CCTV isn’t just a security add-on anymore; it’s woven into daily business life. Whether you run an office, a warehouse, a school, or even a construction site, you probably rely on cameras to keep people safe, spot trouble, and back up your side of the story if something goes wrong. But here’s the thing: as soon as those cameras start recording people you can identify, your business steps into the world of data protection law. And that’s a big deal, especially now.
The Data (Use and Access) Act 2025 shook things up when it kicked in on 19 June 2025. It doesn’t throw out the old data protection rules, but it does shift what’s expected from businesses, CCTV included. In other words, the way you’ve been handling surveillance might not cut it anymore. It’s time to take a hard look at your systems and policies.
So, what does the law actually say? Why does it matter? And what do you need to do differently now?
The Basics of UK CCTV Laws
When people mention “CCTV” laws in the UK, they’re really talking about a mix of regulations and guidance, not just one rulebook. The key ones are:
- UK GDPR – This sets the core rules for how CCTV footage (personal data) must be collected, used and stored. It requires organisations to be lawful, transparent and accountable, and to complete a DPIA where surveillance poses high risk.
- Data Protection Act 2018 – This sits alongside UK GDPR and sets out UK-specific exemptions, enforcement powers and obligations. It underpins how organisations must handle personal data, including CCTV footage, in practice.
And the supporting guidance:
- Information Commissioner’s Office (ICO) – The UK’s data protection regulator. It enforces the law, issues penalties and provides guidance on how CCTV and surveillance should be used safely, fairly and compliantly.
- Surveillance Camera Code of Practice – A set of principles under the Protection of Freedoms Act 2012 guiding the responsible and proportionate use of CCTV, especially in public-facing areas. Mandatory for public authorities, best practice for everyone else.
These rules aren’t here to ban CCTV. They’re about finding the sweet spot between safety and respecting people’s privacy. If you’re using cameras, you need a solid reason for them and must show you’re not overstepping or using indiscriminate blanket coverage. It’s all about clear purpose, transparency, and handling footage the right way.
What does that look like in real life? You install cameras for specific reasons, you tell people what’s going on, and you put sensible limits in place. No more catch-all, “just in case” monitoring.
Why Compliance With CCTV Laws is Important
Understanding CCTV and the law in the UK is not just a compliance exercise. When you do it well, you build trust. Employees, customers, visitors, they’re all more comfortable when they know what’s being recorded and why. If you go overboard or stay silent about your cameras, people notice. You risk souring workplace morale and racking up complaints.
There’s the money side too. Insurers and regulators want to see that your systems meet current standards. Cut corners, and you could face fines, a dented reputation, or headaches if you ever need to use your footage in court or with insurance.
And, honestly, clear rules just make life easier. When you know exactly why each camera is there and how long to keep the videos, your system runs more smoothly and costs less to manage.
Who and What is Covered by CCTV Regulation
The UK law on CCTV applies to most organisations that operate surveillance systems capturing identifiable individuals. If your cameras capture people as part of a business or organisation, the law almost always applies. The only real exception is when you install CCTV purely for home use.
Responsibility falls squarely on the data controller, that’s the business or group that decides why you’re filming and what happens to the footage. Even if you hire someone else to set up or watch the cameras, you’re still on the hook for following the law.
The rules go beyond basic video cameras now. Today’s CCTV might include:
- IP cameras and video management software
- Automatic number plate recognition (ANPR)
- Integrated access control and door systems
- Analytics and AI‑driven alerts
- In some cases, body‑worn cameras or audio capture
It all counts. You need to know where the data goes, how it’s stored, who sees it, when you delete it, and how you keep it safe.
ICO Guidance and Data Protection Impact Assessments (DPIAs)
If your CCTV system goes beyond basic recording, you may need to complete a Data Protection Impact Assessment (DPIA). Under UK GDPR and ICO guidance, a DPIA is legally required before processing starts where surveillance is likely to create a high risk to people’s rights and freedoms.
This often applies when CCTV involves:
- New or intrusive technologies, such as AI or automated analytics
- Systematic or extensive monitoring
- Large-scale processing of sensitive data
- Public-facing surveillance
The responsibility for raising and completing a DPIA always sits with the data controller, the organisation that decides why and how CCTV is used. It is usually led by the project manager or system owner, with input from the organisation’s Data Protection Officer (DPO) where one exists. Suppliers and installers must support the process by providing technical details about the system.
