4 min read

Writen by Zlatko Delev

Posted on: July 27, 2021

GDPR Regulations for CCTV , Photography and Video equipment and drones.


In general, CCTV is directed at viewing and/or recording the activities of individuals. Therefore, most uses of CCTV by organisations or businesses will be covered by the DPA. The ICO has also issued a code of practice that provides recommendations on the use of CCTV systems to help organisations comply with the DPA.

CCTV systems which make use of wireless communication links (eg, transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.

CCTV systems which can transmit images over the internet (eg, to allow viewing from a remote location) should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access (eg, a username and secure password).

The devices used to store CCTV images are also a common target during a break-in (eg, to remove potential evidence of the crime). In the first instance, organisations should consider the physical security of the storage device such as whether it is kept in a locked room. Newer systems may allow for recordings to be stored in an encrypted format which will prevent unauthorised access in the event of loss or theft, and which could be considered in addition to a range of appropriate access controls.

In responding to subject access requests or other disclosures, data controllers should consider an appropriate format of the data to be disclosed, and appropriate security controls. During procurement, the capability of the device or prospective system to export data securely to third parties should also be considered.

Photography and Video equipment

Use of digital photography and video recording can provide a permanent record of an event for a range of different purposes. Consumer devices rarely contain the ability to encrypt images stored on the device. As a result there is a risk of unauthorised access if the device, or a removable memory card, is lost or stolen.

When encryption is not a reasonable option, it is important to consider the measures a data controller can take to ensure that the risk is reduced to a tolerable level. For example, transferring images from the camera to a secure location and securely deleting them from the memory card as soon as is practical.

It may also be possible to consider using an alternative device such as a smart-phone or tablet which does offer an encrypted file system and encryption of their memory cards. However, care should be taken that the device does not automatically upload images to a remote cloud service or social network and that the method used to transfer the images from the device does not present a further security risk (eg transfer as an email attachment).


Another emerging technology is the use of Unmanned Aerial Systems (UAS) also known as RPAS and drones. A common feature of UAS is the ability to record video footage.

Where images or other personal data are transmitted from the vehicle back to the pilot (eg a live feed of video footage over Wi-Fi to a smartphone app) then the data should be appropriately protected against interception by using an encrypted wireless communication link. Using an encrypted wireless communication link may also give some protection against potential hijacking of the vehicle.

Where images or other personal data are stored on the vehicle (eg an on-board memory card) then the data should be appropriately protected in the event of loss or theft (eg following a crash). The data can be appropriately protected using encryption.

Additional legal requirements or best practice will include flying RPAS within line of sight, retaining a log of usage, copying data to a secure location and securely destroying data on the device as soon as practical.

The data controller must also consider the security of footage once transferred from the device for longer-term storage.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy