Are you using CCTV lawfully under UK GDPR?

CCTV and video surveillance have been used for years, often as a crime deterrent. But more organisations are now using them for other purposes. Learn more about CCTV and UK GDPR compliance in this article.

What organisations have done in the past

For years organisations have used CCTV for things like crime prevention and detection. For example, it was commonplace to see cameras installed in staff car parks in the hope that this would deter criminals from breaking into or stealing the cars. If they did, evidence of their criminality would be captured and could be used in any subsequent prosecution.

What’s happening these days?

More and more organisations are now introducing video surveillance for other purposes, such as monitoring staff. This is especially the case since the outbreak of COVID-19, which has resulted in us all having to adjust to a new normal. For example, employers may want to install video surveillance inside their premises so they can check that staff are adhering to social distancing rules and wearing PPE.

In addition to this, there has been a sharp increase in employers wanting to access the webcams on the computers of staff working from home to check that they are actually sitting at their computer and working. Is this lawful?

Employers may insist that they have good reasons for this activity, such as health and safety concerns and/or productivity goals to be achieved. However, staff may consider it a massive intrusion into their privacy to be constantly monitored in this way.

The old law

Under the Data Protection Act 1998, it was best practice to carry out a Privacy Impact Assessment (PIA) before embarking on a new project such as installing CCTV / video surveillance. The purpose of a PIA was to identify and assess the privacy risks. However, it was not mandatory and as a result, many organisations did not bother with the process.

The new law and UK GDPR

Things changed when the EU GDPR became enforceable from 25 May 2018. Incidentally, whilst the UK is no longer in the EU, we do have our own version of the EU GDPR in the UK, namely the UK GDPR. This legislation mirrors the EU GDPR in most material respects.

Under the UK GDPR, the PIA took on a new name: Data Protection Impact Assessment (DPIA). The purpose is the same, namely to identify and assess the privacy risks, but it now requires a lot more detail. Importantly, it has become a legal requirement under Article 35 of the UK GDPR to carry out a DPIA in certain situations.

One such situation is using CCTV / video surveillance. This is because capturing images of people is effectively processing personal data. Therefore, the data protection legislation needs to be complied with.

What do you need to do to comply?

When you carry out a DPIA you will need to:

  • explain exactly what you intend to do with the personal data. This should cover the nature, scope, context and purpose of the project
  • consider whether or not you need to consult the data subjects and/or other interested parties before implementation
  • assess whether the scheme is necessary and proportionate. Is there another, less intrusive way to deal with the issue?
  • identify and assess the privacy risks. How will you ensure these are mitigated or at least minimised?

All of the above needs to be documented and set out in as much detail as possible. This will satisfy your legal obligation under Article 35. It will also help to demonstrate that you are complying with the Accountability Principle under Article 5(2), which means that you need to PROVE that you are complying with the data protection legislation.

Once the DPIA is done, it needs to be kept under review. It’s not simply a case of ticking the box and filing it away. The DPIA needs to be revisited on a regular basis, such as once a year, or more often if changes are proposed during that 12-month period. During the review, each of the stages mentioned above would need to be reconsidered in order to assess whether the CCTV / video surveillance is still fit for purpose, whether it is still needed, or whether changes need to be made.

The ICO, the regulator for data protection, has worked with the Surveillance Camera Commissioner (SCC) to produce guidance on the implementation of CCTV / video surveillance. It’s a good idea to adhere to this, as it will help you comply with the law.

What happens if you don’t comply?

If you don’t carry out a DPIA when you need to, you may face a fine of up to £8.6 million or 2% of global turnover, whichever is the greater. Also, if you do carry out a DPIA but it is of poor quality because it does not address everything that it should, then you may as well not have one, as you may still be subject to a fine at this level.

In addition, if the implementation of your CCTV / video surveillance gives rise to a breach of the Data Protection Principles or breaches individuals’ rights, the ICO could impose a fine of up to £17.5 million or 4% of global turnover, whichever is the greater.

In brief, if you are considering the implementation of CCTV / video surveillance in your organisation, be sure to carry out a DPIA. If you are baffled by the requirements or need some guidance, we would be glad to assist.

If you want to know more about the use of CCTV we have two other articles on the topic, which may be of further use:

Why Does CCTV Require Compliance?

Interest, What Public Interest?

Here at DPAS, we are able to provide CCTV Audits for organisations requiring one. Should you need additional guidance, advice or support, do not hesitate to contact us:

01392 914019

by Sandy May, Head of Data Protection Consultancy

Sandy is a fully qualified and experienced Data Protection Practitioner and lawyer. She holds the BCS Practitioner Certificate in Data Protection, along with a decade’s experience in this field.

As a dedicated professional, Sandy has a detailed knowledge of not only the General Data Protection Regulation (GDPR), but other related legislation as well. This includes the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR).

Find out more on our Meet the Team page.