End users, such as employees or members of the public, do not raise DPIAs themselves. They may be consulted as part of the assessment, but the legal duty remains with the organisation. If you’re concerned about a new or upgraded CCTV system, the right step is to ask your DPO or Information Governance team whether a DPIA has been carried out.
Live Facial Recognition and the Law
Live Facial Recognition (LFR) is one of the most tightly regulated forms of surveillance in the UK. Because it involves biometric data that can uniquely identify people, its use is governed by UK GDPR, the Data Protection Act 2018, and human rights law, particularly the right to privacy under Article 8 of the Human Rights Act.
LFR can only be used where it is lawful, necessary, and proportionate to a specific aim. For police, this means showing that LFR is strictly necessary for a clear law enforcement purpose, such as locating a named suspect or preventing an immediate threat. For private organisations, using LFR in public spaces is extremely difficult to justify. Consent is rarely valid in these settings, so businesses would need to rely on legitimate interests that clearly outweigh the privacy rights of the public.
Before any deployment, a full Data Protection Impact Assessment (DPIA) is mandatory. Organisations must also minimise data collection by deleting non-matching faces quickly, ensure the system is accurate and tested for bias, and be transparent about its use through clear signage and public information.
Retention rules are strict. Watchlists used for specific deployments should be deleted shortly after the operation ends, and footage is typically kept only for a limited period unless required for an active investigation.
The ICO oversees the use of LFR and has made it clear that public-space deployments are lawful only in very limited circumstances. If risks identified in a DPIA cannot be reduced, the ICO must be consulted before moving forward.
Responsibilities Of Business Owners
If you run a business with CCTV, you’ve got a checklist to follow.
- Nail down a clear, legal reason for every camera: Saying it’s “for general security” doesn’t cut it anymore. Be specific, maybe you’re stopping theft, protecting staff in a certain area, or keeping sensitive spaces secure.
- Keep it proportionate: Only point cameras where you need them and avoid filming private areas or the neighbours. No one wants to feel like they’re under constant watch, and the law backs that up.
- Transparency really matters: People need to know when CCTV is running, so clear signs should spell that out. Organisations also owe folks straightforward privacy info, who’s behind the cameras, what they’re watching for, how long they keep the footage, and what you can do if you have questions or want to see your own images.
- Storage: Storing footage safely isn’t optional anymore. Only trusted staff get access, and that’s managed with things like assigned roles, strong logins, and audit trails that track who’s seen what. These aren’t just nice-to-haves now, they’re the baseline.
Laws On CCTV Footage
CCTV laws mostly care about what happens after cameras record people. As soon as someone’s face or details show up on footage, that recording counts as personal data, and the rules kick in.
Footage needs to stay secure, and only people with a real reason should look at it. There’s no room for casual viewing, shared accounts, or dumping clips outside the system, which just opens the door to risk.
A lot of companies trip up on retention. You can’t just keep CCTV footage forever. Set a clear timeline based on why you’re recording and what risks you’re dealing with, then delete footage when it’s not needed. If a clip ties to an incident, then sure, keep it for as long as the investigation or legal process lasts.
People have a right to ask for footage of themselves. Organisations get about a month to answer, and sometimes have to blur or edit out other people who show up in the video.
Key Changes To UK CCTV Laws That Affect Your Business
The Data (Use and Access) Act 2025 is a big one. It’s shifted the ground rules for surveillance, especially if your CCTV uses newer tech.
The act builds on what’s already in place for data protection,but adds tougher rules for systems using automation. For example, if a system makes decisions by itself, you need to explain those decisions, let people challenge them, and make sure there’s real human oversight.
There’s also a new “stop the clock” rule for subject access requests. If you need more info from someone to find their footage, you can pause the response time, as long as your search stays fair and reasonable.
The act spells out what counts as a legitimate interest, like crime prevention or safeguarding, but also turns up the heat on transparency and how complaints and data are managed.
You can find official advice on these changes through the UK Government, and the full law is out there for anyone who wants to dig into the details.
What This Means In Practice For Your Business
You don’t need to overhaul your CCTV overnight, but you do need to take a hard, structured look at how your system operates and whether it still meets today’s legal standards
Check where your cameras point, review your signs and privacy notices, double-check how long you keep footage, and think about whether any analytics or connections to other systems create new compliance headaches.
Getting help from a security specialist can make all this a lot smoother. A smart surveillance system, built with the right security and controls, goes a long way toward keeping you compliant.
Advantex designs and supports IP video surveillance and access control systems that strike the right balance between strong security and meeting the rules. Contact us if you would like a clear assessment of where you stand and practical steps to get everything compliant and working smoothly.
