UK GDPR (the UK's post-Brexit version of the EU General Data Protection Regulation) applies to every accounting firm that processes personal data — which means every accounting firm in the UK. As data controllers processing client financial records, payroll data, and personal identifiers, accounting practices have specific obligations that go beyond what many smaller firms have implemented.

This guide covers the core GDPR requirements that apply to UK accounting practices, the most common compliance gaps, and practical steps to address them.

Your role as a data controller

An accounting firm is a data controller — it determines the purposes and means of processing personal data. This role carries the primary compliance burden under UK GDPR. The firm (not the software providers, not the cloud services, not the clients) is responsible for ensuring that all personal data processing meets the legal requirements.

As a data controller, your obligations include:

  • Having a lawful basis for every type of personal data processing you undertake.
  • Providing privacy notices to data subjects explaining how their data is processed.
  • Maintaining a Record of Processing Activities (ROPA).
  • Entering into Data Processing Agreements with any third parties (data processors) that process personal data on your behalf.
  • Implementing appropriate technical and organisational security measures.
  • Handling data subject rights requests (access, erasure, rectification, restriction).
  • Notifying the ICO and affected individuals of qualifying personal data breaches.

These obligations apply regardless of practice size. The ICO does not exempt smaller businesses from UK GDPR compliance.

Lawful basis for processing

Every processing activity must have a lawful basis. For accounting firms, the most relevant bases are:

Contract: processing necessary for the performance of a contract with the data subject. If you are engaged to prepare a client's self assessment tax return, processing their income data is necessary to perform that contract.

Legal obligation: processing necessary for compliance with a legal obligation. Anti-money laundering checks (client due diligence, PEP and sanctions screening) are required by the Money Laundering Regulations 2017 — you have a legal obligation to conduct them.

Legitimate interests: processing necessary for the legitimate interests of the firm or a third party, unless those interests are overridden by the data subject's interests or fundamental rights. Maintaining client records after the engagement ends (for the statutory retention period) and sending marketing to former clients are examples where legitimate interests may apply.

Consent: freely given, specific, informed, unambiguous consent. Consent is the weakest lawful basis and should not be used where another basis applies — it can be withdrawn at any time.

Document the lawful basis for each processing activity in your ROPA. If you cannot identify a clear lawful basis, you should not be conducting the processing.

Privacy notices

Your privacy notice (or privacy policy) must inform clients how you use their personal data. It must be provided at or before the point of data collection — in practice, this means including a link to your privacy notice in your engagement letter and on your website.

A compliant privacy notice for an accounting firm must include:

  • The identity and contact details of the data controller (the firm).
  • The categories of personal data collected.
  • The purposes of processing and the lawful basis for each purpose.
  • Who the data is shared with (including third-party processors and HMRC).
  • How long the data is retained.
  • The data subject's rights under UK GDPR.
  • The right to complain to the ICO.
  • Whether data is transferred outside the UK and the safeguards in place.
  • Contact details for making rights requests.

Review your privacy notice now. If it was written before 2020, it almost certainly needs updating — particularly to reflect cloud software use, AI tool use, and any changes to your data sharing arrangements.

Record of processing activities

The ROPA is a documented record of all your data processing activities. It is mandatory for organisations with 250 or more employees, and for any organisation whose processing activities are not occasional, involve special category data, or could result in a risk to the rights and freedoms of individuals.

In practice, the ICO recommends all data controllers maintain a ROPA as part of demonstrating accountability. For accounting firms processing financial data, tax records, and payroll information, maintaining a ROPA is clearly best practice even if not strictly mandatory by size.

Your ROPA should record for each processing activity:

  • Name and contact details of the controller.
  • Purpose of processing.
  • Categories of data subjects.
  • Categories of personal data.
  • Categories of recipients (including processors).
  • Transfers to third countries.
  • Retention periods.
  • Security measures.

Many accounting firms are missing the ROPA entirely or have a document that has not been updated to reflect current software use (particularly AI tools and cloud integrations added in recent years).

Data Processing Agreements

Any third party that processes personal data on your behalf — cloud accounting software, payroll software, document capture tools, practice management platforms, AI writing tools — is a data processor. Under UK GDPR, every processor relationship must be governed by a written Data Processing Agreement (DPA).

