There are an estimated 5.2 million CCTV cameras in the UK — roughly one for every thirteen people. They protect commercial premises, deter crime, support investigations and help keep staff and customers safe. For most organisations, operating without them is no longer a realistic option.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, CCTV footage that captures identifiable individuals is personal data. And every camera that captures a face captures personal data. But, as you’ll see, it’s not just faces that are the challenge.
This guide helps you understand: what the law requires of CCTV operators, where compliance breaks down in practice, how obligations differ across sectors, and how automated video redaction helps organisations meet their legal responsibilities.
#Why CCTV creates a data privacy obligation
Under the UK GDPR and the Data Protection Act 2018, any image that can identify a living individual — a face, a distinctive gait, a vehicle number plate — constitutes personally identifiable information (PII). What’s more, the Information Commissioner’s Office (ICO) treats CCTV footage as personal data wherever an individual can be identified, either directly or indirectly.
#What UK law requires of CCTV operators
The primary legal framework for CCTV in the UK is UK GDPR and the Data Protection Act 2018. These are supported by the ICO’s detailed guidance on video surveillance, the Surveillance Camera Code of Practice (issued under the Protection of Freedoms Act 2012), and sector-specific rules in healthcare, education and employment.
Here is a summary of your key obligations.
#The lawful basis for recording
Before deploying CCTV, an organisation must establish a lawful basis for processing. In most commercial settings, this will be legitimate interests, such as security or crime prevention, provided those interests are not overridden by individuals’ privacy rights. A Data Protection Impact Assessment (DPIA) is strongly recommended and, in some contexts, mandatory.
The situation may be different for public authorities, which may instead rely on a public task basis, meaning the processing is necessary for a task carried out in the public interest or under official authority, rather than justified through a balancing of legitimate interests. Consent is rarely appropriate for surveillance because it implies the ability to withdraw, and withdrawing consent from a fixed camera is not a practical option.
#Transparency and signage
People must be told that they are being recorded. In practice, this means placing clearly visible CCTV signage at the entrance to any monitored area. Those signs should identify who is operating the cameras and for what purpose.
The ICO publishes detailed guidance on what signs should include. Requirements differ in the United States, where a patchwork of state laws applies — you can read more about US CCTV signage requirements here.
#Retention limits
You should not keep footage longer than necessary for the purpose for which it was collected. The ICO considers 30 days a reasonable default for most commercial settings, after which footage should be automatically overwritten or deleted.
The exception is when footage is relevant to an incident or an ongoing investigation. It may be retained longer, but the retention period must be documented and justified.
You need to pay attention to the retention rule because personal data cannot simply be collected and left on a hard drive. The law requires it to be:
- collected for a specified and legitimate purpose
- stored securely
- retained no longer than necessary
- protected from unauthorised access.
Bear in mind that you can retain footage that is relevant to an incident or an ongoing investigation longer, but
If someone exercises their right to see footage of themselves, through a data subject access request (DSAR), any third parties visible in that footage must normally be redacted before disclosure.
For an organisation with a handful of cameras in a quiet office, the above obligations may be manageable. But, for a hospital with hundreds of cameras, a retailer with CCTV across dozens of sites, or a transport operator running cameras in every vehicle, the sheer volume quickly becomes a significant operational challenge.
With all this in mind, one of the most practical steps you can take to reduce your data protection risk is to develop a clear retention policy that includes automated deletion rules where possible.
#Security
Access to CCTV footage must be restricted to those with a legitimate need. So systems should be protected against unauthorised access, and appropriate data processing agreements must bind any third-party contractors who can view footage. If you transmit footage over the internet, it must be encrypted.
You can find more details on secure storage practices in our guide to archiving and managing long-term CCTV footage.
#Data subject access requests
Any individual has the right to request access to footage in which they appear. When an organisation receives a DSAR, it must identify the relevant footage, redact any images of third parties who have not consented to disclosure, and provide the footage to the requester free of charge within one calendar month.
Failure to respond — or to properly redact third-party data before disclosure — is an ICO enforcement risk.
#Your five biggest CCTV compliance challenges
Understanding the legal requirements is one thing. But meeting them consistently across a large camera estate, under operational pressure and with limited resources, is another matter.
These are the five compliance challenges that cause the most difficulty in practice:
#1. Responding to data subject access requests at scale
A busy retail site might receive a DSAR covering an incident captured across six cameras over four hours. Identifying the relevant footage, reviewing it, and manually blurring every third-party face before disclosure can take a team several days — and the one-month deadline is already running.
