On May 25th 2018 GDPR (General Data Protection Regulation) came into full force replacing and enhancing the 1998 Data Protection Act. say that “Companies covered by the GDPR are accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.”

So how is the commercial operation of CCTV effected?

Images captured by CCTV are considered to be personal data under the new GDPR rules. Whether that CCTV just covers business premises or if it overlooks public areas. GDPR requires data users to inform people at the point of capturing their information.

For CCTV images this means putting up clear notices explaining that images are being captured wherever there are cameras present. It is also required to explain why CCTV is being used.

Photo Credit:

Failure to do so can result in some hefty fines as one business learnt earlier this year.

Back in July 2018, Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, broke data protection laws by failing to comply with an Information Notice and were subsequently prosecuted for failing to alert people to its use of CCTV, for failing to register with the ICO and for failing to comply with an Information Notice.

Any organisations and sole traders (with few exemptions) that process personal data must pay an annual data protection fee to the UK regulator, the Information Commissioners Office (ICO). If fees are not paid then the business  does not appear on the public register.

Aside from giving clear usage notice and paying the due fees here are 3 other ways to make sure that CCTV operation is GDPR compliant.

1.       Control access to CCTV images, so no footage/images can be leaked

2.       Train staff with access to CCTV images and keep an up to date log of training

3.       Delete the CCTV footage you no longer need


To find out more about GDPR and how it can affect you visit