Security cameras are a legitimate tool for protecting business premises, but under the General Data Protection Regulation (GDPR), video footage of identifiable people is personal data. That means businesses operating in the EU and EEA must follow specific rules when installing and operating CCTV systems. Here is what you need to know in practical terms.
You Need a Lawful Basis
GDPR requires a legal justification for processing personal data. For business CCTV, the most common basis is “legitimate interest” (Article 6(1)(f)). Your legitimate interest could be preventing theft, protecting staff safety, or securing your premises. You must document this in a Legitimate Interest Assessment (LIA)—a short written record showing that your interest outweighs the privacy impact on individuals being filmed.
Signage Is Mandatory
Anyone entering an area covered by cameras must be informed before they are recorded. This means clearly visible signs at every entry point to the surveilled area. Each sign should include: the purpose of the recording, who is responsible (your company name), and how to get more information (a contact email or reference to your privacy policy). Many businesses use the standardised yellow CCTV warning sign with these details printed below.
Limit What You Record
Cameras should only cover areas where surveillance is necessary and proportionate. Recording the shop floor or warehouse is reasonable. Recording staff break rooms, toilets, or changing areas is not. If a camera captures public pavement or a neighbouring property, consider adjusting the angle or using privacy masking to black out areas outside your premises.
Retention: Do Not Keep Footage Forever
GDPR’s storage limitation principle means you should keep footage only as long as you need it. For most businesses, 30 days is a reasonable retention period—long enough to review incidents but not so long that you are hoarding unnecessary personal data. Your NVR or cloud storage should be configured to automatically overwrite old footage. If footage is relevant to an ongoing incident or investigation, you may retain it longer, but document the reason.
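A retention sweep that enforces the 30-day limit, keeps anything under a documented incident hold and writes an audit line for every decision. This is an added example, not Nordensite's or any NVR vendor's code; it assumes recordings are flat .mp4 files whose modification time is the recording time and that holds are listed in a holds.json file as {"filename": "reason"}.

```python
"""Retention sweep for an on-premises footage store (added example).
Assumptions: flat .mp4 recordings, file mtime == recording time, and an
incident hold list in holds.json mapping filename -> documented reason."""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 30  # the period the article suggests for most businesses


def sweep(footage_dir: Path, hold_file: Path, audit_log: Path, now: datetime) -> dict:
    """Delete recordings older than RETENTION_DAYS unless on hold; log every decision."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    holds = json.loads(hold_file.read_text()) if hold_file.exists() else {}
    outcome = {"deleted": [], "held": [], "kept": []}
    with audit_log.open("a") as log:
        for rec in sorted(footage_dir.glob("*.mp4")):
            recorded = datetime.fromtimestamp(rec.stat().st_mtime, timezone.utc)
            if rec.name in holds:  # retained past the period, reason on record
                action = "HELD"
                outcome["held"].append(rec.name)
            elif recorded < cutoff:
                action = "DELETED"
                rec.unlink()
                outcome["deleted"].append(rec.name)
            else:
                action = "KEPT"
                outcome["kept"].append(rec.name)
            log.write(f"{now.isoformat()} {action} {rec.name} "
                      f"recorded={recorded.date()} reason={holds.get(rec.name, '-')}\n")
    return outcome


def demo() -> dict:
    """Constructed sample store: three recordings, one under an incident hold."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    root = Path(tempfile.mkdtemp())
    ages = {"cam1_fresh.mp4": 2, "cam1_old.mp4": 45, "cam2_incident.mp4": 60}
    for name, days in ages.items():
        path = root / name
        path.write_bytes(b"\x00")  # placeholder content, not real video
        ts = (now - timedelta(days=days)).timestamp()
        os.utime(path, (ts, ts))
    (root / "holds.json").write_text(json.dumps(
        {"cam2_incident.mp4": "theft report 2024-04-03, investigation open"}))
    return sweep(root, root / "holds.json", root / "retention.log", now)


if __name__ == "__main__":
    print(demo())
```

The audit log is what lets you show a regulator or a data subject that the retention period is actually applied and why a particular clip was kept longer.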
Access Requests
Under GDPR, anyone captured on your cameras has the right to request a copy of the footage showing them (a Subject Access Request, or SAR). You must respond within one month. In practice, this is rare for business CCTV, but you should have a process in place: know how to search footage by date and time, and be able to blur or redact other individuals before sharing.
Data Security
Treat your camera system like any other IT system containing personal data. Change default passwords on cameras and NVRs. Use encrypted connections for remote access. Restrict access to footage to authorised personnel only. If you use cloud storage, ensure your provider has appropriate data processing agreements in place.
Practical Steps
- Write a short CCTV policy document covering purpose, lawful basis, retention period, and access controls
- Add CCTV details to your privacy policy (or create a separate CCTV privacy notice)
- Install compliant signage before cameras go live
- Set automatic retention limits on your NVR
- Keep a log of who has access to footage
These steps are straightforward and do not require a lawyer for most small and medium businesses. The key principle is transparency: tell people you are recording, explain why, and do not keep footage longer than necessary.
All Nordensite camera kits support configurable retention periods, user access controls, and encrypted remote access to help you stay GDPR-compliant from day one. View our kits or get in touch for guidance.