Commercial CCTV in the UK is regulated primarily by UK GDPR and the Data Protection Act 2018: you must have a lawful purpose for recording, register with the ICO and pay the data protection fee, display clear signage, secure the footage, retain it only as long as necessary (typically 30 days), and be able to answer a subject access request within one month. Get those six things right and you are most of the way to a compliant system.
Understanding the rules matters because non-compliance is not theoretical: the ICO investigates complaints from employees and the public, and footage handled badly can be ruled inadmissible exactly when you need it as evidence.
The legal framework in plain English
As soon as your cameras capture identifiable people — staff, visitors, passers-by — you are processing personal data and UK GDPR applies. The ICO's guidance for video surveillance sets out the expectations. In practice, compliance comes down to a set of concrete obligations rather than abstract principles.
The six obligations that matter
1. A documented, lawful purpose
“Security of premises, staff and stock” is a legitimate interest — but write it down. A short CCTV policy stating why each camera exists, what it covers and who can access footage is the single document that answers most ICO questions. Cameras pointed where they don't need to be (a neighbour's yard, a break room) are where complaints start.
2. ICO registration
Almost every business operating CCTV must register with the ICO and pay the annual data protection fee (from £52 a year for small organisations). It takes minutes. Operating CCTV without registration is the easiest enforcement win the ICO has.
3. Signage
People must know they are being recorded. Signs should be visible before someone enters the monitored area, and state who operates the system and how to contact them. Covert recording is lawful only in narrow, documented circumstances — if you think you need it, take advice first.
4. Security of the footage
In practice this means recorders behind locked doors or in locked cabinets, password discipline on NVRs and viewing apps, named individuals with access, and export logs. If anyone in the building can browse the footage, you do not control the data.
5. Retention
Keep footage only as long as your purpose requires — 30 days is the common commercial standard, extended only where an incident is under investigation. Modern systems do this automatically by overwriting; your policy should state the period and the exception process.
6. Subject access requests
Anyone caught on camera can request their footage. You have one month to respond, you cannot charge in normal cases, and you must protect other people in the frame (blurring where necessary). A system that can export a clip quickly turns a legal duty from a crisis into ten minutes' work.
Employees and monitoring
Workplace CCTV is lawful for security purposes, but staff must be told what is recorded and why — normally via the staff handbook or privacy notice. Using security cameras for general performance monitoring is where employers get into trouble; if the purpose changes, the assessment and the notice must change with it.
How Hawthorne builds compliance in
- Camera placement designed to capture what matters and avoid what doesn't
- Retention configured to your policy, with automatic overwrite
- Access controls and audit trails on recorders and remote viewing
- Evidential-quality export so police and insurers can actually use your footage
- Template signage and a CCTV policy checklist with every commercial installation
Compliance is not a reason to avoid CCTV — it is a reason to install it properly. If you are unsure whether your current system would survive an ICO complaint or a subject access request, we will review it honestly.