GDPR and CCTV in the UK: rules for businesses and homeowners

A practical guide to UK GDPR and CCTV — when the rules apply, what businesses must do, when the household exemption protects homeowners, and what the Fairhurst v Woodard case means for smart doorbells.

CCTV captures images of identifiable people, and that makes the footage personal data. As soon as personal data is being processed, UK GDPR and the Data Protection Act 2018 apply — unless one of a narrow set of exemptions covers the situation.

For businesses, the rules are clear and consistent. For homeowners, the situation is more nuanced: a household exemption can apply, but it's easier to lose than most people realise. This guide covers both contexts and where the line sits.

Does GDPR apply to CCTV?

In almost every business setting, yes. If a camera captures recognisable people — staff, customers, contractors, members of the public — the operator is a data controller processing personal data, and UK GDPR applies. The same is true for any technology that captures images or audio: traditional fixed CCTV, automatic number plate recognition (ANPR) systems, body-worn cameras, dash cams in fleet vehicles, drones, and smart doorbells.

There is one important carve-out, sometimes called the "household exemption" under Article 2(2)(c) of the UK GDPR. The regulation does not apply to processing carried out "by a natural person in the course of a purely personal or household activity". For domestic CCTV that records only the homeowner's own property — driveway, garden, the front of the house — the exemption usually applies and GDPR does not.

The household exemption is conditional, not absolute. The moment a domestic camera captures shared space, neighbours' property, the pavement, or a public road, the exemption falls away. From that point, the homeowner is treated as a data controller for everything the camera records.

CCTV requirements for businesses

Any organisation operating CCTV needs to identify a lawful basis for processing under Article 6 of the UK GDPR. For most security applications, that basis is legitimate interests — preventing crime, protecting staff and property, deterring antisocial behaviour. The lawful basis must be supported by a documented assessment that the processing is necessary and proportionate to the purpose.

Several specific obligations follow:

Signage

People need to be told they are being recorded. Visible signs at the entrance to a monitored area should identify the operator, the purpose, and a contact point for queries. The signs are part of meeting the right to be informed under Articles 13 and 14.

Data Protection Impact Assessment

A DPIA under Article 35 is required where CCTV is likely to result in high risk to people's rights and freedoms. Large-scale or systematic monitoring of publicly accessible areas — including most retail and hospitality CCTV — falls into that category.

Retention

Footage should be kept for no longer than is necessary for the stated purpose. Most business CCTV operates on a 7- to 31-day automatic overwrite cycle, with longer retention only for footage relevant to a specific incident.

Access control

Only authorised people should be able to view recorded footage. Live monitoring should be limited to those who need it. The ICO expects access to be logged.

Security

Footage must be stored securely — password-protected recording systems, encrypted storage where appropriate, physical security for any recorders on premises.

Special category data

If the system uses facial recognition or other biometric identification, it processes special category data under Article 9. This requires a separate Article 9 condition, additional safeguards under Schedule 1 of the Data Protection Act 2018, and almost always a DPIA.

The data protection fee

Operating CCTV usually triggers the obligation to pay the ICO's data protection fee, which depends on the size of the organisation.

CCTV that crosses property boundaries — for example, a shop's camera that captures the public street outside — requires extra care. The lawful basis assessment should consider whether the wider field of view is genuinely necessary, or whether the camera could be repositioned or have a privacy mask applied to limit intrusion.

Public bodies have an additional layer of regulation under the Protection of Freedoms Act 2012, which created the Surveillance Camera Code of Practice. The Biometrics and Surveillance Camera Commissioner (BSCC) oversees compliance with the Code in England and Wales. The Code's twelve guiding principles are persuasive rather than binding for private operators, but they reflect what the ICO would expect to see in a well-run system.

Domestic CCTV and the household exemption

For homeowners, the household exemption is the deciding factor. If your cameras record only your own property, GDPR does not apply, and you are not a data controller. You don't need to register with the ICO, you don't need a lawful basis, you don't need a privacy notice. Personal-use CCTV stays personal.

The exemption falls away if cameras capture beyond the property line. This includes:

• A neighbour's garden, drive, or windows.
• A shared space — a communal car park, a shared driveway, a building entrance.
• A public space — the pavement, the road, a passageway.

Once the exemption is lost, every part of GDPR applies. The homeowner becomes a data controller, with all the obligations that brings, and the ICO can investigate complaints and take enforcement action.

In practice, most domestic CCTV captures some shared or public space. A camera covering your front door usually catches the pavement; a camera on the side of the house may capture the next-door garden; a smart doorbell typically records the street. The ICO's published guidance for homeowners reflects this reality and recommends:

• Position cameras to minimise capture of areas outside your property.
• Use privacy masks or zones where the camera software supports them.
• Be transparent with neighbours about the system you have installed.
• Delete recordings as soon as you no longer need them.
• Be prepared to provide footage to anyone who asks for a copy of recordings featuring them.

