The ICO exists to empower you through information.

This checklist is for users of limited CCTV systems monitoring small premises, such as retail or other small business properties. It outlines the core data protection considerations for the use of such systems.

In addition, the Biometrics and Surveillance Camera Commissioner (BSCC) also offers a buyers’ toolkit which assists small and medium enterprises that are thinking about using surveillance systems.

This CCTV system and the images produced by it are controlled by:


who is responsible for how the system is used under the UK GDPR and Data Protection Act 2018.

We (…………………………) have considered the need for using CCTV and have decided it is necessary for the prevention and detection of crime and for protecting the safety of individuals, or the security of premises. We will not use the system for any incompatible purposes and we conduct regular reviews of our use of CCTV to ensure that it is still necessary and proportionate.

  Checked (Date) By Date of next review

If our system is processing footage of identifiable individuals and is processing personal data, we have registered as a controller and submitted a relevant data protection fee to the Information Commissioner’s Office (ICO). We have also recorded the next renewal date.

There is a named individual who is responsible for the operation of the system.      
Prior to processing we have clearly defined the problem we are trying to address. We regularly review our decision to use a surveillance system.      
We have identified and documented an appropriate lawful basis for using the system, taking into consideration Article(s) 6, 9 and 10 of the UK GDPR and relevant Schedules of the DPA 2018.      
Our system produces clear images which we can easily disclose to authorised third parties. For example when law enforcement bodies (usually the police) require access to investigate a crime.      
We have positioned cameras in a way to avoid any unintentional capture of private land or individuals not visiting the premises.      
There are visible signs showing that CCTV is in operation. Contact details are displayed on the sign(s) if it is not obvious who is responsible for the system.      
We securely store images from this system for a defined period and only a limited number of authorised individuals may have access to them.      
Our organisation knows how to respond to individuals making requests for copies of their own images, or for images to be erased or restricted. If unsure the controller knows to seek advice and guidance from the Information Commissioner’s Office (ICO) as soon as a request is made.      

Please keep this checklist in a safe place until the date of the next review.