Access & CCTV · Design Guide

CCTV for SA Businesses — PoE, NVR, Cloud or Hybrid?

Most SA CCTV systems fail the one job they exist for: to help you prosecute. This guide is the design playbook 1ICT uses so your footage stands up in court — and survives load-shedding, theft of the recorder, and POPIA scrutiny.

11 min read Updated July 2026

Design for prosecution — not decoration

Cameras that look impressive but produce unusable footage are worse than no cameras: they create false confidence and legal exposure. The design test is simple: can the footage identify a person (not just detect movement), does it survive theft of the recorder, and does it stand up under POPIA scrutiny?

  • Every entry and exit is covered at head-height with an identification-grade shot.
  • Every till, reception desk and cash-handling point is covered.
  • Every stock room, IT room and comms cabinet has its own camera.
  • Parking-gate cameras include LPR (licence plate recognition).
  • No camera is placed where it captures private spaces (bathrooms, changerooms).

Camera choice by location

  • Entry / reception: 4 MP fixed lens, mounted 2.1–2.4m, with IR to 30m. Face at head-height, not top of hat.
  • Corridors: 4 MP fixed at each end, so anyone walking is captured front and back.
  • Open-plan offices: 6 MP wide-angle from the corner. One camera should not have to cover 200m² — add another.
  • Parking & perimeter: 4–8 MP bullet with true 60m IR, weatherproof housing, PoE+ powered.
  • LPR gate: dedicated LPR camera at a fixed angle and distance, with its own IR illuminator — never rely on a general camera to do LPR.
  • Warehouse: 4 MP domes with 360° or fisheye for wide coverage, supplemented by fixed cameras at aisle ends.
  • Retail till: 4 MP fixed, capturing hands + face + till display in one frame. This is the money shot.

NVR, storage & retention

  • NVR sizing: match channel count (support at least 25% growth), throughput (both incoming stream Mbps and outgoing playback), and drive bays (enterprise-grade drives, not desktop).
  • Drives: Seagate SkyHawk or WD Purple only. Regular desktop drives fail within 12 months of 24/7 write load.
  • RAID: RAID 5 or 6 for anything above 4 drives — a single failure must not lose footage.
  • Retention: 30 days for offices, 60 days for hospitality, 90 days for retail, longer for regulated environments — always driven by risk and POPIA purpose statement.
  • Off-site backup: motion-triggered events pushed to cloud daily. If the NVR is stolen, the footage of the theft is already in the cloud.

PoE, VLAN & bandwidth

  • Dedicated CCTV VLAN. Never share the business LAN. A camera vulnerability must not compromise the office.
  • PoE+ switches sized for the total wattage of every camera plus 30% headroom. Managed switches only.
  • Bandwidth: a 4 MP H.265 camera streams ~4 Mbps peak. A 12-camera system needs ~50 Mbps of internal switching + WAN only for cloud offload.
  • UPS: every NVR + PoE switch on a UPS sized for 4+ hours. Without power, you have nothing.

Cloud vs on-prem vs hybrid

  • Pure on-prem is cheap and bandwidth-friendly, but the NVR is the single point of failure — if it's stolen, footage is gone.
  • Pure cloud (Verkada, Eagle Eye, Rhombus) is beautiful and secure, but each camera continuously uploads at 1–4 Mbps — bandwidth cost dominates on 8+ cameras.
  • Hybrid (recommended for most SA SMEs): on-prem NVR does 24/7 continuous recording; cloud captures motion events and critical zones. Best of both worlds; survives theft; fits SA fibre reality.

POPIA & signage — the compliance bit that keeps you out of court

  • Lawful basis for CCTV is usually legitimate interest (crime prevention, evidence for prosecution). Document it in a CCTV Policy.
  • Signage at every entrance: "CCTV in operation — footage retained for [N] days — contact [DIO] for access requests."
  • Retention: defined in writing, enforced automatically by the NVR, not left to manual purge.
  • Access control on footage: only named individuals can view live or historical. Every access logged.
  • Data-subject access requests: a documented process to search, extract and provide the requester with footage of themselves — within POPIA's 30-day timeline.
  • PAIA manual must list CCTV footage as a record.

Frequently asked questions

How many cameras do we need?

Coverage-driven, not budget-driven. Every entry/exit, every till/reception, every stock room, every parking gate. A typical SA SME office needs 6–14 cameras; a retail branch 10–24; a warehouse 20–60.

PoE or wireless cameras?

PoE. Always, if the wall can be chased. Wireless (Wi-Fi) cameras drop frames, saturate the AP, and die on load-shedding. Reserve wireless for temporary sites or heritage buildings that genuinely cannot take cable.

Cloud NVR or on-prem NVR?

Hybrid wins. On-prem NVR for 24/7 continuous recording (bandwidth-friendly, cheap storage) + cloud backup of motion-triggered events (survives theft of the on-prem NVR). Pure cloud is expensive on SA fibre; pure on-prem is a single point of failure.

How much storage do we need?

Rule of thumb: 4 MP camera at 15 fps H.265 uses ~35 GB/day continuous. For 12 cameras × 30 days retention: ~13 TB. Add 30% headroom. POPIA does not prescribe a retention period — but 30 days is the industry norm for offices, 90 days for retail.

Does POPIA affect our CCTV?

Yes. CCTV footage of identifiable people is personal information. You need: a lawful basis (usually legitimate interest for security), clear signage at every entrance, a defined retention period, restricted access to footage, and a documented process for data-subject access requests.

Which camera brand should we use?

For SA SMEs: Hikvision or Dahua for value + features, Uniview for a middle ground, Axis for enterprise/critical infrastructure. Avoid no-name brands — spare parts, firmware updates and warranty support disappear within 18 months.

Want a CCTV design for your site?

1ICT runs free 60-minute site surveys across Gauteng — you get a camera-by-camera drawing, storage calc, and rand-priced quote.