CCTV for Hotels: Guest Privacy, the Law and Getting It Right

Hotels have a surveillance problem most businesses don't. They need some of the most comprehensive CCTV coverage of any commercial property. Lobbies, corridors, lifts, bars, restaurants, car parks, back of house. While hosting hundreds of guests who, quite reasonably, expect privacy. Get the balance wrong in either direction and it costs you. Blind spots leave you exposed to theft, liability and incidents you can't investigate. Cameras in the wrong place leave you exposed to complaints, regulatory action and reputational damage.

Here's how UK hotels stay on the right side of both.

Do hotels have to comply with UK GDPR for CCTV?

Yes. The moment your cameras capture identifiable people which they will, your hotel is a data controller under UK GDPR and the Data Protection Act 2018. That brings obligations a domestic CCTV user doesn't face, and the bar is higher for a business handling the public at scale.

In practice, most hotels must:

• Pay the ICO data protection fee as a registered data controller. The fee is banded by organisation size. Check the current amount on the ICO website.
• Display clear signage telling people CCTV is in operation, who runs it, why, and how to get in touch.
• Have a lawful basis for the surveillance, usually legitimate interests — and be able to justify it.
• Document the system, and for a large or intrusive installation, carry out a Data Protection Impact Assessment (DPIA).

None of this is a reason not to install CCTV. It's a reason to install it deliberately.

Where hotel CCTV can and can't go

This is where most of the risk sits. The principle is simple: cameras belong in shared and operational spaces, never where a guest or member of staff has a heightened expectation of privacy.

Cameras are appropriate in:

• Lobbies, reception and public lounges
• Corridors, lifts and stairwells, including on guest floors
• Bars, restaurants and event spaces
• Car parks, entrances, exits, delivery and service areas
• Back-of-house: kitchens, plant rooms, storage and offices

Cameras are not appropriate in:

• Guest bedrooms : never, under any circumstances
• Bathrooms and toilets
• Spa treatment rooms, changing areas and pool changing facilities
• Anywhere a reasonable person would expect to be unobserved

The grey area is guest-floor corridors. These can be covered, they're shared space but the camera should capture the corridor, not the sightline into a room as the door opens. Position matters.

What the law expects once the cameras are up

Coverage is only half of compliance. Running the system lawfully means:

• Retention with a reason. Keep footage only as long as you genuinely need it. Many hotels settle around 30 days, but there's no fixed legal period, you should be able to justify whatever you choose, and delete on schedule.
• Handling subject access requests. A guest or staff member can ask for footage of themselves. You generally have one month to respond, and you must redact other people who appear.
• Caution with audio. Recording sound is far more intrusive than image alone and much harder to justify. Most hotels should leave it off.
• Extra care monitoring staff. Employees have privacy rights too. Tell them where cameras are and why, and factor staff into your DPIA.

If any of this is unfamiliar, that's the signal to get your installer and your data protection lead in the same room before specifying hardware and not after.

Full coverage without the privacy breach: how it's actually done

Comprehensive coverage and guest privacy aren't in conflict if the system is designed properly from the survey stage. The job is to cover every shared and operational space with no blind spots, while keeping cameras out of private areas entirely and discreet everywhere else.

We did exactly this at The Londoner, the 350-room hotel on Leicester Square owned by Edwardian Hotels London. The brief was 560 cameras covering every public area, corridor, bar, restaurant, the wellness floor and back of house with no coverage of anywhere guests expect to be private, and cameras discreet enough that they disappeared into each space's design. The result is complete situational coverage that doesn't intrude on the guest experience, backed by a video management system that lets the team find any incident in seconds rather than scrubbing through hours of footage.

That's the standard to aim for: not "cameras everywhere," but the right cameras in the right places, specified around both coverage and privacy.

Discretion is part of the guest experience

There's a commercial point underneath the compliance one. In hospitality, visible, clumsy security undermines the product. A camera that's right for a service corridor looks wrong in a five-star bar. Good hotel CCTV is specified with the interior in mind, housing, placement and form factor chosen so the system protects the property without announcing itself to every guest who walks past.

Getting hotel CCTV specified properly

If you operate a hotel in London or the surrounding counties, the safest route is a system designed around your specific property coverage, privacy and guest experience together by a team that has done it in operational hotels before.

That's what we do. See our hotel security and network systems page for the full picture, or book a free site survey and we'll produce a camera schedule mapped to your property including where cameras shouldn't go.

For the wider rules that apply to any business running CCTV, not just hotels, see our guide to CCTV compliance for UK businesses.

This article is general guidance on UK data protection practice, not legal advice. Check current ICO guidance or speak to your data protection adviser about your specific setup.