Note: This article provides general information about CCTV and data protection obligations for businesses. It is not legal advice. For specific guidance on your GDPR obligations, contact the Information Commissioner's Office (ICO) or a qualified data protection solicitor.
If your business operates a CCTV system that captures images of people, it almost certainly falls under UK GDPR. This applies whether you run a retail shop in Belfast, a warehouse in Lisburn, a farm in Fermanagh, or any other business across Northern Ireland.
CCTV footage is personal data under UK GDPR because it can be used to identify individuals. As the operator, you are the data controller and you have specific obligations.
Lawful Basis for Operating CCTV
You need a valid lawful basis for processing personal data through CCTV. For most business CCTV systems, the appropriate basis is legitimate interests: you have a genuine, legitimate reason for operating the cameras (security, theft prevention, safety, insurance evidence) that outweighs the privacy interests of the people being recorded.
You should document this. A brief legitimate interests assessment (LIA) that sets out why you are using CCTV, what you are trying to achieve, and why less intrusive alternatives are not practical is sufficient for most small businesses.
Signage
You must let people know they are being recorded. The ICO requires CCTV signage that is visible before people enter the area being recorded. Signs should be clear and readable, and should include:
- The fact that CCTV is in operation
- Who the data controller is (your business name)
- Contact details or a way to find out more about the system
For most businesses, a standard CCTV warning sign with your business name and contact details satisfies this requirement. Signs should be at entry points and at the locations of cameras covering areas where the public or staff are present.
Retention Periods
You should not keep CCTV footage for longer than is necessary for the purpose it was collected. For most businesses, 28 to 31 days is the standard retention period. This covers the typical window within which an incident would be reported or investigated.
If footage is needed for a specific purpose (an ongoing investigation, an insurance claim, a police request), it can be retained for longer while that purpose applies. Once the purpose is resolved, the footage should be deleted.
Modern IP NVR systems can be configured to overwrite footage automatically after a set retention period. This is the easiest way to comply with the retention requirement without manual intervention.
Subject Access Requests
Individuals have the right to request a copy of their own image if they appear in your CCTV footage. This is a Subject Access Request (SAR). You have one month to respond. If you receive a SAR:
- Preserve the relevant footage immediately so it is not overwritten
- Provide a copy of the footage to the person making the request
- Redact or blur any other individuals who appear in the footage, as their data is not being released
- Do not charge a fee for the first request unless it is manifestly unfounded or excessive
Camera Placement
Cameras should be positioned to cover your own premises and not film private property (a neighbour's garden, a private road, a neighbouring building). Filming areas beyond your boundary without justification can create compliance issues.
Internal cameras in sensitive areas (toilets, changing rooms) are not permitted. Cameras in staff areas such as offices and warehouses are generally permissible where the legitimate interests basis applies, but you should inform staff that CCTV is in operation in those areas.
Privacy Policy and Documentation
If you have a website or public-facing documentation, a brief note in your privacy policy about your CCTV system is good practice. For businesses subject to more formal data protection requirements (such as those processing significant volumes of personal data), a full data protection impact assessment (DPIA) may be appropriate.
For most small businesses with a straightforward security CCTV system, the practical requirements are: legitimate interests documentation, clear signage, appropriate retention settings, and a process for handling subject access requests.
Further Information
The ICO publishes detailed guidance on CCTV and data protection on its website at ico.org.uk. The guidance is readable and covers most common business scenarios.
CCTV Installation Across Northern Ireland
Drakos Systems installs IP CCTV systems for businesses, farms, warehouses and construction sites across Northern Ireland. Free site surveys. Network-isolated cameras. Remote viewing configured on installation.