A data breach at an accounting practice is a serious event with regulatory, professional, and commercial consequences. Under UK GDPR, you have 72 hours to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals — and client financial data almost always meets that threshold.

Having a clear, practised breach response plan means you can act quickly and correctly when a breach occurs, rather than losing precious time deciding what to do first.

Defining a data breach

Under UK GDPR, a personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In accounting practice contexts, this includes:

  • A ransomware attack that encrypts client files.
  • A phishing attack that gives an attacker access to email with client correspondence and attachments.
  • An employee sending a client's financial information to the wrong email address.
  • A laptop containing client data being lost or stolen.
  • Unauthorised access to cloud accounting software (for example, through compromised credentials).
  • A third-party supplier (cloud software, document capture tool) suffering a breach that exposes data you had uploaded. The supplier, as your processor, must tell you without undue delay, but the 72-hour clock and the duty to notify the ICO remain yours as controller.

Not every breach requires ICO notification. If the breach is unlikely to result in a risk to individuals, for example a laptop is lost but its disk was fully encrypted and the encryption key or passphrase was not lost with it, notification may not be required; a login password on its own does not protect data on a disk that can be removed and read elsewhere. The assessment of risk to individuals must be made promptly and documented, including the reasons for any decision not to notify.

The 72-hour clock

The 72-hour notification clock starts from when you become "aware" of the breach. ICO guidance (echoed by ICAEW) treats awareness as the point at which you have a reasonable degree of certainty that a breach has occurred: not the moment you first suspect something may be wrong, but once a short initial investigation has confirmed that personal data has been compromised.

In practice, this means you should begin investigating any suspected breach immediately rather than waiting for certainty before starting your response. The initial investigation is not a licence to delay: once the breach is confirmed the clock is running, and if the full investigation cannot be completed inside the window it is better to notify the ICO of an ongoing investigation and update the notification as more information becomes available than to wait for complete information and miss the 72-hour deadline.

The ICO accepts initial notifications that note the investigation is ongoing, and you can provide additional information in phases as it becomes available.

Step-by-step breach response

Step 1: Contain

As soon as a breach is suspected or confirmed, act to prevent it from spreading or worsening:

  • If an account has been compromised, change the password immediately, sign out all active sessions (a password change alone does not end sessions that are already logged in), enable MFA if not already active, and check the mailbox for forwarding or inbox rules the attacker may have added.
  • If a device is actively being accessed by an attacker, disconnect it from the network (unplug the cable or turn off Wi-Fi) but do not power it off, because evidence may be preserved in memory.
  • Revoke API tokens or third-party access if a supplier or integration is suspected to be the source.
  • If ransomware is active, isolate affected systems from the network to prevent spread.

Document what was done, when, and by whom.

Step 2: Assess

Determine what happened, what data is involved, and who is affected:

  • What personal data was involved? (Names, financial records, NI numbers, payroll data, tax records, correspondence?)
  • Whose data was involved? (Which clients, how many individuals?)
  • What is the likely impact on the individuals affected? (Risk of identity fraud, financial loss, reputational damage?)
  • Who caused the breach? (Internal, external attacker, supplier?)
  • Is the breach ongoing, or has it been contained?

This assessment determines: whether ICO notification is required, whether client notification is required, and the severity of the regulatory exposure.

Step 3: Notify the ICO (if required)

If the breach is likely to result in a risk to the rights and freedoms of individuals, notify the ICO within 72 hours of becoming aware. The notification is made through the ICO's online reporting tool.

The notification should include:

  • A description of the nature of the breach (including categories and approximate number of individuals affected).
  • Contact details for the Data Protection Officer or relevant contact.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.

If you do not have all the information within 72 hours, submit an initial notification with what you know and confirm that further information will follow.

Step 4: Notify affected individuals (if required)

If the breach is likely to result in a high risk to the rights and freedoms of individuals — for example, if there is a serious risk of identity fraud, financial loss, or other significant harm — you must notify the affected individuals directly without undue delay.

The notification should explain: what happened, what data was involved, the likely consequences, and what you are doing to address the breach and mitigate its effects.

For accounting practices, client notification following a breach of financial data is almost always appropriate even if not strictly required under GDPR, because clients need to take protective action (monitoring credit reports, alerting their banks, changing passwords) and because transparency maintains professional trust.

Step 5: Remediate

Once the immediate breach is contained and notifications made, address the underlying vulnerability:

  • Patch the software or system that was exploited.
  • Strengthen access controls (enforce MFA, review user permissions).
  • Conduct staff training if the breach resulted from human error (phishing click, misdirected email).
  • Review and update contracts with any third-party suppliers involved.
  • Conduct a post-incident review and update your breach response plan.

Step 6: Document

Document everything: the timeline of events, the decisions made and their basis, the notifications sent, and the remediation steps taken. The ICO may request this documentation. Your professional indemnity or cyber insurer will need it. It is also your evidence that you responded appropriately if clients or regulators question your handling of the breach.
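Steps 1 to 6 above boil down to two things a practice must get right: knowing exactly when the 72-hour window ends, and keeping a what/when/who record that cannot be quietly rewritten afterwards. The following is an added example, not code from the article: a small Python breach record that computes the ICO deadline from a timezone-aware "aware" timestamp (a naive timestamp is rejected, because the BST/UTC offset would silently shift the deadline), keeps the timeline as a hash chain so any edited or removed entry is detected, and maps the Step 2 risk finding to the Step 3 and Step 4 duties. The incident reference scheme, the staff names and the timestamps in the walk-through are all constructed for illustration.

```python
"""Tamper-evident breach timeline with the UK GDPR 72-hour deadline.

Added example, not code from the article. Assumes one BreachRecord per
incident, with 'aware_at' recorded as the moment the breach was confirmed
(not first suspected). Reference scheme and names are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # Article 33 UK GDPR notification window
GENESIS = "0" * 64                # prev-hash of the first timeline entry


def _utc(dt: datetime) -> datetime:
    """Reject naive timestamps; a local time without a zone shifts the deadline."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so field order cannot matter."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass
class BreachRecord:
    reference: str                     # internal incident reference (assumed scheme)
    aware_at: datetime                 # when the breach was confirmed
    entries: list[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.aware_at = _utc(self.aware_at)

    @property
    def ico_deadline(self) -> datetime:
        return self.aware_at + ICO_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left to notify the ICO; negative once the window has passed."""
        return (self.ico_deadline - _utc(now)) / timedelta(hours=1)

    def log(self, when: datetime, who: str, action: str) -> dict:
        """Append a what/when/who entry chained to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"when": _utc(when).isoformat(), "who": who, "action": action, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def notifications_required(risk: str) -> dict[str, bool]:
    """Map the Step 2 risk finding to the Step 3 and Step 4 duties.

    'none' -> record internally only
    'risk' -> notify the ICO within 72 hours
    'high' -> notify the ICO and the affected individuals
    """
    levels = {"none": 0, "risk": 1, "high": 2}
    if risk not in levels:
        raise ValueError(f"unknown risk level: {risk!r}")
    return {"ico": levels[risk] >= 1, "individuals": levels[risk] >= 2}


def demo() -> BreachRecord:
    """Constructed walk-through of the steps for a phished mailbox."""
    aware = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    rec = BreachRecord("INC-0001", aware)
    rec.log(aware, "J. Smith", "Step 1: mailbox password reset, sessions revoked, MFA enforced")
    rec.log(aware + timedelta(hours=3), "J. Smith", "Step 2: 40 client tax records exposed; risk = high")
    rec.log(aware + timedelta(hours=30), "A. Jones", "Step 3: initial ICO notification submitted")
    rec.log(aware + timedelta(hours=31), "A. Jones", "Step 4: client notifications sent")
    return rec


if __name__ == "__main__":
    record = demo()
    print("ICO deadline:", record.ico_deadline.isoformat())
    print("timeline intact:", record.verify())
    print(notifications_required("high"))
```

The hash chain is not a substitute for keeping the record somewhere the attacker cannot reach (a copy outside the compromised environment, or with the insurer or external responder), but it does give the ICO or an insurer a simple way to confirm that the timeline they are shown is the one that was written at the time.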

Internal breach response plan

Every accounting practice should have a written breach response plan that defines:

  • Who is the first point of contact when a breach is suspected (the designated Data Protection Officer or named responsible person).
  • What the initial containment steps are for the most likely breach scenarios.
  • Who approves the decision to notify the ICO.
  • Who drafts client notifications.
  • Contact details for the cyber insurer's incident response helpline.
  • Contact details for an external IT forensics or cyber incident response firm (useful to have pre-selected before you need them).
  • The ICO online reporting tool URL.

The plan should be tested at least annually; a tabletop exercise where the team walks through a realistic breach scenario is sufficient for most small practices.

Key takeaways

  • A data breach includes any unauthorised access, disclosure, or loss of personal data — phishing, ransomware, lost devices, misdirected emails, and supplier breaches all qualify.
  • The 72-hour ICO notification clock starts when you become aware the breach has occurred, not when it is fully investigated — begin response immediately.
  • The breach response sequence is: contain, assess, notify ICO (if required), notify individuals (if required), remediate, document.
  • Have a written breach response plan with named contacts, containment steps, and insurer contact details — the time to plan is before an incident, not during one.
  • Document everything throughout the response — timeline, decisions, notifications, and remediation steps — as the ICO and your insurer will request this information.

Frequently asked questions

When do I have to notify clients about a data breach?

You must notify affected clients directly when the breach is likely to result in a high risk to their rights and freedoms — that is, a serious risk of harm such as identity fraud, financial loss, discrimination, or significant distress. For accounting practices, a breach involving client tax records, bank details, or payroll information almost always meets this threshold. Notify clearly and promptly, explaining what happened and what clients should do to protect themselves.

What happens if I don't notify the ICO within 72 hours?

Failure to notify the ICO within 72 hours without a valid reason can result in enforcement action and a fine, separate from any fine related to the underlying breach; where a notification is late, UK GDPR requires it to be accompanied by the reasons for the delay. The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious breaches of UK GDPR. In practice, the ICO considers the circumstances: a practice that investigated promptly but took slightly longer to notify because of the complexity of the incident is treated differently from one that knew about a breach and delayed notification to avoid regulatory scrutiny.

Should I pay a ransomware demand?

Do not pay a ransomware demand without consulting your cyber insurer and a specialist ransomware response firm. Reasons: payment does not guarantee recovery of data, paying encourages further attacks, and a payment may itself breach UK (OFSI) or US (OFAC) sanctions if the attacker is a designated person or group. Contact your cyber insurer's incident response helpline immediately, as they have specialist negotiators and recovery teams and will advise on the best course of action, and report the attack to Action Fraud.

Do I need to notify HMRC if client tax data is breached?

There is no specific obligation to notify HMRC of a data breach under UK GDPR. Your obligation is to notify the ICO and, where required, affected individuals. However, if the breach may have resulted in fraudulent use of client tax information — for example, if an attacker may have accessed Government Gateway credentials or filed fraudulent returns — you should advise affected clients to notify HMRC and take protective action on their accounts.

What is a tabletop exercise and how do I run one for my practice?

A tabletop exercise is a discussion-based simulation of a breach scenario. The practice principal or manager presents a scenario ("We have received an email from an employee saying they clicked a link in an email and their computer is now showing a ransomware message") and the team works through the response: who does what first, what decisions need to be made, who makes them, and what the process is. The discussion identifies gaps in the plan, ensures everyone knows their role, and builds confidence. A one-to-two hour tabletop exercise once a year is appropriate for most small practices.