The Dual Controller/Processor Problem
Most accountancy practices wear two hats simultaneously, and the distinction matters enormously under GDPR.
When you process data about your own clients — onboarding them, managing your relationship with them, maintaining your CRM — you are a data controller. You decide why and how their personal data is processed. You need a lawful basis, a privacy notice, and processes for handling data subject rights requests.
When you process data on behalf of payroll or bookkeeping clients — running payroll for their employees, maintaining their purchase ledger, filing VAT returns — you are a data processor. The employer is the controller; you are acting under their instructions. GDPR Article 28 requires a written Data Processing Agreement (DPA) between you and each such client. Without a DPA, both parties are technically non-compliant.
The practical implication: a mid-size firm providing audit, tax, payroll, and bookkeeping services needs to maintain both controller and processor compliance frameworks, and must be clear about which hat it is wearing at any given time.
Types of Data You Process
Accountancy data is inherently personal, even when it relates to businesses. The categories typically include:
- Personal tax returns (Self Assessment): Income, capital gains, pension contributions, rental income, benefits in kind, property ownership — the full picture of an individual's financial life
- Payroll records: Salary, NI numbers, tax codes, bank account details, pension contributions, statutory leave payments, sickness records
- Company financial data with personal elements: Director loan accounts, personal guarantees on company debt, shareholder dividend payments, related party transactions
- Bank statements: Presented for bookkeeping or audit purposes, containing personal transaction histories
- Pension contribution records: Workplace pension enrolment data, contribution rates, employee pension correspondence
- Expense claims: Often containing receipts with personal location and purchase data
- Benefits in kind data: Company cars, private medical, loans — all personally identifiable
Much of this is financial data, which, while not explicitly a special category under GDPR Article 9, is sensitive enough that the ICO expects it to be handled with heightened care. Some payroll data — sickness records, for instance — is special category data requiring explicit consent or a specific Schedule 1 condition under the UK Data Protection Act 2018.
AML/KYC: Identity Documents and Beneficial Ownership
The Money Laundering Regulations 2017 (MLR17) require accountancy firms providing certain regulated services — audit, tax advice, trust and company services, bookkeeping — to conduct Customer Due Diligence (CDD) on clients. This means collecting:
- Government-issued photo ID (passport, driving licence)
- Proof of address
- Source of funds information for higher-risk clients
- Beneficial ownership information for corporate clients (the natural persons who ultimately own or control them)
This creates an immediate tension with GDPR's data minimisation principle. GDPR says collect only what you need for a specified purpose; AML law says collect extensive personal information and keep it for at least five years after the business relationship ends.
The resolution: legal obligation (Article 6(1)(c)) is the lawful basis for AML/KYC data collection. You are not processing this data because clients have consented — you are processing it because you are legally required to. This means:
- You cannot rely on this data for other purposes (marketing, for instance)
- You cannot delete it at the client's request before the AML retention period expires
- Your privacy notice must clearly disclose the AML legal basis and the mandatory retention period
- Employees who handle CDD data need specific AML training, which dovetails with GDPR training requirements
For beneficial ownership data — the UBO information you collect about the humans behind corporate clients — you are processing data about individuals who have not directly engaged with your firm. Your privacy notice must explain how third parties' data is used, and you should have a mechanism to inform them of their data subject rights (or document why direct notification is disproportionate).
HMRC Mandatory Reporting: When Legal Obligation Overrides Confidentiality
Accountants have a professional duty of client confidentiality. GDPR does not override this — in fact, GDPR's legitimate interest and legal obligation bases can support maintaining confidentiality as a processing activity. But certain mandatory disclosures to HMRC are required regardless of client consent:
- RTI (Real Time Information) payroll submissions: Every pay run generates an FPS (Full Payment Submission) to HMRC containing employee personal data — name, NI number, pay, deductions
- Self Assessment returns: Filed on behalf of clients, transmitting personal financial data to HMRC
- VAT returns: While primarily business data, they can contain personal information for sole traders
- HMRC information notices: When HMRC issues a formal information notice under Schedule 36 Finance Act 2008, compliance is legally mandatory
For all of these, legal obligation (Article 6(1)(c)) is your lawful basis. Clients cannot prevent you from making legally required disclosures by withdrawing consent — because consent is not the basis in the first place. Your client privacy notice should be explicit that mandatory regulatory reporting will occur regardless of personal data preferences.
Where suspicious activity reports (SARs) are filed under the Proceeds of Crime Act 2002, there is an additional complication: you typically cannot tell the client you have filed a SAR (tipping off offences), which means you cannot fulfil the normal transparency obligations under GDPR. The tipping-off prohibition takes legal precedence — document this carefully in your compliance records.
Cloud Accounting Software as Data Processors
The shift to cloud accounting — Xero, QuickBooks, Sage, FreeAgent, Dext, AutoEntry — means client data now flows through third-party platforms. Under GDPR, each of these platforms is a sub-processor if you are acting as processor for your payroll or bookkeeping clients, or a data processor if you are using them to manage your own client data.
The requirements:
Data Processing Agreements: Each platform must have a DPA with you. Most major platforms (Xero, QuickBooks, Sage) publish DPA terms in their terms of service. Review and accept these formally — do not assume they apply automatically.
Sub-processor disclosure: If you have a DPA with a bookkeeping client, you must disclose your sub-processors (including the cloud platform) to that client. Your DPA template should include a sub-processor list or a mechanism for notifying clients when sub-processors change.
Data location: Check where each platform stores UK client data. Post-Brexit, UK GDPR applies, and transfers outside the UK require appropriate safeguards (adequacy decisions or International Data Transfer Agreements). Most major platforms have UK or EU hosting options — verify this for each tool in your stack.
Access controls: Who in your firm can access which client data on these platforms? Implement role-based access so staff only see the data they need for their specific work.
Payroll Bureaus: The Processor Relationship
If you operate a payroll bureau — processing payroll for multiple employer clients — you are a processor for each of those employers. This means:
- A signed DPA with every payroll client — this is not optional under GDPR Article 28
- Processing only on documented instructions — if a client asks you to do something with employee data that seems outside normal payroll processing, document the instruction before proceeding
- Security obligations — payroll data (especially NI numbers, bank details, and salary information) requires strong access controls, encrypted transmission, and secure storage
- Breach notification to the controller — if there is a data breach affecting employee payroll data, you must notify your client promptly so they can fulfil their 72-hour notification obligation to the ICO. Your DPA should specify notification timescales — in practice, immediate notification is advisable
- Assistance with data subject rights — if an employee contacts their employer with a DSAR or erasure request, and you hold some of the relevant data, you must assist your client in responding within the 30-day deadline
One frequently overlooked issue: payroll bureaus often handle sickness and statutory leave data — SSP, SMP, SPP. This overlaps with special category health data under GDPR Article 9. Make sure your lawful basis for processing (employment law compliance and legal obligation) is documented, and that access to sickness records is strictly limited.
Client Portal Security and Document Exchange
The days of emailing unencrypted spreadsheets are not over in practice, but they should be. Sending personal tax data or payroll files over unencrypted email creates real GDPR risk — particularly for high-value targets like accountancy firms.
Best practice for client document exchange:
- Use a secure client portal (Senta, Karbon, TaxCalc Client Hub, or similar) with authenticated access for document upload and download
- Avoid email attachments for personal financial data — if you must use email, encrypt attachments and send passwords via a separate channel
- Access controls: Clients should only be able to access their own documents. Multi-client firms should audit portal permissions regularly
- Audit trails: Maintain logs of who accessed which documents and when — useful for demonstrating compliance and investigating incidents
- Two-factor authentication: Enable for all staff and ideally for clients accessing portals
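As an added example, not taken from the original article or from any portal vendor, the Python below runs the two permission rules above (clients reach only their own folder; staff reach only the clients they are assigned to) over a constructed CSV export from a hypothetical client portal. The log columns, actor names and staff assignments are assumptions.

```python
import csv
from io import StringIO

# Constructed sample export from a hypothetical portal; not any real product's log format.
PORTAL_LOG = """\
timestamp,actor,actor_type,document,owner_client,action
2024-04-02T09:14:05Z,client-1042,client,1042/SA-2023.pdf,1042,download
2024-04-02T09:20:11Z,client-1042,client,2210/payroll-mar.xlsx,2210,download
2024-04-02T10:02:47Z,jsmith,staff,2210/payroll-mar.xlsx,2210,view
2024-04-02T10:05:00Z,jsmith,staff,3301/bank-feb.pdf,3301,download
2024-04-03T01:30:09Z,client-2210,client,2210/payroll-mar.xlsx,2210,download
"""

# Constructed engagement assignments: which clients' files each staff member may work on.
STAFF_ASSIGNMENTS = {"jsmith": {"2210"}, "apatel": {"1042", "3301"}}


def parse_log(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def audit_access(rows, assignments):
    """Return (finding, actor, document, timestamp) tuples for boundary violations."""
    findings = []
    for row in rows:
        actor, owner, doc = row["actor"], row["owner_client"], row["document"]
        # The folder prefix should agree with the owner column; a mismatch means a
        # mislabelled record, which would hide a real violation from the checks below.
        if doc.split("/", 1)[0] != owner:
            findings.append(("path-mismatch", actor, doc, row["timestamp"]))
        if row["actor_type"] == "client":
            # A client account may only reach documents in its own folder.
            if actor != f"client-{owner}":
                findings.append(("cross-client", actor, doc, row["timestamp"]))
        elif row["actor_type"] == "staff":
            # Staff may only reach clients on their assignment list (least privilege).
            if owner not in assignments.get(actor, set()):
                findings.append(("unassigned-staff", actor, doc, row["timestamp"]))
    return findings


if __name__ == "__main__":
    for finding in audit_access(parse_log(PORTAL_LOG), STAFF_ASSIGNMENTS):
        print(*finding)
```

Run against a real export, each finding is either a permission that should not exist or an access to investigate, and the script output can be filed as evidence of the periodic permission audit.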
Document your security measures in a Record of Processing Activities (ROPA). The ICO expects appropriate technical and organisational measures — a ROPA entry with no security measures documented is a compliance gap.
Marketing to Business Contacts Under PECR
Many accountancy firms market to existing clients, former clients, and business prospects. The rules depend on who you are contacting and how:
Existing clients: Under GDPR legitimate interest, you can generally send relevant updates and service information to existing clients who have not opted out. Your privacy notice should describe this and include an easy opt-out mechanism.
Business contacts (B2B email): Under PECR (Privacy and Electronic Communications Regulations), marketing emails to corporate email addresses (e.g., person@company.com) have more flexibility than consumer marketing — you can contact businesses without prior consent if you have a legitimate reason. However, if individuals have opted out, you must respect that regardless.
Sole traders and partnerships: are treated as individuals under PECR, not businesses. Their email addresses are personal data, and direct marketing requires either prior consent or the soft opt-in (they are an existing client who purchased similar services and did not opt out).
Cold outreach to prospect lists: Purchased marketing lists for accountancy prospects — business owners, finance directors — need careful PECR and GDPR analysis. The individual must have been told their data would be used for this purpose when it was collected. Many purchased lists cannot meet this standard.
LinkedIn and professional networking: Personal messaging through LinkedIn to business contacts is generally not subject to PECR's electronic marketing rules, but GDPR still applies if you are processing their contact data.
Data Retention: Reconciling HMRC Requirements with GDPR
The GDPR storage limitation principle says you should not keep personal data longer than necessary. HMRC's record-keeping requirements say the opposite — keep everything for at least six years (Companies Act) or longer in certain circumstances.
Applicable retention periods for accountancy data:
- HMRC tax records: HMRC recommends sole traders keep records for 5 years after the 31 January submission deadline; companies for 6 years from the end of the accounting period
- Payroll records: PAYE records must be kept for 3 years after the tax year; NI records should be retained for 6 years
- AML/KYC records: Must be retained for 5 years after the end of the business relationship (MLR17)
- Pension records: Auto-enrolment records should be kept for 6 years
- Company audit working papers: Generally 6 years under professional standards
The reconciliation: legal obligation and legal claims (Article 6(1)(c) and (f)) provide the lawful basis for retention beyond the point at which data is no longer operationally needed. Your data retention policy should document each data category, the applicable legal retention period, and what happens to data at the end of that period — ideally, secure deletion or anonymisation.
A common mistake: firms delete data at the minimum legal period without considering ongoing limitation periods for professional negligence claims (typically 6 years from the negligent act, or 15 years for latent damage). Your professional indemnity insurer and legal advisers can guide appropriate retention periods for audit and advisory work.
Compliance Checklist
For Sole Practitioners
- [ ] Register with the ICO as a data controller (annual fee, currently £40-£60 depending on size)
- [ ] Publish a privacy notice covering clients, employees, and prospects
- [ ] Have a written DPA in place with each payroll/bookkeeping client
- [ ] Review cloud accounting platform DPAs (Xero, QuickBooks, FreeAgent, etc.)
- [ ] Document your AML/KYC data retention policy (5 years post-relationship)
- [ ] Check that AML ID documents are stored securely and access-controlled
- [ ] Implement secure document exchange — avoid unencrypted email for tax data
- [ ] Have a process for handling data subject access requests (30-day deadline)
- [ ] Document a data breach response process (72-hour ICO notification window)
- [ ] Maintain a basic Record of Processing Activities
For Mid-Size Firms (5+ staff, multiple service lines)
Everything above, plus:
- [ ] Appoint a nominated data protection lead (DPO-equivalent, even if not formally required)
- [ ] Maintain a full ROPA covering all processing activities, including sub-processors
- [ ] Conduct a Privacy Impact Assessment (PIA) for any new service that involves significant personal data processing
- [ ] Implement role-based access controls in cloud platforms — staff access only what they need
- [ ] Staff GDPR training at onboarding and annually — include AML data handling
- [ ] Review and update all client DPAs annually or when services change
- [ ] Audit portal access permissions quarterly
- [ ] Maintain a sub-processor list and notify payroll/bookkeeping clients of changes
- [ ] Have a documented legal hold process for data subject to litigation or investigation
- [ ] Review marketing contact lists for PECR compliance before campaigns
Where to Start
For most accountancy practices, the highest-priority gaps are: client DPAs (particularly for payroll and bookkeeping services), a clear privacy notice that covers AML data processing, and secure document exchange infrastructure. These are the areas most likely to generate complaints or ICO attention.
For your own firm's website compliance — cookie banners, privacy policy accuracy, tracker management — run a free scan at app.custodia-privacy.com/scan. Custodia identifies trackers, cookie issues, and privacy policy gaps in under 60 seconds. It does not replace a comprehensive GDPR programme, but it closes the most visible surface-level gaps quickly — the ones your clients and regulators will notice first.
This guide is for informational purposes and does not constitute legal advice. Accountancy firm GDPR compliance involves jurisdiction-specific and sector-specific considerations — consult a qualified data protection adviser or solicitor for advice tailored to your circumstances.