Commercial CCTV Monitoring and Installation: GDPR, DPIAs, Signage and Retention Explained

When commercial buyers look at CCTV, the conversation often starts in the wrong place.
It starts with camera numbers, image quality, storage days or whether remote monitoring is included. Those things matter, but they are not the first question. The first question is simpler: what is the system there to achieve, and can that purpose be justified?
The ICO says organisations using surveillance need to identify and document a lawful basis under Article 6 of the UK GDPR, and the system chosen must achieve the specific purpose for which it is being used. The information processed also needs to be adequate, relevant and limited to what is necessary. In other words, CCTV should be built around a defined problem, not installed because it feels like the default answer.
That matters even more for larger commercial sites. A CCTV system can absolutely help improve oversight, support investigations and reduce blind spots, but a poorly scoped system can also create unnecessary privacy risk, weak internal governance and footage that is not especially useful when something actually goes wrong. The ICO’s detailed CCTV guidance is aimed at large businesses in the public, private and third sectors, and it is currently under review following the Data (Use and Access) Act coming into force on 19 June 2025.
CCTV is not just a security purchase
For commercial clients, CCTV is partly a security decision and partly a governance decision.
That is because the moment a system captures identifiable individuals, the organisation moves into UK GDPR and Data Protection Act territory. GOV.UK’s guidance for commercial premises is direct on this point: businesses can use CCTV to protect property, but they must follow data protection law, put up signs, keep images only as long as needed and, in most circumstances, be able to provide images within one calendar month to people they have recorded. Businesses using CCTV also generally need to register and pay a data protection fee to the ICO unless exempt.
So the procurement brief should not be written as if this is only a technology project. It should be treated as a mix of security, compliance, operations and accountability. That usually leads to better decisions because the client is not just asking, “What cameras do we need?” but also, “Who owns this system, what is the lawful basis, who can access footage, how long is it kept and how will compliance be demonstrated later?”
Lawful basis comes before installation
One of the easiest mistakes to make is assuming the purpose of CCTV is obvious enough that it does not need to be documented. The ICO says that for any use of surveillance systems, organisations need to identify and document a lawful basis under Article 6 UK GDPR. In practice, for public-space or commercial surveillance, genuine consent is usually difficult, so the likely basis is legitimate interests, or public task for public authorities.
That does not mean every legitimate-interests argument automatically works. The use still needs to be necessary and proportionate. If a less intrusive measure would solve the same problem, that should be considered. The ICO also says buying a system simply because it is available, affordable or new is the wrong approach; decisions should be based on whether the system can provide a data-protection-compliant solution to the actual problem.
For commercial clients, that changes the tone of procurement. The brief becomes stronger when it defines the risk clearly:
unauthorised access to a yard or loading area
repeated after-hours trespass
the need to review incidents at key entry points
poor visibility in a high-footfall reception zone
evidential support for disputes or investigations
That sort of purpose-led thinking tends to produce a better system and a more defensible one.
DPIAs are not a formality
A lot of organisations still treat a DPIA as something to think about once the system has already been selected. The ICO guidance points the other way.
For surveillance systems, the ICO says organisations must take a data protection by design and by default approach and carry out a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to individuals. It says this applies in most cases relating to video surveillance because of the inherent privacy risks involved. The guidance specifically includes monitoring publicly accessible places on a large scale and monitoring individuals at a workplace. A DPIA should be done before processing begins and should describe the nature, scope, context and purposes of the processing, assess necessity and proportionality, identify risks to individuals and set out mitigating measures. If high risks cannot be mitigated, prior consultation with the ICO is required.
For a commercial buyer, that means the DPIA should shape the procurement process, not trail behind it. It is where the organisation works out whether coverage is too broad, whether certain locations are too intrusive, whether audio recording is justified, whether signage will be sufficient and whether alternative controls would do the job with less impact on privacy.
That is not red tape. It is simply better planning.
Signage needs to do more than exist
Poor CCTV signage is one of the most common weak points on commercial sites. A sign at the far end of a fence or buried in a block of visitor terms is not enough.
The ICO says signs should be clearly visible and readable, explain that surveillance is in operation and include details of the organisation operating the system, the purpose for using it and how to contact the organisation. It also says an effective approach is to place signs prominently before the entrance to the system’s field of vision and reinforce this with further signs inside the area, so individuals can recognise the circumstances of the surveillance before entering the monitored zone. Publishing information on a website alone is not enough, though a layered privacy notice can support physical signage. GOV.UK also says businesses using CCTV at commercial premises must put up a sign to let people know CCTV is being used and why.
From a practical point of view, that means signage should be part of deployment planning, not an afterthought at handover.
Retention is purpose-led, not storage-led
Retention is where a lot of systems quietly drift out of compliance. A recorder can store footage for months, so footage ends up being kept for months. That is not the same thing as having a justified retention period.
The ICO says the UK GDPR and the Data Protection Act 2018 do not set a fixed minimum or maximum retention period for surveillance systems. Instead, the organisation’s purpose should determine what retention period is necessary. It also says data should not be kept for longer than needed, that retention should be the shortest period required for the purpose and that it should not be set merely by the storage capacity of the system or because the footage might one day be useful. The organisation should document its retention policy, make sure it is understood by operators and have secure deletion measures in place.
For commercial clients, that usually means asking harder questions during procurement:
What is the actual retention requirement for this site?
Is it driven by incident patterns, claims, investigations or contractual needs?
Who can preserve footage when there is an active investigation?
Is deletion automated and auditable?
Can relevant footage be retrieved quickly without losing date and time information?
Those are the questions that separate a CCTV system that merely records from one that is genuinely usable.
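The retention questions above are easier to answer when the deletion mechanism is written down. The script below is an added illustration, not code from the page or from any CCTV vendor, of what "purpose-led, automated and auditable" retention can look like in practice: a per-camera retention period that is set by the documented purpose rather than disk capacity, a preservation hold for an active investigation that stops deletion for a defined camera and time window, recording timestamps carried in the file name so the date and time survive export and deletion, and an append-only hash-chained audit log so a missing or altered deletion record can be detected. The file-naming convention, the retention values, the hold reference and the sample file names are all constructed for the example.

```python
"""Retention enforcement for CCTV footage with preservation holds and an
auditable deletion log. Added example, not from the page or any vendor.
Assumed conventions: file names '<camera>_<YYYYmmddTHHMMSSZ>.mp4', UTC times."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Retention in days per camera, justified by documented purpose, not by disk size (constructed values).
RETENTION_DAYS = {"yard-gate": 31, "reception": 14}
DEFAULT_RETENTION_DAYS = 30


@dataclass(frozen=True)
class Recording:
    camera: str
    start: datetime  # UTC start time parsed from the file name, so it survives export/deletion
    name: str


@dataclass(frozen=True)
class Hold:
    """Preservation hold for an investigation: footage of this camera starting in [start, end] is not deleted."""
    reference: str
    camera: str
    start: datetime
    end: datetime

    def covers(self, rec: Recording) -> bool:
        return rec.camera == self.camera and self.start <= rec.start <= self.end


def parse_name(name: str) -> Recording:
    """'<camera>_<YYYYmmddTHHMMSSZ>.mp4' -> Recording (assumed naming convention)."""
    stem = name.rsplit(".", 1)[0]
    camera, ts = stem.rsplit("_", 1)
    start = datetime.strptime(ts, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return Recording(camera, start, name)


class AuditLog:
    """Append-only log; each entry hashes the previous entry, so edits or gaps break the chain."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, **event) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = {**body, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def enforce_retention(recordings: Iterable[Recording], holds: Iterable[Hold], now: datetime,
                      log: AuditLog, delete: Callable[[Recording], None],
                      operator: str) -> dict[str, list[str]]:
    """Delete footage older than its camera's retention period unless a hold covers it.
    Returns which file names were deleted, kept under hold, or still within retention."""
    result: dict[str, list[str]] = {"deleted": [], "held": [], "within_retention": []}
    holds = list(holds)
    for rec in recordings:
        limit = timedelta(days=RETENTION_DAYS.get(rec.camera, DEFAULT_RETENTION_DAYS))
        if now - rec.start <= limit:
            result["within_retention"].append(rec.name)
            continue
        hold = next((h for h in holds if h.covers(rec)), None)
        if hold is not None:
            result["held"].append(rec.name)
            log.append(action="retain-hold", name=rec.name, hold=hold.reference,
                       operator=operator, at=now.isoformat())
            continue
        delete(rec)
        result["deleted"].append(rec.name)
        log.append(action="delete", name=rec.name, camera=rec.camera,
                   recorded=rec.start.isoformat(), operator=operator, at=now.isoformat())
    return result


def demo() -> tuple[dict[str, list[str]], AuditLog]:
    """Run the enforcer over constructed sample file names; no real files are touched."""
    now = datetime(2025, 7, 15, 2, 0, tzinfo=timezone.utc)
    names = [
        "yard-gate_20250601T231500Z.mp4",  # ~43 days old, over the 31-day limit: delete
        "yard-gate_20250703T014000Z.mp4",  # 12 days old: keep
        "reception_20250620T091000Z.mp4",  # ~24 days old, over the 14-day limit, but on hold
        "reception_20250625T120000Z.mp4",  # ~19 days old, over the limit, no hold: delete
    ]
    holds = [Hold("INV-2025-017", "reception",  # constructed investigation reference
                  datetime(2025, 6, 19, tzinfo=timezone.utc),
                  datetime(2025, 6, 21, tzinfo=timezone.utc))]
    log = AuditLog()
    deleted: list[str] = []
    result = enforce_retention([parse_name(n) for n in names], holds, now, log,
                               delete=lambda r: deleted.append(r.name), operator="svc-retention")
    return result, log


if __name__ == "__main__":
    outcome, audit = demo()
    print(json.dumps(outcome, indent=2))
    print("audit chain intact:", audit.verify())
```

In a real deployment the `delete` callback would unlink the file on the recorder or storage target and the audit log would be written somewhere the CCTV operators cannot edit, but the shape stays the same: the retention period is a documented number per purpose, a hold is an explicit record with a reference that can be quoted to an investigator, and every deletion leaves a verifiable trace of what was removed, when, and by which account.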
Monitoring is only valuable if it produces oversight
Remote monitoring sounds reassuring, but buyers should be clear on what it is supposed to achieve.
Is the aim live intervention, escalation, evidence gathering, audit support, perimeter review or after-hours visibility? Without that clarity, monitoring can become expensive background activity rather than a defined operational control.
There is also a standards angle worth checking. GOV.UK’s recommended standards page lists relevant standards for CCTV installers, maintainers, control rooms and private monitoring companies. For example, it points to BS EN 62676-4 for selection, planning, installation, commissioning, maintaining and testing of CCTV systems, BS7958 for the management and operation of CCTV systems and BS8418 for detector-activated CCTV design, operation and remote monitoring. It also lists standards relevant to private monitoring centres, including BS8591 and BS5979.
A commercial client does not need to become a technical specialist overnight, but it is worth checking whether the proposed solution is being designed, operated and monitored with recognised standards in mind.
What commercial buyers should check before signing off
Before appointing a supplier or approving a rollout, it is worth pressure-testing the proposal against a simple set of questions:
1. What is the exact purpose of the system?
If the purpose is vague, the design usually is too.
2. What is the lawful basis?
The ICO says this should be identified and documented before deployment.
3. Is a DPIA required?
In many commercial surveillance scenarios, the answer will be yes, especially where the system monitors workplace activity or publicly accessible areas at scale.
4. Is the coverage necessary and proportionate?
More cameras do not automatically mean better control.
5. Is the signage actually fit for purpose?
It should be visible, readable and placed before people enter the monitored area.
6. What is the retention period and why?
If the answer is “because the system allows it,” the retention logic is weak.
7. Who can access footage and under what rules?
Access, retrieval, redaction and disclosure all need clear ownership. The ICO says access should be restricted to authorised individuals and footage should be retrievable efficiently within relevant statutory timescales.
8. Is the proposal aligned with recognised standards?
That matters for both operational quality and procurement assurance.
Final thought
The most useful way to think about CCTV is this: it is not just there to watch a site, it is there to support better decisions.
That only happens when the system is tied to a clear purpose, supported by the right governance and designed with privacy, evidence and operational reality in mind. Get that right, and CCTV becomes a genuinely valuable control. Get it wrong, and it becomes an expensive source of footage with unclear ownership and too many unanswered questions.
FAQ
Do commercial premises always need a DPIA for CCTV?
Not always, but the ICO says a DPIA is legally required where processing is likely to result in a high risk to individuals, and that this applies in most cases relating to video surveillance because of the inherent privacy risks involved. This includes monitoring publicly accessible places on a large scale and monitoring individuals at a workplace.
Is there a fixed legal CCTV retention period in the UK?
No. The ICO says there is no fixed minimum or maximum retention period for surveillance systems. Retention should be based on the purpose of the processing and should be the shortest period necessary for that purpose.
What should CCTV signs include?
The ICO says signs should explain that surveillance is in operation and include the organisation operating the system, the purpose for using it and contact details. GOV.UK also says signs must let people know CCTV is being used and why.
Does commercial CCTV usually require an ICO fee?
In many cases, yes. GOV.UK says businesses using CCTV must register with the ICO and pay a data protection fee unless exempt, and the ICO repeats that controllers using surveillance systems that process personal data are required to register and pay unless exempt or already covered.
