CCTV is one of the most useful tools a small business has. It deters theft, it captures evidence, it backs up insurance claims, and it gives staff and customers confidence that the premises are watched. What it also does, the moment it captures a recognisable image of a person, is bring the business into the scope of UK data protection law — UK GDPR and the Data Protection Act 2018, together with the changes introduced by the Data (Use and Access) Act 2025.
For a small shop, café, garage, warehouse, dental practice or office, this catches people by surprise. There is no "small business exemption" from the rules. A four-camera DVR over the back door of a Chichester corner shop has the same fundamental obligations as a fifty-camera estate at a hotel — different in scale, identical in principle. The good news is that the obligations are well-defined, the Information Commissioner's Office (ICO) publishes plain-English guidance, and getting compliant doesn't have to be complicated. The bad news is that almost every small business gets at least one element of it wrong.
Cameras Are Brilliant. Compliance Is Mandatory.
UK CCTV is governed by the same data protection rules as any other personal data. Here's what every small business with cameras has to comply with — in plain English.
This article is general information, not legal advice. UK data protection law is enforced by the Information Commissioner's Office and continues to evolve under the Data (Use and Access) Act 2025. Always check the latest guidance at ico.org.uk and, for complex setups, consult a qualified data protection adviser.
Why CCTV Is In Scope Of Data Protection Law
UK GDPR applies to any "processing" of "personal data" — and a CCTV recording that captures a recognisable individual is exactly that. The moment a camera is switched on and pointed at a doorway, customer area, car park or staff space, the business operating it has become a "data controller" with a defined set of legal duties.
Three things follow from that, and they're the things small businesses most often miss:
The "domestic exemption" does not cover business use. A homeowner with a doorbell camera pointed only at their own driveway is broadly exempt — but only narrowly, and recent case law (Fairhurst v Woodard) has tightened that further. A business is never exempt.
"Small" is not a defence. The Data Protection Act applies to a sole trader with one camera and to a hotel with fifty. The Information Commissioner's Office expects proportionate compliance — but not the absence of compliance.
Outsourcing the cameras doesn't outsource the responsibility. If a monitoring company watches your footage, you remain the data controller. They are your data processor — and you need a written data processing agreement to evidence that relationship.
"If your cameras are good enough to identify a thief, they're good enough to bring you under UK GDPR. The same image that protects your business is the personal data that obliges it."
The Core Obligations Every Business With CCTV Must Meet
Different setups carry different obligations, but the spine of compliance is the same across UK small businesses. These are the items the ICO will expect to see in place if it ever audits a complaint.
Lawful basis for processing
You must identify and document a lawful basis under UK GDPR before you switch a camera on. For most small businesses, this is legitimate interests (preventing crime, protecting staff, evidencing incidents). You must record a legitimate-interests assessment that shows you considered the purpose, the necessity and the impact on people's privacy. Some uses — for example workplace monitoring — may need a different or additional basis.
Transparency and signage
The public must know they're being recorded, by whom, and why. Clear, visible signage at each entrance and within the monitored area is the baseline. The signs must name the controller (your business), state the purpose of the recording, and give a contact point for further information. "CCTV in operation" on its own is no longer sufficient under UK GDPR.
Proportionality and necessity
You can only capture what is necessary for the stated purpose. Cameras pointed at neighbours' gardens, public pavements beyond what's needed, or staff break rooms where the purpose is unclear all fail this test. Audio recording carries a particularly high bar — most small businesses cannot justify it.
Retention
Footage must be kept only as long as necessary. For routine crime prevention, the ICO and industry practice settle around 30 days as a typical maximum. Longer retention is possible if it's specifically justified for a defined purpose (an ongoing investigation, a contested insurance claim). Indefinite retention is not.
Security and access
Recordings must be stored securely. Access should be limited to named individuals who need it. DVRs and cloud accounts should be password-protected, ideally with multi-factor authentication. USB exports, phone recordings of monitor screens and unencrypted backups are all common points of breach.
Subject access requests (SARs)
Any individual captured on your CCTV has the right to request a copy of footage that contains their image. You generally have one calendar month to respond. You can refuse only on narrowly defined grounds, and you must redact other identifiable people from the supplied footage. This is the obligation small businesses most often discover by accident.
ICO registration and the data protection fee
Unless you fall under one of a narrow set of exemptions, you must register with the Information Commissioner's Office as a data controller and pay the annual data protection fee. The fee starts from around £40 for the smallest businesses and rises with size and turnover. Failure to pay is itself an enforcement matter.
DPIA for higher-risk processing
A Data Protection Impact Assessment is required where the processing is likely to result in high risk — for example systematic monitoring of a public area, large-scale workplace surveillance, or use of facial recognition. Most small-business CCTV is not high-risk, but if any of those features apply, the DPIA is mandatory.
Anatomy Of A Compliant Small-Business CCTV Setup
Compliance is a sequence, not a single act. Here's the order to do it in.
Justify
Document why you need cameras, what they're capturing, and which lawful basis you're relying on. Keep the assessment in writing.
Register
Pay your annual ICO data protection fee and name a person responsible for CCTV compliance inside the business.
Notify
Put up clear signage at every entrance and inside the monitored area — naming the controller, the purpose and a contact point.
Secure
Lock down access. Strong passwords, MFA, limited user accounts, encrypted backups, no shared logins, no USB sticks left in the DVR.
Review
Set a retention period, audit signage and access annually, refresh your DPIA when anything material changes — and act on SARs within the month.
