How to Comply with UK CCTV Surveillance Laws in 2026
Selling hidden cameras into the UK is legal, but the moment a customer switches one on in a workplace or shared building, UK data protection law kicks in. The ICO issued 28 monetary penalty notices in 2025, the highest annual total since UK GDPR came into force. New rules from the Data (Use and Access) Act 2025 add extra paperwork from June 2026.
This guide explains what UK hidden camera sellers, installers, and resellers need to know. It is not legal advice, but it will help you ask the right questions and avoid the compliance mistakes that trigger ICO investigations.
What Laws Govern CCTV Use in the UK in 2026?
UK surveillance law is a three-layer stack, and each layer has practical consequences for camera operators.
The Data Protection Act 2018 and UK GDPR form the base, the Surveillance Camera Code of Practice sets best-practice principles, and the Data (Use and Access) Act 2025 updates procedural rules.

The ICO’s CCTV guidance makes clear that any footage capturing identifiable individuals counts as personal data. That means every rule that applies to names, addresses, and emails also applies to video clips.
The Surveillance Camera Code of Practice sets 12 guiding principles. It binds police and local authorities directly, but the ICO expects private organisations to follow it as best practice. The Data (Use and Access) Act 2025 amends parts of UK GDPR and the DPA 2018, changing how subject access requests and complaints are handled.
| Legal Layer | Kluczowe wymagania | Who It Affects |
|---|---|---|
| UK GDPR + DPA 2018 | Lawful basis, storage limits, security | All CCTV operators |
| Surveillance Camera Code | 12 guiding principles | Expected best practice for all |
| Data (Use and Access) Act 2025 | Updated DSAR and complaint rules | All operators from mid-2026 |
Key Takeaway: Three laws overlap, and the operator must satisfy all of them.
What Is the Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 received Royal Assent in June 2025 and is now in force, with some provisions taking effect in stages.
It updates UK data protection rules to create a “stop the clock” rule for subject access requests and a mandatory complaints-handling duty.

For CCTV operators, the most relevant change is the “stop the clock” provision. Under UK GDPR, a data subject access request must normally be answered within one calendar month. The new Act pauses that clock while the operator waits for information needed to locate the footage, such as the date, time, or camera location.
From 19 June 2026, organisations must also have a documented process for handling complaints about data processing, including CCTV. The ICO recommends setting that process up now. Hidden camera sellers should prepare a short complaints-handling template they can share with buyers.
| Change | Effective Date | What It Means for CCTV |
|---|---|---|
| Royal Assent | June 2025 | Act becomes law |
| Stop-the-clock DSARs | In force | Clock pauses while waiting for locating details |
| Complaints handling duty | 19 June 2026 | Documented process required |
Key Takeaway: The Act refines procedures; it does not replace UK GDPR.
Do UK Businesses Need a Camera Register?
Yes. The ICO expects every CCTV operator to know exactly what surveillance equipment it runs and why.
A camera register is a written record of each camera’s location, purpose, field of view, retention period, and responsible person.

The register is not optional paperwork. It is one of the first things the ICO checks during an investigation. A paper logbook from the installer is not enough if it has not been updated since installation day. The register must reflect what is actually in place and be updated whenever cameras are added, moved, or decommissioned.
For each camera, the register should record the physical location, purpose, field of view, whether audio is enabled, retention period, and named data controller. Audio recording is almost always disproportionate for small businesses unless there is documented justification.
| Register Field | Dlaczego to ma znaczenie |
|---|---|
| Lokalizacja | Proves the operator knows where cameras are |
| Cel | Supports the lawful basis |
| Field of view | Shows whether public spaces are captured |
| Audio enabled | Flags higher-risk processing |
| Retention period | Demonstrates storage limitation |
| Named controller | Identifies who is accountable |
Key Takeaway: A current camera register is a core compliance document, not a nice-to-have.
When Is a Data Protection Impact Assessment Required?
A Data Protection Impact Assessment is required before any processing that is likely to result in a high risk to individuals.
Systematic monitoring of a publicly accessible area or a workplace via CCTV usually triggers this requirement.

