Estimated Reading Time: 11 minute(s)

UK CCTV compliance 2026: the practical position for businesses

UK CCTV compliance in 2026 is an important review point for businesses that use cameras to protect people, property, equipment and premises. CCTV remains a widely used security measure, but when footage can identify people it also falls within data protection rules.

The key point is not that CCTV has been replaced by a brand-new standalone law. Instead, 2026 is a sensible time to review systems, policies and settings in light of updated data protection legislation and the ICO’s current review of its video surveillance guidance.

This guide explains the main areas businesses should review, including signage, retention, access control, subject access requests, data protection fees, staff monitoring and secure installation planning.

It is not legal advice, and higher-risk surveillance uses should be reviewed with an appropriate data protection or legal adviser. For the legal framework, see our guide to CCTV laws in the UK. For a practical implementation checklist, see CCTV rules and regulations for UK businesses.

Quick answer

Yes, CCTV is legal for UK businesses in 2026 when it is used for a clear purpose, installed proportionately, explained through signage, kept secure and retained only for as long as needed. For UK CCTV compliance 2026, businesses should review older systems, remote access, retention periods, user permissions and internal responsibilities.

  • Set a clear reason for using CCTV.
  • Avoid recording more than you need.
  • Use visible signage.
  • Restrict access to footage.
  • Keep footage secure and delete it when no longer needed.
  • Have a process for subject access requests.
  • Check whether your business needs to pay the ICO data protection fee.

ICO CCTV and video surveillance guidance |
GOV.UK: using CCTV in your business

0333 900 0101 sales@network-data-cabling.co.uk Contact us

What has changed for CCTV in 2026?

The most accurate way to frame 2026 is as a compliance review point, not as the start of a completely new standalone CCTV regime. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, and the ICO has said its CCTV and video surveillance guidance is under review as a result.

In simple terms, most businesses do not need to replace existing CCTV systems because of a new 2026 rule. They should, however, review why CCTV is being used, where cameras are positioned, whether signage is clear, who can access footage, how long recordings are kept, whether remote access is secure and whether written processes still reflect the system they actually use.

Read the government summary of the Data (Use and Access) Act 2025.

UK CCTV compliance 2026 checklist for businesses

AreaWhat to check
PurposeCan you clearly explain why CCTV is needed?
CoverageAre cameras limited to the areas that are necessary?
SignageAre people told CCTV is operating before or when they enter the monitored area?
AccessIs footage restricted to authorised users only, with strong passwords and account control?
RetentionIs footage kept only for as long as needed, with automatic overwrite or deletion in place?
SecurityAre recorders, cloud accounts, remote access and exports properly secured?
Staff monitoringIf employees may be recorded, is the monitoring justified, explained and proportionate?
Assessment / DPIAHave you documented why the system is needed and whether a DPIA is required or appropriate for higher-risk use?
RequestsCan you identify footage, protect third parties and respond properly to subject access requests?
ICO feeHave you checked whether your organisation needs to pay the ICO data protection fee unless exempt?
Review cycleIs the system checked periodically to make sure it is still needed and configured appropriately?

The ICO also provides a practical self-assessment tool and checklist for organisations using limited CCTV systems.

ICO checklist for limited CCTV systems

1. Reconfirm why your business uses CCTV

Before installing, upgrading or expanding CCTV, your business should be able to explain the reason for using it. A general reference to “security” is a start, but a more useful statement explains the real purpose, such as deterring theft, protecting staff and visitors, monitoring access points or supporting incident investigations.

That defined purpose helps shape camera placement, retention settings, signage and access permissions. It also makes it easier to show that the system is necessary and proportionate rather than excessive.

2. Review whether camera placement is still proportionate

Cameras should be positioned to cover the areas that are genuinely needed for the stated purpose, not every possible angle just because coverage is technically available. Businesses should be especially cautious where cameras may capture neighbouring property, public areas beyond what is necessary, staff rest spaces or sensitive private areas.

Good CCTV design balances security coverage, image quality, privacy and operational practicality. For the legal fundamentals, see our guide to CCTV laws in the UK.

3. Check that CCTV signage is clear and visible

People should know when CCTV is in use. Signs should normally be visible before or as people enter monitored areas, and they should explain that CCTV is operating, why it is being used and who is responsible for the system.

A practical sign may also include a contact route for further information. Clear signage helps demonstrate transparency and reduces confusion for staff, visitors, customers and contractors.

4. Check whether your retention period is still justified

There is no single fixed retention period that applies to every UK business. Footage should be kept only for as long as necessary for the purpose it was collected, and many businesses use around 30 days as a practical working default rather than a legal rule.

Your chosen period should be justified, documented and reflected in the actual recorder or cloud platform settings. You should also know what happens when footage is exported for investigation or legal purposes. For a broader overview, see our guide to CCTV rules and regulations for UK businesses.

5. Review who can access CCTV footage

Access to live and recorded footage should be limited to authorised people who need it for a clear business reason. This is particularly important where systems allow mobile viewing, cloud access or remote administration outside the premises.

Businesses should review user accounts, password standards, access logs, export controls and leaver processes so permissions do not continue indefinitely after roles change.

6. Review remote access and system security

Modern IP CCTV systems rely on sound infrastructure as well as sound policy. Recorder security, network segmentation, firmware updates, PoE capacity, switch configuration and secure remote access all affect reliability and risk.

If your system depends on the wider network, it helps to plan the installation properly from the start. See our guidance on structured cabling for IP CCTV systems and related network infrastructure.

