GDPR Compliant Occupancy Sensors UK — Privacy-First Guide 2026

Meet Butlr

Discover what spatial intelligence can do for you.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Occupancy sensors are increasingly used in UK workplaces, retail, transport hubs and smart buildings to improve space utilisation, energy efficiency and safety. This guide explains how to select, deploy and manage occupancy sensors in a way that aligns with UK data protection law (UK GDPR and the Data Protection Act 2018) and good privacy practice in 2026. It is practical, vendor-agnostic and includes procurement and deployment checklists you can use today.

What is an occupancy sensor — and what are the privacy risks?

An occupancy sensor detects whether people are present in a space. Sensors use different technologies:

Passive infrared (PIR) detects motion or heat changes.
Thermal sensing detects heat signatures without producing visual images.
Radar, ultrasonic and CO2 sensors infer presence via movement or air quality.
Camera-based systems use video or images to detect and count people.

Personal data: any information relating to an identifiable person. If sensor outputs can identify or be linked to a person, they are personal data under UK GDPR.

Common privacy risks:

Identifiability: camera imagery or connected metadata that can identify individuals.
Unnecessary retention: storing raw sensor data longer than needed.
Sensitive inferences: deriving health or behaviour insights that are special category data.
Insufficient transparency: failing to inform people that sensing is happening.
Weak vendor controls: processors lacking contractual and technical safeguards.

UK legal framework in brief

Key points to know:

UK GDPR (post‑Brexit) and the Data Protection Act 2018 govern personal data processing in the UK.
The Information Commissioner’s Office (ICO) provides guidance on privacy-preserving technologies and DPIAs (Data Protection Impact Assessments).
Lawful basis: identify a lawful basis for processing personal data (e.g., legitimate interests, contract, legal obligation, or consent where appropriate).
Special category data: health and biometric data require additional safeguards and lawful conditions.

DPIA: a Data Protection Impact Assessment is a risk assessment required when processing is likely to result in high risk to individuals’ rights and freedoms (for example, systematic monitoring of public areas).

Privacy-first principles for occupancy sensing

Apply these principles when choosing and operating sensors:

Data minimisation: collect only what you need (e.g., counts, not images).
Purpose limitation: state clear, specific purposes and avoid secondary uses.
Edge processing: process raw sensor data locally and only export aggregated results.
Anonymisation where possible: ensure exported data cannot identify individuals.
Retention limits: keep processed data only for the time needed, then securely delete.
Transparency: inform people through notices and signage about sensing and purposes.
Accountability: document decisions, conduct DPIAs, and keep records of processing.
Vendor controls: use contracts that specify security, audit rights and subprocessors.

Anonymisation vs pseudonymisation: anonymisation irreversibly removes identifiers so data no longer relates to an identifiable person (falls outside GDPR). Pseudonymisation replaces identifiers but data can still be re-linked and remains personal data.

Technical features that support GDPR compliance

When evaluating sensor technologies, prioritise features that reduce privacy risk:

Camera-free sensing: avoids capture of images or video that could identify people.
Thermal sensing: detects heat signatures rather than visual likenesses; lower identifiability when implemented correctly.
On-device (edge) processing: converts raw signals into aggregated metrics on the device, limiting data export.
Aggregation and smoothing: report counts or occupancy levels rather than individual tracks.
No persistent identifiers: avoid MAC address monitoring or unique device IDs tied to individuals.
Strong encryption: encrypt data at rest and in transit if any raw or aggregated data leaves the device.
Access controls and audit logs: manage who can view or export data and keep logs.
Configurable retention and deletion: allow administrators to set and enforce retention periods.
Transparency controls: support for signage and privacy notices, and the ability to disable sensing quickly.

