
CCTV cameras capture people’s identity, which presents a GDPR data privacy problem

CCTV Privacy Concerns.
The UK is one of the most video monitored societies, with around 6 million CCTV cameras in operation, or one camera for every eleven people.

CCTV and GDPR: A privacy challenge

Organisations use CCTV recording to prevent crime, ensure health and safety and monitor the workplace. When it comes to privacy and data protection rights, there has been much discussion. Privacy plays a crucial role in the exercise of many other rights, such as freedom of expression, freedom of association and freedom of religion.

Any CCTV system that monitors or records the activities of individuals constitutes the processing of personal data under the General Data Protection Regulation (GDPR).

You will find that Chief Data Officers at local councils post their council’s fair processing policies, such as this typical example from The City of Westminster, right alongside subject access request (SAR) forms for anyone who wants to know what personal data is kept and how it is used. Check out our guide to CCTV video redaction and GDPR compliance strategies.

Subject access requests and data privacy

As with any other form of personal data, data subjects have a right to access their own data. If you are preparing footage for disclosure in response to a data subject access request, you will need to ensure that supplying it does not disclose the personal data of any third parties. This requires blurring parts of the footage such as faces and licence plates.

Under GDPR, in order to ensure CCTV data protection and deal with any surveillance privacy issues, the information must be provided to the data subject free of charge and the footage must be supplied within 30 days of your receipt of the request.

Organisations should implement GDPR compliance strategies to ensure video surveillance regulations and best practice for CCTV privacy compliance are followed. These include:

  1. Ensuring people know they are being recorded

  2. Stating clearly why CCTV is being used

  3. Controlling who is accessing CCTV footage

  4. Implementing data retention policies, including deleting footage when it is no longer required

  5. Making CCTV video surveillance compliance policies available

You can find out more in our guide to video surveillance best practices.

Understanding Personal Data Under the GDPR

The General Data Protection Regulation (GDPR) was introduced in the EU in 2016 and became enforceable on May 25, 2018. It aims to give individuals greater control over their personal data while establishing clearer guidelines for businesses handling such information.

What Qualifies as Personal Data?

Under the GDPR, personal data refers to “any information related to an identified or identifiable natural person.” This includes any data that can directly or indirectly identify an individual, whether on its own or combined with other information. Examples of personal data include:

  • Basic identifiers
    Names, addresses, phone numbers and email addresses

  • Official identification numbers
    Social Security, passport or driver’s licence numbers

  • Location data
    GPS coordinates, IP addresses

  • Biometric and genetic data
    Fingerprints, facial recognition, DNA

  • Health-related information

  • Sensitive personal data
    Political views, religious beliefs, trade union membership

Even seemingly harmless details, like website cookies, social media activity and audio/video recordings, may be considered personal data if they contribute to identifying an individual.

Who Must Comply with the GDPR?

The GDPR applies to any organisation processing the personal data of EU and UK residents, regardless of where the company is based. This includes:

  • Businesses inside the EU that collect or process personal data

  • Businesses outside the EU that offer goods/services to EU residents or monitor their behaviour

  • Data controllers, who determine how and why personal data is processed

  • Data processors, who handle data on behalf of controllers (e.g., vendors)

Failure to comply can result in severe penalties. Some exemptions exist for personal or household activities and cases involving freedom of expression, but most organisations handling EU and UK residents' data must comply.

Who is Responsible for GDPR Compliance?

GDPR compliance involves multiple stakeholders within a company. The Data Protection Officer (DPO) oversees privacy operations if required, particularly for businesses handling sensitive or high-risk data. However, ultimate responsibility lies with data controllers, who must ensure compliance, even when outsourcing data processing to third-party vendors.

Organisations with joint controllership share responsibility for handling personal data, requiring clear agreements on compliance. Beyond legal obligations, adhering to GDPR standards builds trust with customers and strengthens brand reputation.

ICO Security Advice

The ICO offers 11 practical ways to keep your IT systems safe and secure.

1. Back up your data

2. Use strong passwords and multi-factor authentication

3. Be aware of your surroundings

For example, if you’re on a train or in a shared workspace, other people may be able to see your screen. A privacy screen might help you.

4. Be wary of suspicious emails

You and your staff need to know how to spot suspicious emails. A phishing email could appear to come from a source you recognise.

5. Install anti-virus and malware protection

6. Protect your device when it’s unattended

7. Make sure your Wi-Fi connection is secure

8. Limit access to those who need it

9. Take care when sharing your screen

10. Don’t keep data for longer than you need it

Getting rid of data you no longer need means you have less personal information at risk if you suffer a cyber-attack or personal data breach.

11. Dispose of old IT equipment and records securely

You must make sure no personal data is left on computers, laptops, smartphones or any other devices before you dispose of them.

Potential gap in CCTV capabilities 2024-25

A report by the Centre for Research into Information Surveillance and Privacy (CRISP) warns that the UK government’s plan to abolish biometrics and surveillance safeguards will create a dangerous oversight gap. If the Data Protection and Digital Information Bill passes, key roles of the Biometrics and Surveillance Camera Commissioner (BSCC) will be lost, including reviewing police use of biometrics and maintaining surveillance standards. Experts fear this will weaken accountability amid rising AI-driven surveillance technologies.

CCTV and GDPR – Frequently Asked Questions (FAQ)

What is GDPR and how does it relate to CCTV use?

The General Data Protection Regulation (GDPR) is a legal framework that governs the collection, processing, and storage of personal data in the EU. Since CCTV footage can identify individuals, it is classified as personal data under GDPR, meaning organisations must handle it lawfully, transparently and securely.

What are the key data privacy concerns associated with CCTV?

Privacy concerns include excessive surveillance, lack of consent, unclear data retention policies and inadequate security measures. Organisations must ensure that CCTV use is necessary, proportionate and does not infringe on individuals’ rights, such as recording in private areas without justification.

How can businesses ensure compliance with GDPR when using CCTV?

To comply with GDPR, businesses should:

  • Conduct a Data Protection Impact Assessment (DPIA) if surveillance poses risks

  • Display clear signage informing individuals of CCTV use

  • Limit recording to legitimate purposes and store footage securely

  • Restrict access to authorised personnel only

  • Establish a retention policy and delete footage when no longer needed

What rights do individuals have regarding their data captured by CCTV?

Under GDPR, individuals have the right to:

  • Be informed about CCTV usage

  • Request access to their recorded footage (subject to certain conditions)

  • Request deletion of footage if unlawfully recorded (Right to Erasure)

  • Object to processing in certain circumstances

  • Report misuse to data protection authorities

Organisations that fail to comply with GDPR can face fines of up to €20 million or 4% of their global annual revenue, whichever is higher. Non-compliance may also result in legal action, reputational damage and enforcement measures by data protection authorities.

Yes, CCTV footage can be used as evidence in legal cases if it has been obtained lawfully and stored securely. Organisations must ensure the footage has not been tampered with and that its collection and processing comply with GDPR requirements, including redaction when required.

Efficient solutions for video redaction compliance

Identity Cloak enables organisations to mask the identities of all but the data subject and/or persons of interest in minutes. Our auto redaction software provides the ideal solution to meet strict deadlines and reduce the high costs of outsourced editing services or lengthy manual processes. It can also redact in real-time, so operators cannot view confidential or private information.

Visit our CCTV anonymisation software to protect personal privacy page to find out more.