Under UK GDPR Article 35, the DPIA must explain what is being recorded, why it is necessary, whether surveillance is proportionate, the privacy risks, and the measures used to reduce those risks. Those measures might include restricted access, signage, short retention periods, and encryption.
The DPIA should be completed before the cameras are switched on. If cameras monitor employee areas, additional obligations apply. Employees must be informed through their contract or a written notice, and covert monitoring of employees is only lawful in limited circumstances.
| DPIA Element | What to Document |
|---|---|
| Cel | Why the camera is needed |
| Proportionality | Whether less intrusive options were considered |
| Privacy risks | Risks to employees, customers, and passers-by |
| Mitigations | Signage, access controls, retention limits |
| Consultation | Whether affected people were consulted |
Key Takeaway: Complete the DPIA before the cameras start recording.
What Must CCTV Signage Include?
A generic “CCTV in operation” sticker is not enough under UK rules.
Compliant signage must tell people who is recording them, why, and how they can get more information.

The Surveillance Camera Code of Practice and UK GDPR both require that individuals are informed before they enter a monitored area. The sign should include the controller’s identity, purpose, contact details, and a reference to the full CCTV policy. For example: “CCTV operated by [Business Name] for crime prevention. Questions? Call [number] or see our policy at [URL].”
Signs must be placed at every entry point, clearly visible before someone enters the camera’s field of view. Hidden cameras used in a business context still require signage if they capture identifiable individuals.
| Signage Requirement | Przykład |
|---|---|
| Controller identity | Business name or trading name |
| Cel | “For the prevention and detection of crime” |
| Contact details | Phone, email, or postal address |
| More information | Policy URL or reception reference |
Key Takeaway: Signs must name the controller, state the purpose, and provide contact details.
How Long Can UK Businesses Keep CCTV Footage?
There is no fixed legal maximum, but footage must not be kept longer than necessary for its stated purpose.
The ICO’s general position is that 30 days is appropriate for most routine business CCTV.

The storage limitation principle under UK GDPR means every business must set and enforce a retention schedule. Keeping footage longer than the stated period requires documented justification, such as an ongoing investigation or legal proceedings. Once the retention period expires, footage must be securely deleted.
“We forgot to delete it” is not a lawful basis for extended retention. A written policy should define retention periods per camera, assign someone to enforce deletion, and log deletions. Hidden camera sellers should remind buyers that whether footage sits on SD card or cloud, the operator is responsible for deleting it on schedule.
| Footage Type | Typical Retention |
|---|---|
| Routine security footage | 30 dni |
| Incident-related footage | Duration of investigation or claim |
| Footage subject to DSAR | Until request is fulfilled |
Key Takeaway: Set a retention period per camera and enforce deletion on schedule.
How Should Businesses Handle Subject Access Requests?
Anyone captured on CCTV has the right to request a copy of the footage that shows them.
The operator has one calendar month to respond, starting from the date the request is received.

When fulfilling a DSAR, the operator must provide the footage free of charge unless the request is manifestly unfounded or excessive. They must redact or blur other identifiable individuals before sharing. If the footage has already been deleted under the retention policy, the operator should explain this clearly.
The Data (Use and Access) Act 2025 introduces the “stop the clock” rule. If the requester supplies vague details, the operator can ask for date, time, and camera location. While waiting, the one-month deadline is paused. Sellers can add value by giving buyers a simple DSAR response checklist.
| DSAR Step | Działanie |
|---|---|
| Receive request | Note the date received |
| Verify identity | Confirm the requester is the person filmed |
| Locate footage | Use date, time, and camera location |
| Redact others | Blur or mask other identifiable people |
| Respond | Within one calendar month, or paused if details missing |
Key Takeaway: DSARs must be answered within one month, with other people redacted.
What Are the ICO Registration Fees for CCTV Operators?
Most UK organisations processing personal data, including through CCTV, must pay the annual ICO data protection fee.
The fee depends on the size of the organisation.