For organisations with high DSAR volumes, manual redaction is simply not viable. The time cost alone makes it difficult to consistently meet the statutory deadline, and the risk of human error — such as missing a face in a single frame — creates its own compliance exposure. Those challenges mean a reliable, repeatable redaction process is essential if your organisation regularly receives DSARs.
#2. Retention and deletion
Many organisations retain footage far longer than the law requires because a retention policy has either not been written or not been enforced. A library of personal data held without justification represents a liability in the event of a breach or a regulatory audit. The solution can be surprisingly simple: all that’s needed is to configure automated deletion in video redaction software.
#3. Third-party sharing
Footage is regularly requested by third parties, such as insurers investigating a claim, solicitors pursuing a litigation matter, employers conducting a disciplinary investigation, or police officers investigating a crime. In most cases, the footage can’t be made available as it is. It will need redacting unless every person has the right to have their data shared.
A police request, for example, does not automatically override the data protection rights of bystanders captured in the footage. Hiding behind GDPR to withhold footage entirely is not a compliant approach either — your obligation is to share the footage, but to redact it first.
#4. Workplace monitoring and employee rights
Employees have privacy rights at work. So CCTV in the workplace must be proportionate, limited to areas where monitoring is genuinely necessary, and communicated clearly to staff. Covert surveillance is, in most circumstances, unlawful.
The ICO expects employers to conduct a DPIA before installing workplace cameras and to inform staff clearly of what is recorded and why.
When footage involving employees is used in disciplinary proceedings, take care to ensure that only relevant material is disclosed and that the employee’s rights under data protection law are respected.
You can read more about employee rights surrounding CCTV cameras in the workplace.
#5. Keeping up with changing guidance
The regulatory landscape for CCTV is continuously evolving. The ICO updates its guidance, the Surveillance Camera Commissioner publishes sector-specific codes, and employment law and case law continue to develop.
If your organisation sets its CCTV policies once and never revisits them, they are likely to soon fall behind the current standard — and a policy that was compliant three years ago may no longer reflect the regulator’s expectations today.
#CCTV in different sectors
The core legal framework applies wherever CCTV is deployed, but the practical challenges — and the specific risks — vary significantly by sector.
#Hotels and hospitality
Hotel guests today have a heightened expectation of privacy, particularly in areas such as corridors near bedrooms. They are increasingly aware of their right to request footage of themselves, and DSARs in hospitality settings often require extensive redaction before footage can be released.
Read more: Hotel CCTV: A Human-Centred Approach to GDPR Compliance · Can Hotel Guests Access CCTV Footage of Themselves?
#Healthcare
Hospitals and care homes operate in environments where patients, residents and visitors are often in vulnerable situations. CCTV in these settings must be carefully justified, tightly controlled and subject to strict access restrictions. The presence of special category health data adds an additional layer of regulatory sensitivity.
Read more: CCTV in Hospitals: Why Cameras and Security Matter · CCTV in Care Homes: The Laws and Challenges.
#Retail
Retailers are among the highest-volume CCTV operators in the UK and among the most frequent recipients of DSARs. The combination of high camera counts, busy stores and frequent loss-prevention incidents means that both the compliance burden and the efficiency gains from automated redaction are at their highest in this sector.
Read more: Behaviour Detection and Video Redaction: Crime in Retail.
#Housing and public spaces
Housing associations and local authorities operating CCTV in public areas must demonstrate that the surveillance is proportionate and that footage is properly protected. Public-space cameras raise heightened concerns around surveillance creep and community impact.
Read more: Housing Associations and CCTV in Public Areas.
#Transport and logistics
In-vehicle cameras — dashcams, body-worn cameras, train and bus CCTV — generate large volumes of footage that capture both passengers and other road users. In those situations, retention, access and redaction obligations apply just as they do to fixed cameras. Still, managing footage from a moving fleet adds logistical complexity that fixed-site operators do not face.
Read more: How Long Should CCTV Footage Be Kept? · How to Archive and Manage Long-Term CCTV Footage Securely.
#How video redaction resolves the compliance gap
Video redaction is the process of obscuring identifying information in footage before it is shared. In a CCTV context, that typically means blurring faces, vehicle number plates and other identifying features — while leaving the events of interest clearly visible.
#Why manual redaction falls short
For many years, organisations that redacted footage did so manually, frame by frame, using video editing software. It is a process that can take hours or days, even for a short clip, requires specialist skills, and carries a high risk of human error — for example, a single missed frame can leave third-party PII exposed.
