CCTV and GDPR: What organisations get wrong

Blog overview

This blog explores some of the most common compliance mistakes organisation can make when using CCTV in the workplace and explains how to avoid them. 

Under the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), CCTV footage is considered personal dataInformation which relates to an identified or identifiable natural person. if individuals can be identified. It means employers must follow strict rules when collecting, using, or sharing surveillance footage at work. 

To use CCTV responsibly and stay compliant, employers should focus on these important areas, each explained in more detail in the blog: 

• Choosing a lawful basis 
• Considering necessity and proportionality   
• Conducting a Data Protection Impact Assessment (DPIA)  
• Ensuring transparency with staff and visitors
• Implementing a CCTV policy
• Restricting access to the footage 
• Sharing CCTV footage  

Common CCTV question answered:

Can employers use CCTV in the workplace?
Yes, but only if it is necessary, proportionate, and clearly explained to staff through signage and privacy notices. 

What lawful basis should organisations use for CCTV?
Legitimate Interests is usually the best fit. See the section Choosing a lawful basis for more information. 

What should a CCTV policy include?
A robust policy should cover the purpose of the system, where cameras are used, who manages it, who can view footage, how long it’s stored, and how it’s protected. 

Who can access CCTV footage?
Only authorised individuals with a valid reason. 

Can CCTV footage be shared externally?
Yes, but only when it is lawful, necessary, and proportionate, taking care to protect others’ identities.

CCTV and GDPR: What organisations get wrong

Choosing a lawful basis

Organisations must identify an appropriate lawful basisIn the event of processing personal data, an appropriate rationale in order to process personal data. for processing personal data captured on CCTV systems. There are six lawful bases available (ConsentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed., Contract, Legal Obligation, Vital Interests, Public Task, Legitimate InterestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.), but not all are suitable for workplace surveillance. 

While Consent may seem like the obvious choice, it is usually inappropriate in the workplace due to the power imbalance between employer and employee. Under GDPR, consent must be freely given, informed, and easily withdrawable – conditions rarely met in an employment context. 

In most cases, Legitimate Interests is the most suitable lawful basis for workplace CCTV. This allows organisations to processA series of actions or steps taken in order to achieve a particular end. data if it is necessary for a specific purpose, such as protecting staff, property, or preventing crime. 

To rely on Legitimate Interests, you must complete a Legitimate Interests AssessmentAn assessment that used to demonstrate whether not processing is necessary in the legitimate interests and does not prejudice the data subject’s interests, rights and freedoms. (LIA) and demonstrate that: 

• You have a clear and valid purpose 

• CCTV is necessary to achieve that purpose 

• The impact on individuals’ privacy is proportionate and justified 

The LIA will help you determine if this legal basis applies, whilst demonstrating your compliance with the GDPR’s AccountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. principle. 

Read the Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. or the European Data Protection Board guidance to find out more.  

Considering necessityThe purpose of the personal data processing activity must not be able to be achieved by a less intrusive method. and proportionalityA balance must be struck between the means used and the intended aim to ensure that a processing activity is proportionate.

Before installing any new CCTV system, or adding cameras to an existing one, organisations must assess whether the use of surveillance is necessary and proportionate.  

• Necessity means asking whether surveillance is genuinely required to achieve your aim, such as preventing theft or protecting staff safety 

• Proportionality means checking if there are less intrusive ways to achieve the same result 

To help answer these questions, organisations should carry out a Legitimate Impact Assessment (LIA). This will guide you by prompting the right questions about the processing, helping you to explore whether surveillance is appropriate, considering how individuals might feel about being recorded, and decide whether the benefits outweigh the privacy risks. 

If you can meet your purpose through alternative methods, such as better lighting, physical barriers, or employee training, then CCTV may not be justifiable. Surveillance should always be a last resort, particularly in workplaces and locations where staff expect a reasonable degree of privacy. 

Failure to consider these questions at the outset makes it difficult to later defend the use of CCTV if you are challenged by individuals or a regulatory authority. 

Conducting a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project.

If you decide that CCTV is necessary and proportionate, the next step is to conduct a Data Protection Impact Assessment (DPIA). This is a key requirement under the GDPR and is strongly recommended by regulators such as France’s CNIL, Germany’s BfDI, Ireland’s DPC, and the UK’s Information Commissioner’s Office before installing any CCTV system. 

A DPIA will help you: 

• Demonstrate compliance with the GDPR’s Accountability principle 
• Justify the necessity and proportionality of your planned surveillance 
• Assess the impact on the data subjectAn individual who can be identified or is identifiable from data. captured by the system, including identifying and mitigating any risks 

It should clearly outline the purpose of monitoring, who will be recorded, the potential risks to individuals’ rights, and how those risks will be mitigated (for example, by limiting recording areas, restricting access, or setting appropriate retentionIn data protection terms, a defined period of time for which information assets are to be kept. periods). 

A properly completed DPIA will also support your decision to rely on Legitimate Interests and, if conducted properly, will also fulfil the requirements of completing an LIA.  

For help conducting a DPIA for CCTV use, read the ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). or EDPB guidance.  

Ensuring transparency with staff and visitors

Under the GDPR, employers must meet fairness and transparency requirements. This means, employees need to know when and why they are being recorded. This can be achieved through employee privacy notices, explaining the purposes for monitoring and individuals’ rights, alongside signage displayed prominently at CCTV entry points and within monitored areas. 

CCTV signage should: 

• Clearly state that surveillance is in operation 
• Identify the organisation responsible for the system 
• Explain the purpose of monitoring 
• Provide contact details for further information 

If individuals are unaware that they are being recorded, the processing is unlikely to be lawful, even if you have a legitimate interest.  

Implementing a CCTV policy

If you proceed with CCTV, you must also implement a CCTV policy that governs its use. Having a clear policy and applying it consistently is essential for meeting the GDPR’s Accountability requirements. 

The policy should clearly set out: 

• Purpose: Why the system is in operation and how it supports organisational aims 
• System details: The number of cameras, their locations, and hours of operation 
• Management: Who is responsible for the system, who can access footage, how access will be controlled, and what security measures are in place 
• Retention: How long footage will be stored, where it will be kept, and how it will be securely deleted 

Staff must be trained on the use of the system and must read the CCTV policy to understand their responsibilities.  

Restricting access to CCTV footage

Under the GDPR, CCTV footage must only be accessed by individuals with a legitimate need, such as security personnel or HR staff investigating a specific incident.  

Access controlsA series of measures (either technical or physical) which allow personal data to be accessed on a need-to-know basis. should be in place, including: 

• Password-protected systems 
• Clear access logs recording who accessed footage and when 
• Regular audits of access permissions 

Staff with access to footage must be trained on how to handle it appropriately, protect its confidentiality, and safely share the data to authorised individuals or organisations. 

Sharing CCTV footage

Organisations may receive requests for CCTV footage from a variety of sources, including the police, insurance companies, or individuals submitting Data Subject Access Requests (DSARs). In all cases, any disclosure must be lawful, necessary, and proportionate. 

To ensure compliance, organisations should have a clear policy for handling such requests. Staff must be trained on the process, access to footage should be logged, and the reasons for any disclosures carefully documented. 

For DSARs, individuals are generally only entitled to access footage showing themselves. If third parties are identifiable, you must either redact the footage to obscure them, obtain the consent of the individuals in the footage to share the data unredacted (often difficult to achieve), or carefully assess the data protection risks before sharing. 

When sharing any footage, you should encrypt and password-protect files to prevent unauthorised access.

Step-by-step guide for handling DSARs

Key takeaways

CCTV can be an effective tool for improving security, but organisations must ensure their use of surveillance complies with data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data.. By carefully considering necessity and proportionality, conducting thorough DPIAs, implementing clear policies, and maintaining transparency with staff and visitors, organisations can minimise risks and meet their GDPR obligations. 

Taking a considered, compliant approach to CCTV not only reduces the risk of regulatory scrutiny but also helps build a culture of trust and accountability across the organisation. 

In case you missed it… 

• White paper: Looking through the lens – A data protection guide to CCTV 
• Live Facial Recognition deployment and data protection compliance 
• Europrivacy certification for GDPR compliance