Procurement checklist — what to ask vendors

Use this checklist when evaluating suppliers or issuing an RFP:

Does the solution use camera-free sensing (e.g., thermal, radar) or video?
Where is raw data stored and processed — on edge devices, on-premises servers, or cloud?
What raw data is retained, and for how long? Can retention be configured?
Can the device provide only aggregated, anonymised outputs?
Are there technical measures to prevent re-identification?
What encryption and network security standards are used?
Who is the data controller and who is the processor? Is there a standard DPA (Data Processing Agreement)?
Does the vendor support DPIA documentation or provide risk assessments?
What subprocessors or cloud providers are involved, and where are they located?
Does the vendor provide audit logs, access controls, and SOC/ISO certifications?
How are firmware updates and security patches delivered?
Can the system be disabled quickly in a specific area if needed?

Deployment steps — good governance and practical actions

Follow these steps for a GDPR-aligned rollout:

Establish roles and responsibilities: designate a data controller and ensure processors are contractually bound.
Conduct a DPIA: document risks, mitigation measures and residual risk. The ICO offers guidance on when DPIAs are required.
Choose a privacy-first technology: prioritise camera-free, edge-processing devices with configurable retention.
Update privacy notices: publish clear, accessible information about sensing purposes, lawful basis and contact details.
Signage and employee communication: place simple signs at building entrances and communicate internally about the technology and its purpose.
Configure retention and aggregation: set minimal retention and aggregate outputs before export.
Secure the system: enforce encryption, access controls, and regular patching.
Monitor and audit: review logs, access patterns and DPIA outcomes regularly.
Provide opt-out mechanisms if feasible: where lawful basis is consent or for specific requests, implement reasonable opt-out routes.
Train relevant staff: ensure facilities, IT and security teams understand privacy controls and incident procedures.

Handling sensitive cases — health and behavioural inferences

Sensors can sometimes generate inferences that touch on sensitive information (special category data) such as health. Steps to manage these risks:

Avoid designs that infer health status unless there is a clear, lawful basis and strict safeguards.
If processing might produce sensitive inferences, consult legal counsel and the ICO guidance early.
Apply additional safeguards: minimise data, restrict access, and use strict retention and deletion policies.
Consider explicit consent only where practical and meaningful; consent may not always be the best lawful basis for employment or public spaces.

Vendor spotlight — Butlr’s privacy-first positioning

Butlr is an AI company specialising in privacy-first people sensing and spatial intelligence for buildings. Their core offering is a thermal, camera-free sensing platform designed to provide aggregated occupancy and movement insights without traditional video imagery.

For details about Butlr’s technology and compliance approach, see their website: https://butlr.com

When engaging any vendor, request documentation about their privacy features, DPIA support, and data processing agreements. Confirm contract clauses that meet your organisation’s compliance and security requirements.

Conclusion — pragmatic privacy-first occupancy sensing

GDPR-compliant occupancy sensing in the UK is achievable by combining the right technology choices with strong governance and transparent communication. Prioritise camera-free, edge-processed solutions that output aggregated, anonymised metrics; conduct DPIAs; set clear retention and access rules; and contractually bind vendors to data protection obligations. These steps reduce risk, build trust with building users, and unlock the operational benefits of occupancy intelligence without compromising privacy.

Practical tips for facilities and IT teams

Start small: pilot in a low-risk area to validate privacy and technical controls before full rollout.
Document everything: keep records of processing activities, DPIA results and decisions.
Keep stakeholders informed: security, legal, HR and facilities should be aligned on purpose and controls.
Review periodically: reassess the DPIA and retention rules as use cases evolve.
Plan for incidents: have a response plan for data breaches or unauthorised access.

When to seek legal or regulator advice

If sensors capture identifiable images, store biometric data, or create profiles.
If you envisage health inferences or other special category processing.
If you plan to combine sensor data with other datasets (e.g., access logs) that may increase identifiability.
When in doubt, consult your data protection officer (DPO) or external legal counsel and consider contacting the ICO for guidance.

For more information on privacy-first sensing platforms and vendor-specific capabilities, review Butlr’s offering at https://butlr.com and consult ICO guidance on DPIAs and privacy by design.

GDPR Compliant Occupancy Sensors UK: Privacy-First Guide 2026