7. Check that staff monitoring is handled carefully

CCTV can be used in workplaces, but employers need to be careful where monitoring affects employees. Cameras should not be used in an excessive, hidden or unjustified way, and systems installed for crime prevention should not casually drift into monitoring routine staff activity or productivity.

If employees may be recorded, be clear about why CCTV is being used, where cameras are located, who can access footage, how long recordings are kept and when footage may be reviewed. Covert monitoring should only be considered in exceptional circumstances. For the underlying legal framework, see CCTV laws in the UK.

8. Make sure you have a process for subject access requests

People can ask for CCTV footage of themselves, so businesses should have a process for identifying relevant footage and responding appropriately. In practice, that means knowing who receives the request, who searches the system, how footage is exported securely and how actions are logged.

You should also be ready to protect the privacy of other people captured in the same footage, including redaction or other appropriate safeguards before disclosure where needed. See GOV.UK guidance on requesting CCTV footage and our own guide to CCTV laws in the UK.

9. Review whether audio recording is necessary

Audio recording is generally more intrusive than video-only CCTV and can be harder to justify. In most business environments, it is safer to avoid audio unless there is a strong, specific and documented reason for using it.

For most commercial systems, clear camera coverage, good image quality and secure recording matter more than conversation capture.

10. Document higher-risk use and review whether a DPIA is needed

Some CCTV use needs more than a basic common-sense review. If your system involves extensive staff monitoring, audio recording, broad public-area coverage, integrated analytics, cloud sharing or other higher-risk features, it is sensible to document the privacy impact and review whether a formal DPIA is appropriate.

Even where a full DPIA is not mandatory, a written assessment helps show that the system was designed deliberately rather than expanded without review.

11. Plan the installation around compliance and reliability

CCTV compliance is easier when the system is designed properly from the start. Businesses should think about coverage, recorder location, remote access, retention settings, handover documentation, network support and who will manage permissions before installation begins.

For practical implementation support, see our pages on CCTV rules and regulations for UK businesses, structured cabling and commercial CCTV installation.

Common CCTV compliance mistakes to avoid in 2026

Many CCTV compliance issues happen when systems are expanded over time without reviewing the original purpose, access controls or retention settings.

  • Adding extra cameras without reviewing the original purpose.
  • Recording neighbouring property or public areas more than necessary.
  • Keeping footage indefinitely or longer than the stated retention period.
  • Leaving old user accounts active after staff leave.
  • Allowing remote access without proper password and account controls.
  • Using unclear, outdated or poorly positioned CCTV signage.
  • Not having a clear process for subject access requests.
  • Using audio recording without a strong, documented reason.
  • Letting older CCTV systems expand without reviewing documentation or responsibilities.
0333 900 0101 sales@network-data-cabling.co.uk Contact us

A note on wider video surveillance technologies

This page focuses on standard business CCTV, but the ICO’s wider video surveillance guidance also covers related technologies such as ANPR, body-worn video, drones, smart doorbells and some forms of facial recognition or analytics. Where surveillance becomes more intrusive or more complex, additional assessment and safeguards may be needed.

See the ICO’s wider video surveillance guidance.

Frequently asked questions (FAQs)

Has UK CCTV law changed in 2026?

CCTV has not been replaced by a completely new standalone CCTV law in 2026. The more accurate point is that the Data (Use and Access) Act 2025 updated parts of the UK’s data protection framework, and the ICO has said its CCTV and video surveillance guidance is under review, which makes 2026 a sensible point to review existing systems and policies.

Is CCTV legal for UK businesses?

Yes. CCTV is legal for UK businesses when there is a clear reason for using it, the system is proportionate, signage is in place, footage is kept secure and recordings are not held longer than necessary.

Do businesses need to pay the ICO data protection fee for CCTV?

Many businesses using CCTV need to pay the ICO data protection fee unless they are exempt. The ICO states that companies using CCTV for crime prevention purposes are required to pay the annual data protection fee, so businesses should check their position rather than assume they are outside the requirement.

How long can a business keep CCTV footage in the UK?

There is no single fixed retention period for every business. Footage should be kept only for as long as necessary for the purpose it was collected, and many businesses use around 30 days as a practical default rather than a universal legal rule.

Do businesses need CCTV signs?

Yes, clear signage is normally expected so staff, visitors, customers and contractors know that CCTV is in operation and understand who is responsible for the system and why it is being used.

Can employers use CCTV to monitor staff?

Employers can use CCTV where there is a clear, justified and proportionate reason, but they should be careful not to use systems excessively or repurpose crime-prevention systems for routine staff monitoring without proper justification. Covert monitoring should only be considered in exceptional circumstances.

Can someone request CCTV footage of themselves?

Yes. People can make a subject access request for footage that identifies them, and businesses should have a process for locating footage, protecting third-party privacy and disclosing recordings securely where appropriate.

Should old CCTV systems be reviewed in 2026?

Yes. Older systems should be reviewed to check whether camera locations, signage, retention settings, recorder security, access permissions and remote access arrangements are still appropriate for current use.

Planning a CCTV upgrade or new installation?

ACCL supports businesses with the technical side of commercial CCTV planning, including camera placement, recorder location, structured cabling, PoE switching, network readiness and clear handover documentation. We do not provide legal advice, but we can help you build a system that is easier to manage, secure and keep under review.

Book a free CCTV site survey or explore our commercial CCTV installation services.

0333 900 0101 sales@network-data-cabling.co.uk Contact us