Business CCTV and the ICO: A 2026 Compliance Guide for UK Businesses

CCTV is one of the most widely used security technologies in UK business, and also one of the most frequently misunderstood in compliance terms. Many small businesses install cameras without a clear view of what the Information Commissioner's Office (ICO) actually expects, and only discover the gaps when a subject access request lands or a complaint is made.

This guide sets out what the ICO expects from UK business CCTV operators in 2026, what the UK GDPR and Data Protection Act 2018 require in practice, and the most common compliance mistakes we see when we survey businesses across Essex and Greater London.

When CCTV Becomes a Data Protection Issue

CCTV footage that captures identifiable people is personal data under the UK GDPR. That applies whether the camera is on a high street shop, a warehouse loading bay, an office reception, or a private car park used by staff and visitors. As soon as you are capturing images of identifiable individuals, your business becomes a data controller for that footage and the full body of UK data protection law applies.

There is a narrow household exemption for purely domestic use, but it does not apply to businesses, landlords of rental property, or the commercial areas of mixed-use premises. For any SME installing CCTV for security, stock protection, or workplace monitoring, compliance is not optional.

The Five Things the ICO Expects You to Have

Based on current ICO guidance, any business operating CCTV should be able to produce the following on request:

1. A documented lawful basis for the processing, usually "legitimate interests" for security purposes, with a written legitimate interests assessment explaining why the business need outweighs the privacy impact on individuals captured.
2. A Data Protection Impact Assessment (DPIA) where the CCTV is large-scale, monitors a publicly accessible area, or captures areas where people have a higher expectation of privacy (staff-only areas, welfare facilities, and so on).
3. Signage that tells people they are being recorded, who the operator is, and how to contact the operator. The signage must be clearly visible before a person enters the monitored area, not after.
4. A retention policy with a defined maximum retention period. Footage should be held only as long as necessary for the stated purpose and then deleted. For most retail and office applications, 30 days is a common ceiling.
5. A documented process for handling subject access requests, so that when a member of the public or an employee asks for footage of themselves, the business can respond within the statutory one-month deadline.

None of this is exotic. It is standard operational documentation that any business can produce with a small amount of preparation.

CCTV Signage: What It Must Say

The ICO is specific about signage. At minimum, every sign should state:

• That CCTV is in operation.
• The purpose of the CCTV (for example, "for crime prevention and the safety of staff and customers").
• The name of the operator (the business name).
• Contact details for enquiries, typically an email address or phone number.

Signs should be placed at every entrance to a monitored area and be legible from a normal approach distance. A single small sticker by the front door is not sufficient for a shop with multiple entrances, a yard, and a back office. In practice, we recommend a dedicated CCTV notice at each pedestrian entry point and at any staff-only door where internal cameras begin.

Retention: How Long Can You Keep Footage?

There is no statutory maximum retention period for CCTV in UK law. The UK GDPR principle of storage limitation requires that footage is kept for no longer than necessary for the purposes it was collected. In practice, the ICO expects controllers to set a retention ceiling and justify it.

Common benchmarks:

• 7 days for low-risk sites where the purpose is purely live deterrence.
• 28 to 31 days for general retail, hospitality, and office environments. This is by far the most common figure we see.
• 60 to 90 days for higher-risk sites or where incident investigation timelines justify a longer period.

Retention longer than 90 days needs a specific documented justification. "We might need it one day" is not enough. A modern digital recorder will automatically overwrite old footage on a rolling basis, so setting retention is usually a matter of configuring the recorder correctly at commissioning.

Covert CCTV, Audio, and Workplace Monitoring

Three high-risk areas trip up small businesses more than any others:

1. Covert cameras. Hidden cameras aimed at staff or customers without their knowledge are almost never lawful and require a very specific, documented basis. If you are considering covert CCTV for a suspected theft investigation, take legal advice first. Do not install covert cameras as a default measure.
2. Audio recording. CCTV that also records audio is significantly more intrusive than video alone and is very rarely justified in a business context. Most commercial CCTV systems should have audio recording disabled unless there is a very specific, documented reason to enable it on a particular camera.
3. Staff monitoring. Cameras pointed at workstations, break rooms, or welfare facilities require a DPIA, clear employee communication, and usually a consultation with affected staff. The ICO has been increasingly active on workplace monitoring complaints, and employment tribunals have awarded damages in cases where monitoring was excessive or poorly disclosed.

Responding to a Subject Access Request

Any individual captured on your CCTV has the right to request a copy of the footage that contains them. Once you receive a valid request, you have one calendar month to respond. In most cases you will need to:

• Verify the requester's identity.
• Ask for enough information to locate the footage: approximate date, time, and location.
• Retrieve the relevant footage from the recorder.
• Redact or blur any third parties visible in the footage who have not consented to disclosure.
• Provide the footage in a commonly used format, usually MP4 on a USB stick or via secure download.

The redaction step is the most technically difficult and is where many businesses trip up. If your CCTV system or software does not support masking of third parties, you may need to use a separate redaction tool or engage a specialist. A good installer can advise on this at the design stage.

Common Compliance Mistakes

When we survey business CCTV across Essex and Greater London, these are the issues we see most often:

1. No signage, or signage that does not name the operator.
2. Cameras covering the public pavement or neighbouring property when they do not need to.
3. Recording audio by default on every channel without any business justification.
4. Retention set to "indefinite" on the recorder because no one configured it at commissioning.
5. No written policy and no named person responsible for CCTV data.
6. Staff unaware of what to do if someone requests their own footage.
7. Old systems still in service where the operator has no way to extract footage without the original installer, who is no longer trading.

Most of these are fixable in a single visit. A CCTV compliance review takes a couple of hours and produces a short action list covering signage, configuration changes, and policy documents. For most SMEs this is a far smaller exercise than they expect.

How J&L Security Helps Businesses Stay Compliant

At J&L Security, every commercial CCTV installation we carry out includes compliance considerations as part of the design. We recommend camera positioning that avoids unnecessary capture of neighbouring property and public areas, set appropriate retention periods on commissioning, disable audio by default, supply initial ICO-compliant signage, and provide a written commissioning pack that forms the basis of your internal policy.

We also review existing systems for businesses that inherited their CCTV from a previous installer or tenant. If you are unsure whether your system meets ICO expectations in 2026, a review is the cheapest way to find out.

To arrange a free CCTV survey or compliance review for your business, contact us or call 0204 538 5925. Read more about our CCTV installation services or explore our full range of business security services.

This article is general guidance based on ICO publications and is not a substitute for legal advice. For specific compliance questions, consult a qualified data protection professional or the ICO directly.