UK GDPR, implemented through the Data Protection Act 2018, applies to every accounting firm in the UK, regardless of size. If you process personal data about clients, employees, or any other individuals, you have legal obligations around how you collect, store, use, and delete that data.
Non-compliance carries real consequences: for serious breaches, ICO fines of up to £17.5 million or 4% of global annual turnover (whichever is higher), reputational damage, and, for regulated practitioners, potential implications for your practising certificate. This guide sets out what UK GDPR requires of accounting firms and what you need to do in practice.
Lawful basis for processing client data
Every time you process personal data, you need a lawful basis for doing so. UK GDPR sets out six lawful bases; the most relevant for accounting firms are:
- Contract: processing is necessary to perform a contract with the individual. This covers processing client personal data to prepare their tax return, payroll, or accounts.
- Legal obligation: processing is required to comply with a legal obligation. This covers retaining records as required by HMRC or the Companies Act, and processing payroll data under RTI requirements.
- Legitimate interests: processing is necessary for your legitimate interests, provided those interests are not overridden by the individual's rights. This may apply to certain marketing activities or client relationship management, but requires a legitimate interests assessment (LIA).
- Consent: the individual has given clear, specific, freely given, and informed consent. Consent is rarely the right basis for core accounting services; contract or legal obligation is usually more appropriate. However, it may apply to optional communications such as newsletters.
You must identify the lawful basis before processing begins, document it, and be able to explain it to clients or the ICO if asked. You cannot swap lawful bases after the fact.
Privacy notices and transparency
UK GDPR requires you to give individuals clear information about how you process their personal data, typically through a privacy notice. Your privacy notice must cover:
- Your firm's name and contact details
- Your Data Protection Officer's details (if you have one)
- What personal data you collect and why
- The lawful basis for each type of processing
- How long you retain data
- Whether you share data with third parties (including cloud software providers, HMRC, and Companies House)
- Individual rights under UK GDPR (see subject access requests below)
- The right to complain to the ICO
Provide the privacy notice at the point of engagement, typically alongside your engagement letter or terms of business. Publish a version on your website. Review and update it whenever your processing activities change.
Data retention periods for accounting records
UK GDPR requires you to keep personal data only for as long as necessary. For accounting firms, this must be balanced against legal retention requirements set by HMRC and company law:
- HMRC records (self-assessment): individuals must keep records for at least 22 months from the end of the tax year the return relates to. For business records (sole traders, partnerships), this extends to five years from the 31 January filing deadline.
- HMRC records (company accounts): companies must keep records for six years from the end of the accounting period.
- Companies Act 2006: private companies must retain accounting records for six years from the date they were made; public companies for ten years.
- VAT records: must be kept for six years (or ten years if you use the VAT MOSS scheme).
- Payroll records: HMRC requires payroll records to be kept for three years from the end of the tax year to which they relate, though many practices keep them for six years to align with other retention periods.
After the applicable retention period, personal data should be securely deleted or anonymised. Document your retention schedule in writing and apply it consistently. Retaining data indefinitely "just in case" is not compliant with UK GDPR.
Subject access requests
Under UK GDPR, individuals have the right to request a copy of all personal data you hold about them. This is called a subject access request (SAR). Key points for accounting firms:
- You must respond within one calendar month of receiving the request.
- You cannot charge a fee in most circumstances.
- You must provide the data in a commonly used electronic format if the request was made electronically.
- You may extend the deadline by two further months if the request is complex or you have received multiple requests from the same individual, but you must notify the individual within the first month.
- You can refuse a request that is manifestly unfounded or excessive, but you must be able to justify this and tell the individual they can complain to the ICO.
Be aware that a SAR may come from a client, a former client, an employee, or any other individual. Have a process in place for receiving, logging, and responding to SARs. Failing to respond within the deadline is a breach of UK GDPR.
Individuals also have the right to erasure ("right to be forgotten") in certain circumstances, the right to rectification of inaccurate data, and the right to restrict processing. Your privacy notice should explain all of these rights.
Data breach notification
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples relevant to accounting firms include:
- Ransomware encrypting client files
- An email sent to the wrong recipient containing client personal data
- A laptop or USB drive containing unencrypted client data being stolen or lost
- An unauthorised person gaining access to your practice management system
If a breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. The ICO's online reporting tool is available at ico.org.uk. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly, without undue delay.
Not all breaches need to be reported to the ICO: if the breach is unlikely to result in a risk to individuals (for example, you briefly lost an encrypted laptop that was immediately recovered), you do not need to report but must document your reasoning. Keep a breach log recording all incidents, their impact assessment, and the actions taken, even where no notification was required.
DPO requirements and legitimate interests
Data Protection Officer
Most accounting firms are not required to appoint a Data Protection Officer (DPO). A DPO is mandatory only where processing is carried out by a public authority, where core activities require large-scale systematic monitoring of individuals, or where core activities involve large-scale processing of special category data (such as health data).
Client financial data is generally not special category data. However, if your firm handles employee health data in the context of payroll or sick pay, or processes data on behalf of healthcare clients at scale, you should take advice on whether a DPO is required.
Even without a mandatory DPO, it is good practice to designate a named individual within your firm who is responsible for data protection compliance, keeps policies up to date, and acts as the point of contact for ICO enquiries and SARs.
Legitimate interests assessment
If you rely on legitimate interests as your lawful basis, you must carry out a legitimate interests assessment. This is a three-part test: identify the legitimate interest, demonstrate the processing is necessary, and balance your interests against the individual's rights and reasonable expectations. Document the assessment and review it if your processing activities change. The ICO has a template LIA on its website.
Practical steps for sole practitioners and small firms
UK GDPR applies to sole practitioners just as it does to large networks. However, the ICO recognises that compliance should be proportionate to the scale and nature of processing. For a sole practitioner with a small client base, the following minimum steps are recommended:
- Register with the ICO as a data controller and pay the annual fee. Check whether you qualify for an exemption at ico.org.uk.
- Write a simple privacy notice and send it to clients with your engagement letter. A one-page document covering the points above is sufficient for most small practices.
- Map your data flows: write down what personal data you hold, where it is stored (which software, which devices), how long you keep it, and who you share it with. A simple spreadsheet is fine.
- Document your lawful bases for the main types of processing your firm carries out.
- Implement appropriate security measures: at minimum, full-disk encryption, MFA on all key systems, and a secure method of sharing documents with clients.
- Create a retention and deletion schedule aligned with HMRC and Companies Act requirements.
- Know what to do in a breach: have the ICO's contact details and reporting process noted somewhere accessible so you can act within the 72-hour window.
The ICO's SME web hub at ico.org.uk provides free resources specifically for small organisations. ICAEW and ACCA also publish data protection guidance tailored to accounting practices, which is worth reviewing alongside this guide.