How will the GDPR affect CCTV and workplace monitoring?

Personal data is any information relating to an identified or identifiable individual, not just written records. CCTV footage and employee monitoring data therefore fall within scope, and systematic monitoring of individuals will typically be treated as a high-risk processing activity under the EU General Data Protection Regulation (GDPR).


Justifying surveillance

Employers are entitled to monitor employee activity, but they need a lawful basis for doing so and they must tell employees what is monitored, why, and how the resulting data is used.

Many companies currently rely on implied consent to justify monitoring, but the GDPR requires consent to be freely given, and the imbalance of power between employer and employee makes that hard to demonstrate, so other legal grounds should be sought where possible. The most appropriate grounds will usually be legitimate interests or a legal obligation.

In a code of practice guide, the Information Commissioner’s Office (ICO) recommends that organisations carry out a data protection impact assessment (DPIA) to assess the extent to which monitoring is required, where it is required and at what times. It also outlines a number of things you should bear in mind if you plan to monitor your employees:

  • Data must be used and kept only to fulfil its original purpose. For instance, if the purpose of holding data is to identify individuals engaged in criminal activity, the footage should be of sufficient quality to do so and be available to the police should they request to view it.
  • CCTV recordings and other logs must be stored securely and encrypted wherever possible.
  • Individuals have the right to request a copy of any CCTV footage in which they are in focus and/or clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with that footage without undue delay and in any event within one month of receiving the request (extendable by up to two further months where requests are complex or numerous, provided the individual is told why). Footage showing other identifiable people may need to be redacted before it is released. The same applies to other kinds of data collected through employee monitoring.


Prepare for the GDPR

If you want to learn more about your obligations under the GDPR, you should register for our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.

The Regulation strengthens many compliance requirements, and introduces much stricter penalties for companies that don’t meet them. Any organisation that fails to comply with the GDPR faces a fine of up to €20 million or 4% of its annual global turnover – whichever is greater.

Our Foundation-level training course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for all organisations affected by the Regulation.
