The new GDPR legislation encouraged all businesses to review their data collection, processing and storage, which makes it an ideal time to review your security system data handling. Reviewing this will help you to ensure that any data you collect is being used and stored appropriately.


There are some key principles that the government require from commercial CCTV system controllers. You must have the correct signage, provide footage to the authorities promptly if they ask for it and be able to provide footage of an individual within 40 days if they personally ask for it. You should only keep images or footage for as long as is necessary.

Most companies have previously relied on implied consent for monitoring employees through their security systems, for example CCTV and access control. When you consider the GDPR consent requirement, many companies will need to review their policies, processing, storage, encryption and deletion period. It is advisable to address this within your privacy policy or formulate a separate CCTV policy and staff training plan.

It might seem unlikely that the authorities will require CCTV footage, but it’s not uncommon for us to receive this request. If the nature of the crime or investigation is sensitive, the police may require an engineer to download the footage rather than the business owner or site manager. If an engineer is required, remote assistance can be provided where the system has been networked and set up at an earlier attendance, provided that the internet connection is sufficient. In our experience, an officer may sometimes attend to download the footage themselves, depending on individual force procedures and the specific instance that the footage is connected to. Site management may be able to download footage themselves for the police on some occasions. Older DVRs will require footage to be downloaded via a laptop, but modern DVRs can normally download footage directly onto a memory stick.

Any company processing data should already have an ICO registration, but did you know that you should register commercial CCTV systems directly with the ICO? The ICO provide extensive resources for data protection management and, although it’s not always compulsory, you can also register residential systems with the ICO. For residential systems this is a requirement if your cameras view beyond your boundary.

CCTV Signage

A good starting point for reviewing your CCTV in line with GDPR is to ensure you have correct and accurate CCTV signage. This is essential in any commercial environment where CCTV is being used.

CCTV signage should:

– provide the name of the system controller.

– provide a contact phone number for the system controller.

– detail the purpose of the CCTV e.g. public safety.

– be clear and prominent.

– be positioned in the premises entrance and throughout the premises, especially if cameras are not themselves prominent.

– be extended to your premises perimeter if your camera positions capture images outside of your boundary.

If you would like to purchase compliant signage for your CCTV system please contact us by clicking here or calling 01702 528850.

Covert CCTV

Covert CCTV is a little bit more complicated. Covert CCTV is less common than Hollywood would have you think, but there is still a requirement in some situations. If you have a requirement for a covert CCTV installation, then a full risk assessment would need to be undertaken to determine whether there are sufficient grounds to suspect criminal activity or malpractice in the area where coverage is required, and whether telling the public or workforce could prevent the investigation or significantly prejudice the workforce to intervene in the prevention of said crime or malpractice. The responsibility for this risk assessment, the time frame for using covert CCTV and the final decision on installation would fall to the most senior management. Covert cameras can only be used as a means to assist an investigation.

Without appropriate legal advice, in most instances it's best to leave covert surveillance in the realms of fiction.

Access and Intruder Alarms

For companies who monitor their employees' movements through access systems and the features within an intruder alarm, you should consider factors such as what purpose the data is collected for, how you will store and process the data, how long you will keep it and how it will be deleted when employees leave the company. This should be addressed within your privacy policy.