The current fee structure is:
– Tier 1: up to £52 per year for micro organisations with up to 10 staff and turnover under £632,000.
– Tier 2: up to £78 per year for SMEs with up to 250 staff and turnover under £36 million.
– Tier 3: up to £3,763 per year for large organisations.
Failure to pay the fee can result in enforcement action and a penalty notice. Sellers should remind buyers that operating CCTV without ICO registration is a common and easily avoided compliance failure. A calendar reminder for the renewal date prevents expensive problems.
| Poziom | Staff / Turnover | Annual Fee |
|---|---|---|
| Tier 1 | Up to 10 staff, turnover under £632k | £52 |
| Tier 2 | Up to 250 staff, turnover under £36m | £78 |
| Tier 3 | Larger organisations | £3,763 |
Key Takeaway: Register with the ICO and pay the annual fee before cameras go live.
What Changed for Complaints Handling in 2026?
From 19 June 2026, UK organisations must have a documented process for handling complaints about their data processing.
This includes complaints about CCTV use.

The complaints process should explain how individuals can raise concerns, how the organisation will investigate, and how long the complainant can expect to wait. The process must be written down, not just understood informally. The ICO recommends putting it in place now as good practice.
For hidden camera sellers, this is an opportunity to differentiate. Provide buyers with a short complaints-handling template they can adapt. A one-page document with contact details, timelines, and escalation steps helps SME customers meet the new requirement.
| Complaints Process Element | What to Include |
|---|---|
| How to complain | Email, phone, or postal route |
| Acknowledgement | Confirm receipt promptly |
| Śledztwo | Who reviews the complaint and how |
| Response timeline | Target date for a full reply |
| Escalation | How to escalate to the ICO if unresolved |
Key Takeaway: A written complaints process becomes mandatory from 19 June 2026.
How Can Hidden Camera Sellers Stay Compliant?
Sellers are not usually the data controller for their customers’ CCTV systems, but they can still reduce legal risk and add value.
The safest approach is to give buyers clear, accurate information and avoid making claims that encourage illegal use.

Start by including a short compliance note with every sale. It should remind the buyer that signage may be required, audio recording is high-risk, and footage must be deleted after the retention period. Link to the ICO CCTV guidance and avoid giving legal advice.
Avoid marketing language that suggests covert recording of employees, intimate spaces, or the public without consent is acceptable. Those uses are likely to breach UK GDPR and expose both buyer and seller to risk. Focus instead on legitimate use cases: theft prevention, property security, and evidence collection.
| Seller Action | Risk Reduced |
|---|---|
| Include compliance note with sale | Customer misuse |
| Link to ICO guidance | Misinformation claims |
| Avoid promoting covert employee monitoring | Legal and reputational risk |
| Recommend local SD storage | Data breach exposure |
Key Takeaway: Sellers who educate buyers build trust and reduce downstream legal risk.
Często zadawane pytania
Do I need to register with the ICO just to sell hidden cameras?
No. Registration is required when you process personal data, which happens when cameras you operate capture identifiable people. Pure sellers who do not operate cameras are not normally required to register, but should still understand the rules.
Can a UK business use a hidden camera without putting up signs?
Usually no. If the camera captures identifiable individuals in a workplace or public-access area, signage is required. Covert recording is only lawful in limited circumstances and should not be marketed as standard practice.
How long should a shop keep CCTV footage in the UK?
The ICO generally considers 30 days appropriate for routine footage. Incident-related footage can be kept for the duration of the investigation or claim, then securely deleted.
What happens if a business ignores a subject access request?
Failing to respond within one calendar month is a common trigger for ICO complaints. The ICO can issue enforcement notices and monetary penalties.
Does the Data (Use and Access) Act 2025 replace GDPR for CCTV?
No. It amends parts of UK GDPR and the Data Protection Act 2018 but does not replace them. The core obligations remain in force.
Need compliant hidden camera products for your UK customers? Contact QZT Security today for CE-certified devices and documentation that helps your buyers stay on the right side of UK surveillance law.