Secure file sharing means exchanging documents with clients through channels that protect the confidentiality of the information in transit and at rest, require proper authentication, and provide an audit trail. For accounting firms handling tax records, payroll files, bank statements, and personal financial information, using insecure methods — unencrypted email attachments, consumer file-sharing services, or USB drives — creates GDPR risk and professional liability exposure.
This guide covers the secure file sharing options available to UK accounting practices, how to choose between them, and how to transition clients away from insecure methods.
Why insecure file sharing is a real risk
Email is not encrypted end-to-end by default. An email containing a client's tax return, payroll file, or bank statements travels through multiple servers between sender and recipient. If any of those servers or the network connection between them is compromised, the content of the email and its attachments is accessible in plain text.
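To make that hop chain concrete, the following is an added Python example (not from the original guide) that reads a message's Received headers and flags hops where the receiving server recorded no TLS; the message, hostnames and addresses are constructed for illustration, and the script is an assumed way a practice's IT support might check, not a tool the guide recommends.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture). Servers prepend Received
# headers, so the first one listed is the most recent hop: the client's mail
# server delivering into the practice's own server over TLS. The second is the
# earlier hop from the client's laptop into their provider, recorded without TLS.
SAMPLE_EMAIL = """\
Received: from mail.client-example.com (mail.client-example.com [192.0.2.10])
        by mx.practice-example.co.uk with ESMTPS id 4k7Qz1
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:00 +0000
Received: from laptop.client-example.com (unknown [198.51.100.5])
        by mail.client-example.com with ESMTP id 9xT2a;
        Mon, 1 Jan 2024 09:59:00 +0000
From: client@client-example.com
To: accounts@practice-example.co.uk
Subject: 2023-24 tax return documents

Attached: P60 and bank statements.
"""

# "from <host> ... by <host> ... with <protocol>" is the common trace-line shape.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def received_hops(raw_message):
    """Return the hop chain, oldest first, as (from, by, protocol, tls_seen).
    tls_seen is a heuristic: ESMTPS, or a TLS version in the trace text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = str(header)
        m = HOP_RE.search(text)
        if not m:
            continue  # unparseable trace line: skip rather than guess
        src, dst, proto = m.groups()
        tls_seen = "ESMTPS" in proto.upper() or "TLS" in text.upper()
        hops.append((src, dst, proto, tls_seen))
    return hops


def plaintext_hops(raw_message):
    """Hops where no transport encryption was recorded at all."""
    return [(src, dst) for src, dst, _, tls in received_hops(raw_message) if not tls]


if __name__ == "__main__":
    for src, dst, proto, tls in received_hops(SAMPLE_EMAIL):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'PLAINTEXT'})")
    print("Hops without TLS:", plaintext_hops(SAMPLE_EMAIL))
```

Only the Received line written by your own mail server can be trusted; the earlier lines were written by systems on the sender's side. Even when every hop shows TLS, each server decrypts the message before relaying it, which is why the guide treats standard email as not end-to-end encrypted.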
Consumer file-sharing services (Dropbox free tier, Google Drive personal, WeTransfer free) do not provide the security controls or data processing agreements required for GDPR-compliant personal data processing. Many do not encrypt files at rest with keys the customer controls, and their data retention and deletion practices may not align with your obligations.
USB drives containing client data are frequently lost. Unencrypted USB drives with sensitive client data are a particularly common source of ICO breach investigations against professional firms.
The risk is not hypothetical. The ICO has taken enforcement action against professional services firms following data breaches caused by unencrypted email attachments, insecure file sharing services, and lost USB drives.
Secure file sharing options for accounting practices
Client portals (purpose-built accounting solutions)
Client portals integrated into practice management platforms are the most secure and most professional file sharing solution for accounting firms:
TaxDome: encrypted client portal with access controls, document request workflows, e-signature, and a full audit trail. Files are accessible only to the specific client and their authorised practice contacts. Data Processing Agreement available.
Karbon: document management and sharing within the Karbon practice management platform. Files shared through Karbon's client portal are encrypted and access-controlled.
Glide: UK-developed client portal focused on document sharing and e-signature. Clean, professional interface for clients; secure by design for accounting practice use.
Iris SmartPortal / PortalDocs: client portal options within the Iris practice management ecosystem.
Purpose-built portals have several advantages: they are designed for accounting firm workflows, the client-facing interface is professional and branded, documents are organised by client, and the platform handles GDPR compliance for file storage and transmission.
Business-grade cloud storage
Business-tier versions of mainstream cloud storage services provide appropriate security controls for accounting document sharing:
Microsoft SharePoint / OneDrive for Business: for practices on Microsoft 365, SharePoint provides encrypted, access-controlled document sharing with a compliant DPA (the Microsoft Data Processing Agreement). Sharing via a SharePoint link requires the recipient to authenticate before accessing the file. OneDrive for Business is covered by the same terms.
Google Drive for Workspace: for practices on Google Workspace, Drive for Workspace provides business-grade encrypted storage covered by the Google Workspace DPA. Sharing can be configured to require Google account authentication.
Dropbox Business: Dropbox Business (not the free or personal tier) provides appropriate security controls and a GDPR-compliant DPA for business use.
The key distinction in every case: the consumer/free tier is not appropriate for client financial data; the business tier provides the necessary security controls and DPA.
Encrypted email extensions
For practices that want to use email but with end-to-end encryption for sensitive attachments, email encryption tools add a security layer:
Microsoft 365 Message Encryption (OME): available within Microsoft 365, OME encrypts email and attachments so that only the intended recipient (who must authenticate through a Microsoft account or a one-time passcode) can open the encrypted message. The recipient does not need to be on Microsoft 365.
Virtru: an email encryption add-on compatible with Gmail and Microsoft 365, designed to be user-friendly with no recipient setup required. Files are encrypted and can be revoked after sending.
These tools are useful for ad hoc encrypted transmission but are less efficient for ongoing document exchange than a purpose-built portal.
Secure file transfer (SFTP / MFT)
For practices with technical resources and high-volume file transfer requirements, SFTP (Secure File Transfer Protocol) or managed file transfer (MFT) solutions provide highly secure file transmission. These are more complex to set up and typically require technical knowledge to operate — they are more suited to larger practices or those with IT support.
What not to use
Unencrypted email attachments: do not send sensitive client financial documents (tax returns, payroll files, bank statements, personal financial data) as unencrypted email attachments. This applies to both sending to clients and receiving from clients.
Consumer file-sharing services: WeTransfer free, Dropbox free/personal tier, Google Drive personal, and similar consumer services lack the GDPR-compliant DPAs required for processing client personal data.
Unencrypted USB drives: never store client financial data on an unencrypted USB drive. If USB drives are used for any purpose, use hardware-encrypted drives (BitLocker-compatible for Windows, FileVault-compatible for Mac) with a password.
Personal WhatsApp or messaging apps: WhatsApp personal, iMessage, and similar consumer messaging apps are not appropriate channels for exchanging client financial documents. WhatsApp Business has different terms but still requires assessment of GDPR compliance before use with client data.
Transitioning clients to secure file sharing
The practical challenge of secure file sharing is client adoption. Clients who have been emailing tax documents and payroll files for years will not naturally change without guidance.
Explain the reason, not just the rule: clients are more likely to cooperate when they understand why the change matters. Explain that the new approach protects their personal financial information from interception, in language appropriate to the client (not in technical GDPR jargon).
Make the alternative easy: the new method must be nearly as easy as the old one, or clients will revert. Client portals with mobile apps, one-click document request links, and simple upload interfaces remove most of the friction.
Start with new clients: building secure file sharing into the onboarding process for new clients is significantly easier than transitioning established clients. Make it the default from the start of new engagements.
Gradual transition for existing clients: for digitally capable existing clients, a short email explaining the change, why it is happening, and how to use the new system is usually sufficient. For less digitally capable clients, a brief phone walkthrough is more effective than written instructions alone.
Clear policy in engagement letters: include a clause in your engagement letter specifying the approved methods for document exchange. This sets expectations at the start of the relationship and provides a basis for enforcing the policy if clients resist.
For more on AI tools and technology for UK accountants, including how client portal automation can streamline the transition to secure document exchange, see our AI and Tech hub.
Key takeaways
- Unencrypted email attachments, consumer file-sharing services, and unencrypted USB drives are not acceptable for exchanging client financial documents — they expose client data and create GDPR and professional liability risk.
- Purpose-built client portals (TaxDome, Karbon, Glide) are the most secure and professionally appropriate solution for ongoing client document exchange.
- Business-tier versions of Microsoft SharePoint, Google Drive for Workspace, and Dropbox Business are GDPR-compliant alternatives when used with appropriate DPAs.
- Microsoft 365 Message Encryption and Virtru add end-to-end encryption to email for ad hoc secure transmission of sensitive documents.
- Transition clients by explaining the reason, making the alternative easy, and including approved document exchange methods in your engagement letter.
Frequently asked questions
Is email ever acceptable for exchanging client financial documents?
Email with business-grade end-to-end encryption (Microsoft 365 Message Encryption, Virtru) is acceptable for ad hoc secure transmission. Standard unencrypted email is not appropriate for sensitive client financial documents. For ongoing document exchange, a client portal is more practical and more secure than encrypted email.
Does my client need to create an account to use a client portal?
This varies by platform. TaxDome and Glide allow clients to access their portal without creating a full account — they authenticate via a link sent to their email. Karbon and some others may require a simple account creation. For most clients, the one-click access approach removes the most common barrier to portal adoption.
Can I use WhatsApp for sending client documents?
WhatsApp Business (not personal WhatsApp) has different terms and uses end-to-end encryption for messages. However, WhatsApp Business messages are backed up to cloud storage (Google Drive or iCloud) by default, which introduces additional data residency questions. WhatsApp Business is not purpose-designed for professional document exchange and lacks the audit trail, access controls, and document management features of a client portal. It is not recommended for client financial document exchange.
What should I do if a client insists on emailing sensitive documents?
Provide a clear, professional explanation of the security risk and the firm's data protection obligations. Most clients accept the rationale once it is explained. If a client persistently refuses to use a secure method, document their refusal and your explanation, and include a note in your engagement terms that documents transmitted by the client via unsecured email are transmitted at their own risk. Do not respond in kind by sending sensitive documents back via unencrypted email.
Are scanned paper documents acceptable for submitting to a client portal?
Yes — scanned paper documents uploaded to a client portal or secure business cloud storage are acceptable. The security protection applies to the digital transmission and storage, not to the origin format of the document. Advise clients to scan and upload rather than photograph (lower quality) or mail paper originals (slower and subject to postal interception).