Law & Powers

GDPR for Security Guards: Body Cams, Notebooks and Data Rights

10 min read· Updated 2026-07-07· Free · No signup

Every incident report, CCTV clip and body-cam recording is personal data under the UK GDPR. The law does not stop you doing your job — it requires that you do it in a way you could defend to the ICO.

Key takeaways

  • Personal data must have a lawful basis for processing.
  • Body-worn cameras need signage, policy and retention limits.
  • Subject Access Requests must be handled within one month.
  • Notebooks are records; treat them as such.

Lawful basis in security

'Legitimate interest' underpins most site-security processing, balanced against the individual's rights. Some categories (health, criminality) need extra conditions.

Body-worn video specifics

Announce recording where practicable, follow the Surveillance Camera Code of Practice, purge footage on the retention schedule (30 days is common), and log any evidence extraction.

Handling a Subject Access Request

Route to the Data Protection Officer or manager immediately. Do not try to answer it yourself. Preserve any potentially responsive footage the moment the request is made.

Quick checklist

  • Body-worn video policy read and understood
  • Retention schedule known
  • SAR escalation route known
  • Notebooks stored securely, not left in vehicles

Common mistakes

  • Copying footage to a personal device.
  • Leaving the notebook on the passenger seat.

Frequently asked questions

Do I need to tell someone I'm filming them?+

Best practice is to inform them; signage is expected. Covert recording is legally very narrow.

How long can footage be kept?+

Only as long as necessary for the stated purpose. 30 days is a common baseline; longer only with a defensible reason.

Related guides