For an organisation receiving ten DSARs a month, each involving footage from multiple cameras, manual redaction quickly consumes more resources than most teams can spare.
#Identity Cloak for CCTV video redaction
Identity Cloak is designed specifically for this workflow. It processes CCTV footage from any camera system, automatically detects and blurs faces, vehicle plates and other identifying information, and produces a redacted file ready for disclosure. What used to take hours now takes minutes. Identity Cloak handles the detection and tracking; the operator reviews the output and exports the redacted file.
It enables you to efficiently handle:
- DSARs: automated face and body redaction satisfies the access right while protecting third-party privacy, and reduces response time from days to minutes.
- Third-party sharing: redaction tools produce a tamper-evident audit trail recording what was redacted, by whom, and when. The original footage is preserved; only the disclosed version is redacted.
- Retention: scheduling automatically flags footage for deletion once its storage period expires, supporting data minimisation obligations.
Identity Cloak can be deployed as an on-premise desktop solution — keeping footage within your own secure environment — or as a plug-in for Milestone XProtect. It handles legacy video formats, supports audio redaction for bodycam and mobile phone footage, and offers flexible blur settings including face, body and inverse blur modes.
On average, our customers complete their redaction projects in under 30 minutes.
Ready to see Identity Cloak in action? Download a 7-day free trial of Identity Cloak and process your first CCTV clip today. Or talk to the team about CCTV redaction for your organisation.
#Explore CCTV topics
The articles and resources below cover every aspect of CCTV compliance in depth.
#GDPR & Compliance
GDPR and CCTV in the Workplace: A Complete Guide — The most comprehensive guide on site: lawful basis, DPIAs, employee rights, DSARs, penalties and more.
Guide to CCTV Video Redaction and GDPR Compliance — Step-by-step guide to what redaction is required, when and how.
CCTV and GDPR: A Privacy Challenge — Why CCTV footage is personal data and what that means in practice.
CCTV and Privacy — ICO guidance, the privacy checklist, and the balance between security and rights.
CCTV Redaction Software for Business Compliance — Choosing the right software: features, compliance requirements and cost considerations.
Hiding Behind GDPR Is No Defence for Withholding CCTV Footage — Why refusing to share footage by citing GDPR is not a compliant approach.
GDPR Pulls the Plug on Live CCTV in Ireland Council — A case study in what happens when CCTV systems fail to meet data protection standards.
#Workplace & Employee Rights
Employee Rights Surrounding CCTV Cameras in the Workplace — What employers can and cannot do: UK law, proportionality and ICO expectations.
#Sector-Specific
Hotel CCTV: A Human-Centred Approach to GDPR Compliance — Privacy-by-design for hospitality: camera placement, guest rights and DSAR handling.
Can Hotel Guests Access CCTV Footage of Themselves? — Guest rights explained: what they can request and how hotels must respond.
CCTV in Hospitals: Why Cameras and Security Matter — Healthcare CCTV: safeguarding, access controls and the specific risks of the sector.
CCTV in Care Homes: The Laws and Challenges — Consent, safeguarding and the legal framework for surveillance in care settings.
Housing Associations and CCTV in Public Areas — Tenant privacy, proportionality and the obligations on housing providers.
Behaviour Detection and Video Redaction in Retail — Using CCTV analytics for crime prevention while staying on the right side of privacy law.
#Technical & Practical Guidance
Can CCTV Cameras Work Without the Internet? — Local vs cloud storage, offline operation and the implications for data security.
How Long Should CCTV Footage Be Kept? — Retention periods, ICO guidance and how to set up automatic deletion.
How to Archive and Manage Long-Term CCTV Footage Securely — Storage architecture, encryption and access controls for footage archives.
CCTV Signage Requirements in the UK — ICO-compliant sign placement, wording and size requirements.
CCTV Signage Requirements in the U.S. (2025) — State-by-state guide to US signage law for surveillance systems.
#Informational
Benefits of CCTV for Businesses — Beyond security: the full range of operational and safety benefits of CCTV.
The History of CCTV in the UK — From Liverpool Street Station in 1961 to AI-powered analytics: how CCTV evolved.
The Power of CCTV Footage as a Training Medium — How redacted CCTV footage is being used for staff training and process improvement.
Manage your CCTV compliance with Facit. Identity Cloak automates the redaction of faces, number plates and other identifying information in CCTV footage, cutting hours of manual work to minutes. Available as an on-premise installation or as a Milestone XProtect plug-in.