What “AI CCTV” actually means

The term AI CCTV covers a wide spectrum — from simple motion analytics to complex biometric facial recognition. Most systems marketed as “AI” in 2025 rely on one or more of the following:

– Object detection / motion analytics (detects people or vehicles, not identities)
– Behaviour analysis (loitering, line-crossing, zone intrusion)
– Facial recognition (identifies or verifies individuals)
– License-plate recognition (ANPR)
– Crowd-density analytics or PPE detection

Not all AI systems are equal under the law — analytics may be lawful with safeguards, but biometric recognition triggers strict GDPR obligations.

The UK position in 2025: biometrics, consent & legitimate interest

The UK GDPR (post-Brexit version) treats biometric data that can uniquely identify a person as special-category personal data.
That means it’s subject to extra conditions — you must have both:

  1. A lawful basis under Article 6 (e.g., legitimate interest, contract, legal obligation), and
  2. An additional condition under Article 9(2) (e.g., explicit consent, substantial public interest).

For private sites (e.g., offices, warehouses, retail, residential blocks), explicit consent is rarely practical for visitors. Therefore, most operators rely on analytics-only AI — avoiding identity recognition altogether.

In practice (2025):
– Facial recognition for general access control or visitor management remains high-risk and often non-compliant.
– Analytics such as line-crossing, loitering, or object detection can be compliant if data is anonymised and retention controlled.
– The ICO (Information Commissioner’s Office) expects a Data Protection Impact Assessment (DPIA) before deployment.

DPIA checklist for private sites

A compliant system begins with a clear purpose statement and necessity test.
Before installation, complete a Data Protection Impact Assessment (DPIA) covering:

– Purpose & lawful basis for processing
– Necessity and proportionality (is there a less intrusive way?)
– Categories of data processed (video, biometric, metadata)
– Data retention period and deletion schedule
– Access control and audit logging
– Third-party processor agreements
– Signage, subject access, and opt-out mechanisms

If your CCTV system includes biometric matching, consult a legal advisor or Data Protection Officer before activation.

| Checklist Area | What’s Required | Typical Owner |
|---|---|---|
| DPIA | Complete before installation; define purpose, lawful basis, risk mitigations. | Data Protection Officer / Site Manager |
| Signage | Visible, plain-language notice naming controller and purpose. | Facilities / Security Lead |
| Retention Policy | 30–31 days standard; longer only with incident justification. | Security / Compliance Team |
| Access Control | Named accounts, audit trail of who exported footage. | IT / System Admin |
| Subject Access | Respond to SARs within 30 days; redact other individuals before release. | Data Protection Officer |

Checklist aligned with ICO guidance and UK GDPR as of 2025.

Safer alternatives (analytics, not biometrics)

If your goal is deterrence, incident verification, or crowd management, non-biometric AI analytics are usually sufficient.

Examples of compliant use-cases:
– Line-crossing or motion alerts to dispatch security patrols
– Queue-length or occupancy tracking (anonymous counts only)
– PPE-compliance detection on construction sites
– Abandoned-object alerts or restricted-area breaches

When to escalate to manned guarding:
– Persistent false positives or unverified alerts
– Areas requiring judgement, discretion, or human intervention
– Sites with public access or safeguarding considerations

Blended approach: Combine smart analytics for efficiency with on-site SIA-licensed officers for response and verification — the safest operational model in 2025.

Signage, retention, and access requests

Under UK GDPR and the Surveillance Camera Code of Practice, operators must:

– Display clear signage stating CCTV is in operation and who controls the data
– Retain footage only as long as necessary (typically 30–31 days unless under investigation)
– Provide a mechanism for Subject Access Requests (SARs)
– Log who accessed or exported data and why
– Use secure, access-controlled storage with limited admin rights

Poor retention discipline and unlogged exports are frequent causes of enforcement action.
If your provider offers “cloud AI CCTV,” verify the hosting region (UK/EU) and encryption standards.
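
The retention and export-logging duties above (and the Retention Policy and Access Control rows of the DPIA checklist) can be checked mechanically. The following is an added example, not part of the original article or any vendor's product; the record fields, the shared-account list and the sample data are constructed assumptions rather than a real VMS schema.

```python
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 31  # the article's upper bound: 30-31 days unless under investigation

# Constructed sample data; field names are assumptions, not a real VMS export format.
CLIPS = [
    {"id": "cam1-0001", "recorded": "2025-01-02T08:00:00+00:00", "hold_ref": None},
    {"id": "cam1-0002", "recorded": "2025-01-05T21:30:00+00:00", "hold_ref": "INC-PLACEHOLDER"},
    {"id": "cam2-0003", "recorded": "2025-02-20T10:15:00+00:00", "hold_ref": None},
]
EXPORTS = [
    {"clip": "cam1-0002", "user": "j.smith", "reason": "incident hold INC-PLACEHOLDER"},
    {"clip": "cam2-0003", "user": "admin", "reason": "SAR response"},
    {"clip": "cam2-0003", "user": "a.khan", "reason": ""},
]
SHARED_ACCOUNTS = {"admin", "operator", "security"}  # assumed generic logins


def overdue_clips(clips, now, days=RETENTION_DAYS):
    """Return ids of clips past the retention window with no investigation hold."""
    cutoff = now - timedelta(days=days)
    return [c["id"] for c in clips
            if datetime.fromisoformat(c["recorded"]) < cutoff and not c["hold_ref"]]


def export_findings(exports, shared=SHARED_ACCOUNTS):
    """Flag exports that cannot be tied to a named person and a stated purpose."""
    findings = []
    for e in exports:
        if e["user"].lower() in shared:
            findings.append((e["clip"], e["user"], "shared account"))
        if not e["reason"].strip():
            findings.append((e["clip"], e["user"], "no reason recorded"))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    print("delete:", overdue_clips(CLIPS, now))
    for finding in export_findings(EXPORTS):
        print("export:", finding)
```

A clip with a hold reference is kept past the window, so the hold itself should be reviewed and cleared when the investigation closes.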

When you should absolutely consult legal

– Facial recognition for access control or HR time-tracking
– Automated decision-making that affects individuals (e.g., auto-banning)
– Shared camera networks or multi-tenant systems
– Large-scale monitoring of public areas
– Any scenario involving minors, schools, or healthcare settings

Even with compliant hardware, the use case determines legality.
A short legal review before rollout costs far less than remediation or ICO action later.

Blended model: cameras + on-site supervision

The most defensible setups combine:

– AI analytics for proactive alerts and evidence
– Manned presence for verification, escalation, and client interaction
– GDPR-compliant documentation (DPIA, privacy notice, training records)

This model aligns with both UK GDPR and the ICO’s Accountability Framework — ensuring human oversight remains central.