CCTV surveillance is commonplace across workplaces – from office lobbies to warehouses and retail stores. But did you know that every second of CCTV footage captured is regulated under the UK and EU GDPR General Data Protection Regulation?
That’s because the GDPR applies to any personal data that can identify an individual – and that includes video recordings and images, not just written information. Improper handling of this footage can result in significant legal and financial consequences.
In this 2025 guide, we’ll walk you through:
- How the GDPR applies to workplace CCTV systems
- What your legal responsibilities are
- The critical steps you must take to remain compliant
1. Make it clear that CCTV is in use
Transparency is one of the seven core principles of the GDPR. You must inform individuals when and why they’re being recorded.
What you need to do:
- Post clear signage at all entrances and monitored zones. Use wording such as:
“CCTV in operation for safety and security purposes.” - Include a link or contact for further privacy details on the sign.
- In your privacy notice, explain that workplace CCTV is in use, what it monitors, and why.
If you fail to provide this information, individuals cannot exercise their rights (e.g. requesting access to their footage), and your surveillance may be considered unlawful under Articles 5 and 13 of the GDPR.
2. Document a lawful basis for using CCTV
Under Article 6 of the GDPR, every data processing activity – including video recording – must have a lawful basis.
Common lawful bases for CCTV in the workplace:
- Legitimate interests – e.g. crime prevention, security, or protecting property
- Compliance with legal obligations – e.g. health and safety monitoring
- Vital interests – e.g. emergencies affecting employee safety
Best practice in 2025:
Include your lawful basis on all signage and in your documentation. If monitoring employees, legitimate interests may be acceptable, but you must balance it against the individual’s privacy rights using an LIA (Legitimate Interests Assessment).
For example:
“CCTV is used in this area to ensure employee safety and prevent unauthorised access. Our use of CCTV is based on our legitimate interests, balanced against employee rights.”
3. Limit access to CCTV footage
CCTV footage is classified as personal data and access should be strictly controlled.
You must:
- Store digital recordings on encrypted, access-controlled systems.
- Restrict access to authorised individuals only (e.g. security staff, HR, management).
- Log who accesses footage, when, and for what purpose.
- Secure physical tapes or drives in locked environments.
In 2025, regulators increasingly expect encryption and RBAC (role-based access controls) as part of the appropriate technical and organisational measures required by Article 32 of the GDPR.
4. Establish and enforce a retention policy
You cannot retain CCTV footage indefinitely. The GDPR requires that personal data is only kept for as long as necessary for its original purpose.
What this means in practice:
- Define retention periods (e.g. 7–14 days for general footage, longer for incident investigations).
- Automate deletion where possible.
- Document your policy in a data retention schedule or CCTV policy.
Storing footage “just in case” is not a valid justification under GDPR.
5. Conduct a DPIA before installing CCTV
A DPIA (data protection impact assessment) is mandatory when processing is likely to result in a high risk to individuals’ rights and freedoms – and that includes the systematic monitoring of public or workplace areas.
A DPIA will help you:
- Evaluate the necessity and proportionality of CCTV
- Identify risks to employee and visitor privacy
- Design safeguards (like masking or limited retention)
Without a DPIA, your CCTV programme could be deemed non-compliant under Article 35 of the GDPR.
6. Be ready for DSARs (data subject access requests)
Anyone recorded on CCTV – including employees, contractors, and visitors – can request access to footage that features them.
You must:
- Respond within one month (extendable to 3 months for complex cases).
- Provide footage in a secure, accessible format (e.g. MP4).
- Redact third parties or use video masking tools where others are visible.
In 2025, DSARs involving CCTV footage are on the rise, and failure to comply has led to fines and enforcement notices across the UK and EU.
Enforcement example: CCTV fine for non-disclosure
One of the first GDPR-related CCTV penalties was issued to an Austrian retailer for failing to inform people that surveillance cameras were operating outside its premises. The organisation was fined €4,800 (about £4,000) for breaching transparency obligations.
While the fine was relatively modest, the reputational damage and investigation costs were far more significant. Regulators across Europe and the UK have since stepped up their enforcement around workplace surveillance.
Your CCTV compliance checklist for 2025
- Post visible signage with purpose and contact details
- Identify and document a lawful basis
- Limit access and log all views or exports
- Define a clear retention period and automate deletion
- Conduct a DPIA before any new camera installation
- Prepare for DSARs with redaction capability
- Include CCTV information in your privacy policies and internal training
The penalties for non-compliance
Those looking for help meeting their surveillance requirements should consider our CCTV Data Protection Policy templates.
Developed by our team of data protection experts, this set includes comprehensive guidance to help you create and document a surveillance system that meets the GDPR requirements.
It contains everything you need to know about:
- Why your organisation requires CCTV surveillance and how to use these systems appropriately;
- How surveillance should be considered according to laws, regulations, codes of practice and standards;
- What elements of privacy will need to be considered before using CCTV surveillance;
- How to store and process CCTV records in accordance with the GDPR’s data processing principles;
- Advertising CCTV systems and recording on your premises;
- Selecting surveillance systems and outsourcing partners; and
- Assigning roles and responsibilities regarding CCTV
A version of this blog was originally published on 3 October 2019.
The post CCTV and the GDPR in 2025: What Employers Must Know appeared first on IT Governance Blog.