The DPA must specify:

  • The subject matter and duration of the processing.
  • The nature and purpose.
  • The type of personal data and categories of data subjects.
  • The obligations and rights of the controller.

Conduct an audit of your software and service providers to identify which have a DPA in place, which need one, and which may not be able to provide one (and should therefore not be used for personal data processing).

Common gaps: AI writing tools (particularly consumer-tier tools without business accounts), productivity and collaboration tools, and specialist accountancy tools that have been added recently without formal procurement due diligence. For more on managing AI tools and technology for UK accountants safely within your GDPR obligations, see our AI and Tech hub.

Data retention and deletion

You must not keep personal data for longer than necessary for the purpose for which it was collected. For accounting firms, this requires balancing professional retention obligations (HMRC recommends keeping business records for six years from the accounting period; Companies House requires statutory records for six years; anti-money laundering regulations require client due diligence records for five years) against the data minimisation principle.

Define a retention schedule for each category of client data. When the retention period expires, delete or anonymise the data promptly. This applies to paper records as well as electronic records, and to data held in all locations — accounting software, email, document storage, cloud backup.

Data subject rights

UK GDPR gives individuals rights over their personal data. The most commonly exercised rights in accounting practice contexts are:

Right of access: an individual can request a copy of all personal data you hold about them and information about how it is processed. You must respond within one month. This is particularly relevant for former clients requesting their complete records, or for individuals who are the subject of a data breach notification.

Right to erasure: an individual can request deletion of their personal data in certain circumstances. This right is not absolute — it does not apply where processing is necessary for legal compliance (your AML records must be retained for five years regardless of a deletion request) or for the establishment, exercise, or defence of legal claims.

Right to rectification: an individual can request correction of inaccurate personal data.

Right to restrict processing: an individual can request that you restrict processing of their data in certain circumstances.

Train your staff to recognise data subject rights requests and to route them to the responsible person. You have one month to respond, starting from receipt of the request.

Key takeaways

  • UK GDPR applies to every accounting firm — firm size does not exempt practices from the requirements.
  • Document the lawful basis for each processing activity in your ROPA — processing without a clear lawful basis is non-compliant.
  • Every third-party processor (cloud software, AI tools, payroll software, document capture) must have a signed Data Processing Agreement before you process client personal data through their systems.
  • Maintain a ROPA that reflects your actual current software use — the most common gap is failure to include AI tools and cloud integrations added in recent years.
  • Define and enforce a data retention schedule; personal data must not be kept longer than necessary for the purpose for which it was collected.

Frequently asked questions

Is a sole trader accounting firm subject to UK GDPR?

Yes. UK GDPR applies to all data controllers that process personal data, regardless of size. A sole practitioner who processes client tax records, payroll data, and personal identifiers is a data controller and must comply with the full UK GDPR framework.

Does UK GDPR apply differently to my practice post-Brexit?

The UK incorporated the EU GDPR into domestic law as the UK GDPR, which came into force on 1 January 2021. The UK GDPR is essentially identical to the EU GDPR, with some modifications to reflect the UK's post-Brexit status. For UK-based accounting practices with clients only in the UK, the UK GDPR is the applicable law. Practices with EEA clients or data flows to the EEA may also need to consider EU GDPR compliance.

Do I need to register with the ICO?

Most UK businesses that process personal data must register with the ICO as a data controller, at a cost of £40 to £60 per year depending on organisation size. There are limited exemptions. An accounting firm that processes client data for professional purposes is unlikely to qualify for an exemption. Check your registration status on the ICO's registration self-assessment tool.

What is the maximum fine for GDPR non-compliance?

The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious infringements of the UK GDPR. For most small accounting practices, the ICO is more likely to issue a warning, undertaking, or smaller penalty for a first substantive breach. Repeat violations or deliberately non-compliant behaviour attract more significant enforcement action.

How do I handle a client who wants all their data deleted when they leave?

A right to erasure request from a departing client must be assessed against the specific circumstances. You are not required to delete data where retention is necessary to comply with a legal obligation (AML records for five years, tax records for six years) or to establish or defend legal claims. Explain to the client which data you must retain and why, delete any data that does not fall within a legitimate retention basis, and document your response and the basis for it.