GDPR compliance for CCTV operators is the set of legal obligations that any organisation operating video surveillance in the UK or EU must meet to lawfully capture, process, and store footage of identifiable individuals. It covers lawful basis, transparency, retention limits, data subject rights, impact assessments, and data processor agreements. Getting it right is not optional — fines for non-compliance can reach €20 million or 4% of global annual turnover.
This page provides general guidance for informational purposes only. It is not legal advice. GDPR obligations vary by organisation type, location, and use case. Always consult your Data Protection Officer or legal counsel for advice specific to your situation.
Every organisation operating CCTV must identify a lawful basis under GDPR for processing personal data through surveillance. Most organisations rely on "legitimate interests" (Article 6(1)(f)) — the argument that surveillance is necessary for the security of people, property, or assets. This requires a documented Legitimate Interests Assessment (LIA) that explains why surveillance is necessary, what alternatives were considered, and how the organisation balances its interests against the privacy rights of individuals captured on camera.
GDPR requires that individuals are informed that CCTV is in operation before they enter a surveilled area. Visible signs must state: that CCTV is in operation, the identity of the data controller (who operates it), the purpose of the surveillance, and contact details for making inquiries. The UK Information Commissioner's Office (ICO) provides a template for compliant CCTV signage.
Footage must not be kept longer than necessary for the purpose for which it was collected. This is the data minimisation principle in practice. Most Data Protection Officers recommend 30 to 31 days as a defensible default for standard commercial CCTV. Longer retention — 60, 90, or 365 days — is permissible if the organisation can document a legitimate reason (e.g. sector regulation, high-risk environment, or ongoing investigation).
Individuals have the right to request a copy of any footage in which they appear — a Subject Access Request (SAR). Organisations must respond within one calendar month. If the footage includes third parties, their faces and identifying features must be redacted before the footage is shared. Organisations should have a documented SAR process before an incident occurs, not after.
A Data Protection Impact Assessment (DPIA) is required when deploying surveillance technology that is likely to result in a high risk to individuals' rights. AI video analytics — particularly systems that analyse behaviour, detect individuals, or monitor at scale — almost always trigger the DPIA requirement. The DPIA must identify the risks, assess their severity, and document the measures taken to mitigate them.
If any third party processes footage on the organisation's behalf — a cloud analytics platform, a managed security service provider, or a cloud storage provider — a Data Processing Agreement (DPA) must be in place. The DPA defines what the processor can and cannot do with the data, the security measures they must apply, and the obligations for data breach notification.
AI video analytics introduces additional GDPR complexity beyond standard CCTV. Three areas require particular attention.
Biometric data: If the analytics system uses facial recognition, gait analysis, or any technique that processes biometric characteristics, the resulting data may qualify as special category data under GDPR Article 9. Processing special category data requires explicit consent or another specific lawful basis — legitimate interests alone is insufficient.
Automated decision-making: If AI-generated alerts automatically trigger access control decisions — for example, locking a door when a detected person is not recognised — this may engage Article 22 rights, which give individuals the right not to be subject to decisions made solely by automated processing that significantly affect them.
DPIA requirements: AI video analytics at any meaningful scale almost certainly requires a Data Protection Impact Assessment. The more the system analyses behaviour, classifies individuals, or operates in public spaces, the stronger the requirement.
UK GDPR — the retained version of the EU regulation — is largely equivalent to EU GDPR in substance. The UK Information Commissioner's Office (ICO) is the UK supervisory authority, while EU member states have their own Data Protection Authorities. Organisations operating in both the UK and EU must comply with both frameworks. In practice, a deployment that meets EU GDPR requirements will also meet UK GDPR requirements.
SafetyScope supports GDPR-compliant deployments through configurable retention policies, comprehensive audit logs that track all access to footage and metadata, and Data Processing Agreement availability for cloud-processed footage. The platform's retention controls enforce automatic deletion at the configured period, and retention hold functionality allows footage to be preserved for specific investigations without extending the default retention policy across all cameras.
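As an added illustration of the retention logic described above and in the retention section earlier (example code written for this page, not SafetyScope's own implementation), the following Python model deletes a clip once its camera's retention window has passed unless an investigation hold covers it, and records every decision for the audit log. Camera names, case references, dates and the per-camera retention periods are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 31  # the defensible default for standard commercial CCTV


@dataclass(frozen=True)
class Clip:
    clip_id: str
    camera_id: str
    recorded_at: datetime  # timezone-aware

@dataclass(frozen=True)
class Hold:  # preserves one camera's footage for one case window only
    case_ref: str
    camera_id: str
    start: datetime
    end: datetime

    def covers(self, clip: Clip) -> bool:
        return clip.camera_id == self.camera_id and self.start <= clip.recorded_at <= self.end

def evaluate_retention(clips, holds, now, per_camera_days=None):
    """Return (clip ids to delete, audit entries). A hold blocks deletion of the
    clips it covers but never extends retention for any other camera or clip."""
    per_camera_days = per_camera_days or {}
    to_delete, audit = [], []
    for clip in clips:
        days = per_camera_days.get(clip.camera_id, DEFAULT_RETENTION_DAYS)
        expires_at = clip.recorded_at + timedelta(days=days)
        active = sorted(h.case_ref for h in holds if h.covers(clip))
        if now < expires_at:
            audit.append((clip.clip_id, "retain", f"expires {expires_at.date()}"))
        elif active:
            audit.append((clip.clip_id, "hold", "held by " + ", ".join(active)))
        else:
            to_delete.append(clip.clip_id)
            audit.append((clip.clip_id, "delete", f"{days}-day retention exceeded"))
    return to_delete, audit

def sample_run():
    """Constructed data: two cameras, one hold, evaluated on a fixed date."""
    now = datetime(2026, 4, 2, tzinfo=timezone.utc)
    ago = lambda d: now - timedelta(days=d)  # noqa: E731
    clips = [
        Clip("c1", "cam-lobby", ago(10)),   # inside the 31-day default
        Clip("c2", "cam-lobby", ago(45)),   # expired, no hold
        Clip("c3", "cam-lobby", ago(40)),   # expired, but covered by the hold
        Clip("c4", "cam-vault", ago(40)),   # vault camera keeps 90 days
        Clip("c5", "cam-vault", ago(100)),  # expired even under 90 days
    ]
    holds = [Hold("INC-0001", "cam-lobby", ago(41), ago(39))]
    return evaluate_retention(clips, holds, now, {"cam-vault": 90})
```

Running `sample_run()` deletes only c2 and c5; c3 stays because of the hold, while the vault camera's longer window applies to that camera alone.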
Published: 2026-02-25 · Updated: 2026-04-02