CCTV and UK GDPR: a practical guide for retailers
When retailers ask us about GDPR compliance, the conversation usually starts with the same question: *does adding AI to my cameras change my obligations?*
The short answer is: it can, depending on what the AI does. Here's the practical breakdown.
Your existing CCTV obligations
If you're already running CCTV in a retail environment, you're already a data controller under UK GDPR. Your baseline obligations are:
- A valid lawful basis for processing (usually legitimate interests)
- Visible signage informing people CCTV is in operation
- ICO registration (required if you're processing personal data as a controller)
- A retention policy — you can't keep footage indefinitely
- The ability to respond to subject access requests
These don't change when you add Lexerus. We act as your data processor, which means we handle video on your behalf under a Data Processing Agreement.
What AI adds to the picture
The ICO guidance on AI and automated decision-making is relevant here, but it's worth being precise. Lexerus performs *behavioural analysis* — detecting patterns of movement — not *individual identification*. We don't use facial recognition or build persistent profiles of individuals.
This distinction matters. Automated decisions that produce legal or similarly significant effects on individuals require explicit safeguards under Article 22 UK GDPR. Detecting that *someone* in a store is exhibiting suspicious behaviour, and alerting a human staff member to investigate, doesn't meet that threshold.
Where you need to be careful
Camera placement is the most common compliance risk. Cameras that capture footage beyond your premises (public pavements, neighbouring property) or in private areas (changing rooms, bathrooms) create significant liability. Lexerus cannot be used in private spaces.
If you're running a large operation — multiple sites, many cameras, large volumes of data subjects — the ICO recommends completing a Data Protection Impact Assessment (DPIA) before deployment. We can provide documentation to support this process.
The short version
Adding Lexerus to your existing CCTV: likely no new obligations beyond what you already have. Ensure your signage is up to date, your retention policy covers event clips (our default is 30 days), and you have a DPA in place with us. If in doubt, speak to your DPO or contact privacy@lexerus.com.