The Penalty Range Is Genuinely Serious
UK data protection fines run up to £17.5 million or 4% of global annual turnover, whichever is higher. In practice, small-business enforcement is more usually advisory notices, enforcement notices and reputational fallout rather than maximum fines — but the regulator has, and uses, real teeth. The most expensive part of getting CCTV wrong is rarely the fine; it's the SAR you can't respond to, the claim you can't defend and the customer complaint that escalates.
Common Mistakes Small Businesses Make
The same handful of issues show up time after time when small businesses are audited or hit with a complaint. Worth knowing before you're the one doing the explaining.
"We have a sign — that's compliance."
A "CCTV in operation" sign is the beginning of compliance, not the end. Without a documented lawful basis, retention policy, access controls and SAR procedure behind it, the sign on its own is decorative.
Cameras capturing the street, neighbours or other businesses
Cameras that overlook the public pavement well beyond your premises, neighbouring gardens or other businesses' frontages are routinely the source of complaints — and a clear proportionality problem.
Audio recording without thinking about it
A number of modern systems record audio by default. Audio capture carries a much higher bar of justification under UK data protection law than video — and most small businesses cannot meet it. Switch it off unless you have a specific, documented reason.
Footage kept "in case we need it"
Indefinite retention is one of the most common breaches. Pick a defined period, set the system to auto-overwrite, and document the reasoning. Anything longer than 30 days should be justified case by case.
Sharing footage informally
Sending CCTV clips to a customer's WhatsApp, a landlord, a journalist or even Facebook without a clear lawful basis and SAR-compliant redaction is one of the easier ways to land in front of the ICO. Footage shared with police is a separate, defined regime — and should be evidenced on a formal request.
Forgetting the ICO fee
Small businesses regularly let the annual fee lapse, particularly after a change of ownership or accountant. The ICO actively chases this, and unpaid fees attract their own penalties.
Standard CCTV Setup vs Compliant CCTV Setup
Here's how the two compare across the obligations a small business has to meet.
Six Pillars Of CCTV Compliance For A Small Business
Whether you operate a corner shop or a multi-site warehouse, the building blocks are the same. These are the components we help clients put in place alongside our wider security services.
Lawful Basis Documented
A clear, written legitimate-interests assessment for every camera — why it's there, what it captures and how the privacy impact has been weighed.
Compliant Signage
Visible, ICO-style signage at entrances and within the monitored area — naming the controller, the purpose and how to contact you.
Proportionate Camera Placement
Cameras pointed at what they need to be pointed at — not at neighbours, pavements or staff areas where the purpose can't be defended.
Defined Retention & Secure Storage
A written retention policy, automatic overwrite, encrypted storage and MFA on accounts — the practical controls behind the principles.
SAR-Ready Procedure
A documented process for receiving, validating and responding to subject access requests within the month — with redaction where required.
ICO Registration & Processor Agreements
Annual ICO fee paid, a named person responsible for CCTV inside the business, and a written agreement with anyone monitoring or hosting your footage.
The Small-Business CCTV Compliance Checklist
Use the following as a working checklist. If a business can answer "yes" to all of it, it is on solid ground if a complaint or audit ever lands.
1 · Pay your ICO data protection fee — every year
Register with the Information Commissioner's Office and pay the annual fee. Set a calendar reminder. The fee starts from around £40 and is one of the simplest ways to demonstrate the business takes its obligations seriously.
2 · Document your lawful basis
Write a one-page legitimate-interests assessment for each location or camera group. Cover the purpose, the necessity test and the balancing exercise with people's privacy. Keep it on file.
3 · Put compliant signage at every entrance
Controller name, purpose, contact detail. Visible, readable, not behind a plant. Update it whenever the controller changes.
4 · Set a retention period and stick to it
Typically 30 days unless there is a defined reason to keep footage longer. Configure the DVR or platform to auto-overwrite. If a specific incident requires preservation, copy that clip out of the loop with a documented justification.
5 · Lock down access
Strong, unique passwords. MFA on cloud accounts. Named user accounts rather than shared logins. A log of who has access and when it was last reviewed.
6 · Be ready for a Subject Access Request
Have a written procedure for receiving, verifying and responding to SARs within one month. Know how to redact third parties from any footage you supply.
7 · Run a DPIA if anything is higher-risk
Systematic monitoring of public spaces, workplace surveillance, facial recognition or biometric capture all push you into DPIA territory. Use the ICO's published template as a starting point.
8 · Get a data processing agreement with anyone watching your footage
If a security or monitoring provider has access to your CCTV — including any of our key holding and alarm response services that involve CCTV access — you need a written data processing agreement. We provide ours as standard.
9 · Review the whole thing every year
Cameras get moved. Businesses change shape. The annual review is when you catch drift before it becomes a complaint.
How Advance Guarding Helps Small Businesses Stay Compliant
We're not a law firm — for the regulatory detail, the right starting points are the Information Commissioner's Office at ico.org.uk and, where the setup is complex, qualified legal advice. What we do bring to small-business CCTV is the practical operational side: properly proportioned camera placement during a site survey, signage and retention guidance built into the contract, MFA-protected monitoring on every account, and written data processing agreements as standard with every client.
That covers the day-to-day reality of running a compliant CCTV setup alongside your wider security cover — manned guarding, mobile patrols, key holding and alarm response, and the rest — across Sussex, Northamptonshire and the wider UK.
CCTV is one of the best investments a small business can make in its own protection. Done right, it pays back many times over. Done wrong, it creates the second risk it was supposed to solve.
Want A CCTV Setup That's Compliant From Day One?
Book a free site survey with our team. We'll walk the building, advise on proportionate camera placement, the signage you need, the retention policy that fits your business, and the operational controls that keep your CCTV doing its job — without creating a data protection problem of its own.