Under the GDPR you need a reason, or basis for using surveillance cameras. To help you decide, take a look at the options below:
||Perhaps not the best one to rely on, as how can you prove that someone has consented to be filmed. Have they signed anything to say so?
||If you contract out your CCTV to a third-party monitoring service, then this could be what you rely on.
||For some industries like financial services there are regulatory requirements that require CCTV. If this applies to you then this would be your basis.
||This applies if you're using footage to protect life. This would apply to restricted areas which are potentially dangerous, for example edge of train station platforms, near to wild animals or close to machinery.
||To use this as a basis filming has to be in the public interest, to exercise official authority or a basis in the law for the surveillance.
This is a broad category which could include: security of a building, safety of employees, preventing crime, monitoring for health & safety or to improve productivity.
Public sector organisations many not be able to use this as a justification.
More on legitimate interest
If you're planning on using legitimate interest as your justification, then you have to demonstrate that you've balanced individual freedom against your interest. If there's a less intrusive way of achieving your goal then you won't be able to use legitimate interest.
For example, if you're planning on using legitimate interest as a justification for the use of surveillance to prevent misconduct in a business, you need to make your employees aware of this before the system is used.
For sensitive areas like a changing room or bathroom, you'd need a strong justification and additional security measures. For example, the feed from a sensitive area could only be viewed from a secure room and viewed only if there has been an incident.
If you're still unsure of which basis to rely on the ICO have also created a tool for determining this:
ICO lawful basis guidance tool