What does GDPR-compliant CCTV mean for UK councils?

GDPR-compliant CCTV for a UK council is a public-space surveillance deployment that satisfies UK GDPR, the Data Protection Act 2018, the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012, and the Information Commissioner's Office video-surveillance guidance. Practical requirements include a documented Data Protection Impact Assessment before deployment, a lawful basis recorded against each camera, public signage that identifies the controller, retention schedules that destroy footage typically after 28-31 days unless evidentially required, role-based access with audit logging, encryption in transit and at rest, and procedures for subject access requests. VMukti Cloud VMS ships with DPIA templates, ICO-aligned retention controls, and signed audit trails for councils.


Regulatory stack a council must satisfy

  • UK GDPR + Data Protection Act 2018 — lawful basis, transparency, minimisation, integrity.
  • Surveillance Camera Code of Practice (2013, updated 2021) — twelve guiding principles for public-space surveillance.
  • Protection of Freedoms Act 2012 — establishes the Surveillance Camera Commissioner role.
  • ICO video surveillance guidance — operational detail on signage, retention, SARs.
  • Human Rights Act 1998 — Article 8 right to private life applies to overt and covert surveillance.

What deployment readiness looks like

  1. DPIA per scheme — risks assessed before commissioning, not after.
  2. Public signage — controller identified, purpose stated, contact for SARs.
  3. Retention — default 28-31 days; longer only with documented justification.
  4. Access controls — role-based, named users, MFA on admin accounts.
  5. Audit logging — every export, view, and configuration change recorded.
  6. Subject access process — 30-day response window, redaction workflow.
  7. Data sharing protocols — explicit MOUs with police and partner agencies.

VMukti Cloud VMS compliance features

  • DPIA templates aligned to ICO format
  • Per-camera retention policies enforced at the storage layer
  • AES-256 encryption at rest, TLS in transit
  • Role-based access with MFA support
  • Tamper-evident audit logging exportable to council records
  • Built-in redaction tools for SAR responses (face / number-plate blurring)

Common compliance gaps councils hit

The usual gaps are excessive retention, missing DPIAs for new cameras added to an existing scheme, lack of signage, unrestricted access for partner agencies, and no documented procedure for purging footage when retention expires. A modern cloud VMS removes most of these by enforcing controls in the platform rather than relying on procedure.

Last reviewed: 2026-05-13