facial recognition technology, and automated decision-making systems has outpaced existing regulations. The new legislation isn’t just about traditional CCTV anymore – it’s about creating a framework that can handle the sophisticated surveillance technologies of today and tomorrow.

The Data (Use and Access) Act doesn’t replace existing data protection laws like GDPR, but rather builds upon them, creating additional layers of protection and compliance requirements. Think of it as adding extra safety nets rather than starting from scratch.

The Key Changes That Affect Your Business

AI and Automated Decision-Making: The New Frontier

If your business uses CCTV systems that incorporate AI, facial recognition, or any form of automated processing, you’ll need to implement additional safeguards. This includes providing clear information to individuals about how significant decisions are made, allowing people to challenge automated outcomes, and ensuring meaningful human intervention is possible when needed.

What does this mean in practice? If your system automatically flags someone as a security risk or makes access control decisions, you’ll need clear processes for review and appeal. It’s not enough to simply have the technology – you need robust human oversight systems in place.

Subject Access Requests: New Rules, More Flexibility

The legislation introduces a “stop the clock” rule for subject access requests. When someone asks to see CCTV footage of themselves, you can now pause the response deadline while waiting for clarification from the requester. You’re also only required to conduct “reasonable and proportionate” searches to locate relevant footage – a welcome change that prevents businesses from having to undertake impossibly extensive searches.

However, once you have the necessary information, the standard one-month response time still applies. The key is maintaining good documentation so you can locate relevant footage efficiently when needed.

Legitimate Purposes: Being Specific Matters

Gone are the days when “general security” was sufficient justification for CCTV installation. You now need specific, documented reasons that are both necessary and proportionate to the problem you’re addressing. Crime prevention, protecting staff safety, or monitoring access to sensitive areas are all valid purposes – but they need to be clearly defined and documented.

This requirement extends to ensuring your surveillance is proportionate. A small retail shop probably doesn’t need the same level of surveillance as a high-security facility, and your CCTV setup should reflect this reality.

Data Retention: Stricter Rules, Clearer Schedules

The new legislation tightens requirements around how long you can keep CCTV footage. Data must be deleted once it’s no longer necessary for its original purpose, and businesses are required to establish and follow clear retention schedules.

This isn’t just about storage space anymore – it’s a legal requirement. Many businesses we work with are finding that implementing automated deletion systems not only ensures compliance but also reduces storage costs and simplifies data management.

Covert Surveillance: Almost Always Off-Limits

Secret cameras are now almost always unlawful except in rare, serious cases involving proven criminal conduct. Even then, such measures must be temporary, fully justified, and extensively documented. For most commercial businesses, this effectively means all surveillance must be overt and properly signposted.

Security and Access Controls: Encryption is Expected

Regulators increasingly expect businesses to use encryption and strict access controls for CCTV systems. Role-based access control means only personnel with a legitimate need should be able to view footage. If you’re still using systems where multiple people share login credentials or where footage is stored unencrypted, it’s time for an upgrade.

Field of Vision: Avoiding Unnecessary Intrusion

Your cameras should only cover areas relevant to their intended purpose. This means avoiding accidentally filming neighbouring properties, public walkways unrelated to your business, or private areas where people have a reasonable expectation of privacy. It’s about being surgical rather than sweeping in your surveillance approach.

Workplace Surveillance: Tighter Controls

Requirements for workplace CCTV have become more stringent, covering how footage is captured, stored, accessed, and shared. Audio recording is particularly discouraged unless absolutely necessary and properly justified. Many businesses are finding it easier to simply disable audio recording rather than navigate the additional compliance requirements.

Transparency and Signage: Non-Negotiable Requirements

Perhaps one of the most visible changes is the enhanced requirement for clear, comprehensive signage. Your CCTV signs must now be in plain English and include the purpose of surveillance, your business name as the operator, and contact information for questions or concerns.

But signage is just the beginning. Privacy information should be available through multiple channels – posters, staff portals, induction handbooks, and your website. The goal is ensuring anyone who might be recorded understands how their data is being used and can easily find out more if they need to.

Maintenance and Registration: The Administrative Side

Regular, documented maintenance of CCTV systems is now a formal expectation, not just good practice. This links directly to insurance validity – many insurers are already updating their policies to require compliance with the new standards.

Additionally, all businesses operating CCTV must register with the Information Commissioner’s Office and pay the annual data protection fee. Non-compliance can result in fines up to £500,000 – a significant penalty that makes registration a business-critical requirement.

Special Considerations: Martyn’s Law

For public venues with a capacity of 200 or more people, Martyn’s Law introduces additional requirements for counter-terrorism preparedness. This explicitly involves enhanced CCTV usage alongside staff training and risk assessments. If your business falls into this category, you’ll need to consider security not just from a general safety perspective but specifically from a counter-terrorism angle.

The Implementation Timeline

The changes didn’t happen overnight. The legislation came into effect on 19th June 2025, but implementation is being phased in over the following year. This gives businesses time to adapt their systems and processes, but it also means compliance requirements will continue evolving as new guidance is released.

The Information Commissioner’s Office is currently reviewing all CCTV guidance, with updates expected throughout 2025 and into 2026. This creates both challenges and opportunities – while the regulatory landscape continues to shift, businesses that stay ahead of the curve will find themselves better positioned as requirements solidify.

Practical Steps for Compliance

So, what should your business be doing right now? Start with an audit of your current CCTV usage against the new requirements. Review your signage, update your privacy notices, and ensure you have clear documentation for your surveillance purposes, retention policies, and maintenance schedules.

If you haven’t already, register with the ICO and ensure you’re paying the required fees. Provide staff training on the new rules, particularly for anyone who has access to CCTV footage or makes decisions based on surveillance data.

Most importantly, don’t treat this as a one-time exercise. The regulatory environment will continue evolving, and staying compliant means staying informed about ongoing changes.

Looking Forward

While these changes represent a significant shift in how businesses must approach CCTV, they’re ultimately about creating a more balanced approach to surveillance – one that protects individual privacy while still allowing legitimate security needs to be met.

The businesses that will thrive in this new environment are those that view compliance not as a burden but as an opportunity to implement more efficient, secure, and professionally managed surveillance systems. Yes, there are new requirements to meet, but many of these changes also represent best practices that forward-thinking businesses should have been following anyway.

The key is to approach these changes proactively rather than reactively. By understanding the requirements, implementing proper systems and procedures, and staying informed about ongoing developments, your business can maintain effective security while fully complying with the new legal landscape.

Remember, this isn’t just about avoiding penalties – it’s about building trust with your employees, customers, and the broader community by demonstrating that you take privacy and data protection seriously while maintaining the security standards your business requires.


Key Takeaways

  • UK GDPR & Data Protection: Businesses must comply with the Data Protection Act 2018 and UK GDPR, meaning clear signage, restricted access, secure storage, and transparent notifications are mandatory for workplace CCTV.

  • Data Retention Policy: New laws require footage to be deleted promptly when no longer needed for its original purpose; indefinite retention is prohibited, and the retention policy must be documented.

  • Privacy Impact Assessment: A Data Protection Impact Assessment (DPIA) is essential before installing CCTV, especially for systematic monitoring or in areas where privacy is expected.

  • Subject Access Requests (SARs): Organisations must respond to requests for footage from individuals recorded, usually within one month, and redact third-party data as needed.

  • Cybersecurity & AI Surveillance: Ensure strong encryption, access control, and regular updates to defend against hacking. Be transparent and cautious when deploying AI features like facial recognition.

  • Proportionate Monitoring: Surveillance must be justified, avoiding excessive coverage and strictly excluding private or sensitive employee areas.

These key points help UK businesses understand how to balance effective surveillance with privacy obligations and regulatory demands in 2025.