The Fairhurst v Woodard case

The leading UK authority on domestic CCTV is Fairhurst v Woodard (Oxford County Court, 2021). The dispute arose between two neighbours in Oxfordshire after Mr Woodard installed multiple cameras around his property, including a Ring smart doorbell. Dr Fairhurst, the neighbour, claimed harassment, nuisance, and breach of data protection law.

The court found that several of Mr Woodard's cameras captured images and audio well beyond his property — including the claimant's gate, garden, and parking spaces. The judge held that this took the cameras outside the household exemption and brought Mr Woodard within scope of UK GDPR and the Data Protection Act 2018.

Two findings have proved particularly influential. First, the court took issue with the audio capture range of the Ring doorbell, holding that audio recording of conversations beyond a property boundary was disproportionate to the stated security purpose. Second, the court found that Mr Woodard had misled his neighbour about what the cameras recorded — a breach of the transparency requirement under Article 5(1)(a). Damages of more than £100,000 were awarded across the various heads of claim.

The case did not outlaw smart doorbells. It confirmed that the household exemption is fact-specific and that audio recording deserves particular care. Anyone installing a video doorbell or external camera in a domestic setting should:

• Check what the camera actually records — both video and audio range.
• Adjust the field of view to focus on the owner's property where possible.
• Disable audio recording unless there is a clear reason to keep it on.
• Be honest with neighbours about the camera's capabilities.

The judgment is widely cited in subsequent ICO complaints and is the practical benchmark for how the household exemption is applied in disputes.

Body-worn cameras and dash cams

Body-worn video (BWV) used by businesses — door staff, security guards, delivery couriers — falls squarely within UK GDPR. The same requirements apply as for fixed CCTV: a lawful basis, signage where possible, a clear retention policy, secure storage, and a DPIA where the use creates high risk to individuals.

Domestic dash cams sit in the same category as domestic CCTV. If the dash cam captures only what the driver could see anyway, the household exemption typically applies. If footage is shared online — uploaded to social media or sent to insurers in identifiable form — the processing usually goes beyond personal or household activity and GDPR applies.

Subject access requests for CCTV footage

Anyone who appears on CCTV footage has a right of access under Article 15 of the UK GDPR. They can ask the operator for a copy of footage featuring them, and the operator must respond within one month.

Two practical points often catch operators out. First, footage of other people must be redacted before release — usually by blurring faces or pixelating identifiable features. Second, the standard one-month deadline applies, but the request itself only relates to footage the operator still holds. If the retention cycle has already overwritten the relevant recording, the operator can say so.

Operators should keep a written record of every subject access request, the search performed, and the response given.

Retention periods for CCTV footage

UK GDPR does not set fixed retention periods. The principle of storage limitation requires the operator to keep footage for no longer than necessary for the stated purpose. For most business CCTV, that translates to 7 to 31 days on an automatic overwrite cycle, with longer retention only for footage relevant to an active incident, investigation, or insurance claim.

The retention period should be documented in the operator's policy and reviewed periodically. There is no GDPR-mandated maximum, but the longer footage is held without a clear reason, the harder it is to defend if challenged.

For more on retention generally, see our GDPR data retention guide. For broader scope questions about who GDPR applies to, see our scope guide.

Frequently asked questions

Can my neighbour's CCTV record my property?

If their camera captures your garden, your windows, or you in shared spaces, they are likely outside the household exemption and processing your personal data. They need a lawful basis and must be transparent. If you object, you can raise it with them directly, and if that fails, complain to the ICO.

Do I need a sign for home CCTV?

If your camera records only your own property, no — the household exemption applies. If it captures beyond the boundary, yes. Signs identifying the operator and purpose are part of meeting the right to be informed.

Can I record audio on CCTV?

You can, but audio is particularly intrusive. The Fairhurst v Woodard case found that audio recording beyond a property boundary was disproportionate to a security purpose. Audio should be disabled by default and turned on only where you have a clear, documented reason.

How long can I keep CCTV footage?

For no longer than necessary. Most business systems operate on a 7- to 31-day overwrite cycle. Retain individual recordings longer only where they relate to a specific incident or claim.

Can someone request CCTV footage of themselves?

Yes — anyone who appears on footage can make a subject access request. You have one month to respond and must redact other people from the footage before release.

Do I need to register CCTV with the ICO?

There is no separate "CCTV register". Operating CCTV usually triggers the obligation to pay the ICO's data protection fee, which is separate from any registration in the older sense.