What are the GDPR requirements for CCTV on UK commercial property?

UK commercial CCTV operators are data controllers under UK GDPR and must follow the ICO surveillance code. Six requirements apply: a documented lawful purpose (e.g. crime prevention, staff safety), clear signage at every entrance and recorded zone, a documented retention schedule (typically 30 days for commercial), a Data Protection Impact Assessment for higher-risk deployments, a subject-access-request process so individuals can request footage of themselves, and storage that meets UK data residency expectations (on-premise local encrypted NVR, not overseas cloud). Flextec Limited supplies every commercial install with the documentation pack a DPO or ICO inspector can drop straight into the file.

Where commercial operators most often slip

Cameras pointing at private spaces (neighbouring property, residential windows). Missing or faded signage. No documented retention period. No subject-access-request process. Cloud storage on overseas servers without checked transfer safeguards. Each is flagged at Flextec survey and addressed at install.

Commercial CCTV details · Why Flextec for Hull CCTV · Request a survey.

By Sam Davis, Founder — 40+ years combined Yorkshire commercial security experience. Read more about Sam.