Commercial CCTV and Data Protection Responsibilities
Planning or upgrading commercial CCTV for a shop, office, school or site in West Yorkshire? Getting images and coverage right is only half the job. As soon as your cameras capture staff, visitors or the public, you take on legal duties under UK GDPR and the Data Protection Act 2018. We’ll cover what to decide before you switch on, how to set the system up properly, and the routines that keep you compliant day to day.
Note: this is practical guidance, not legal advice. If your risks are unusual or high, speak to your data protection officer or legal adviser.
Are you in scope?
If your Commercial CCTV system records people, you are processing personal data, so UK data protection law applies. Most organisations are in scope. If you only use cameras for purely domestic reasons inside a private home, different rules may apply. On business premises, assume you are in scope. Work through the checklist below. For help with system design and compliance, see our commercial services and CCTV services.
Decide before you switch on
Make these decisions first and keep a short record with dates and names.
Purpose and lawful basis for Commercial CCTV
Write down why you need the system. Most private organisations rely on legitimate interests because the aim is crime prevention, safety or incident investigation. Public authorities may rely on public task. Record your decision and the risks you considered.
When is a DPIA required?
If the risk to people is likely to be high, complete a Data Protection Impact Assessment before activation. In commercial settings, common triggers include wide public coverage on shop floors or entrances, monitoring staff beyond basic security, environments with children or vulnerable people, analytics that track behaviour such as people counting or vehicle plate capture and linking CCTV with access control or HR data.
Your DPIA should record your purpose and why CCTV is necessary, a simple map of each camera and what it sees, the main risks, and the controls you will use. Controls typically include privacy masking, clear sign wording and placement, a set retention period with automatic overwrite, role based access with unique logins, secure remote access without port forwarding, and audio left off by default. If significant risk remains after these controls, take specialist advice before you switch on.
Transparency: signage and your privacy notice
People should see a sign before they enter camera range. The sign should say CCTV is in operation, the purpose, the controller, and how to contact you. Place signs at public entrances and other key points. Update your privacy notice so it matches how the system works. Keep a short CCTV policy that explains purpose, retention, access and sharing.
Pay the ICO data protection fee
If you operate commercial CCTV for crime prevention or safety, you will usually need to pay the ICO data protection fee unless an exemption applies. Use the ICO’s fee checker if you are unsure.
Configure your system for compliant operation
Set the system up so day‑to‑day use stays within the rules.
Minimise what you capture
With Commercial CCTV, aim cameras where you need coverage while avoiding spill into public areas that are not relevant. Apply privacy masks for areas you do not need. Keep audio off by default. If you enable it, justify the use and sign the area clearly.
Secure access and connections
Use a strong admin password. Where supported, disable the default admin. Add individual user accounts with the right roles. Enable secure remote access without port forwarding or UPnP. If you want extra hardening, route access through a VPN. Turn on time sync so timestamps are accurate. Enable camera name and timestamp overlays. Keep a short record of who has access.
Set retention and storage
Choose a retention period that suits your purpose. Turn on automatic overwrite so old clips do not remain longer than needed. Many small sites choose fourteen to thirty-one days; some higher risk sites choose longer. Size disks to match the retention you set. Store recorders in a safe, ventilated location with restricted access.
Prove commissioning and handover
Before the commercial CCTV system goes live, capture day and night reference images. Export a short clip to confirm export works. Keep a device list with camera names and locations, recorder model and firmware version, plus a screenshot of the retention setting. Train staff to find and export clips and keep alerts useful rather than noisy
