DEV Community

Custodia-Admin

GDPR for Accountants and Bookkeepers: Handling Client Financial Data Compliantly

Accountants and bookkeepers sit at the intersection of some of the most sensitive personal data imaginable. Bank statements, payroll records, tax returns, sick pay details, child benefit claims, pension contributions — the data flowing through a typical accounting practice touches nearly every area of a client's financial and personal life.

That makes GDPR compliance for accounting and bookkeeping firms both critically important and genuinely complex. You're not just handling names and email addresses. You're handling data that can reveal health conditions, family circumstances, debt situations, and income levels — and you're legally required to keep much of it for years after the client relationship ends.

This guide gives you a practical framework for compliant data handling in an accounting or bookkeeping practice.


Why Accounting Data Is High-Risk Personal Data

Most businesses think of personal data as names, email addresses, and phone numbers. Accountants deal with something far more sensitive.

Financial details are personal data under GDPR — bank account numbers, credit card details, loan information, mortgage statements, overdraft records.

Health data processed for sick pay is special category data under Article 9 of GDPR, attracting the highest level of protection. If you process sick notes, statutory sick pay calculations, or medical certificates as part of your payroll work, you're handling special category data.

Payroll records contain a dense concentration of personal information: salary, tax codes, National Insurance numbers, pension contributions, student loan deductions, child support attachments of earnings, maternity and paternity pay.

Family and personal circumstances frequently surface in tax and accounts work — childcare costs, maintenance payments, inheritance, property ownership, family business structures.


Lawful Basis for Processing Client Financial Data

For accounting and bookkeeping firms, two lawful bases do most of the heavy lifting.

Contract (Article 6(1)(b)) covers processing necessary to fulfil your engagement with the client. Preparing their accounts, running their payroll, completing their tax return — all covered.

Legal obligation (Article 6(1)(c)) covers processing required by law — Companies Act reporting, HMRC filing obligations, anti-money laundering regulations under the Money Laundering Regulations 2017.

You generally cannot rely on consent as your primary lawful basis for processing client data. Consent must be freely given, and the power imbalance in a professional services relationship means genuine consent is difficult to establish.


The GDPR Retention Tension: Why You Can't Just Delete Everything

GDPR's storage limitation principle says personal data should be kept "for no longer than is necessary." But a legal obligation to keep records is itself a lawful reason to retain them, so the question becomes how long each statutory period runs and from what date.

In the UK, HMRC expects businesses to retain tax records for at least six years from the end of the accounting period. Under the Companies Act, company records must be kept for at least six years (private companies) or twelve years (public companies). Under anti-money laundering regulations, you're required to retain client due diligence records for five years after the end of the client relationship.

These legal retention requirements override GDPR's deletion expectations. Document this explicitly in your privacy notice and engagement letter.

When the legal retention period expires, you must actually delete or securely destroy the data.


Cloud Accounting Software as Data Processors

When you use Xero, QuickBooks, Sage, FreeAgent, or similar platforms, the software provider is acting as your data processor under GDPR. GDPR Article 28 requires a Data Processing Agreement (DPA) with every data processor.

  • Xero has a Data Processing Addendum within its Terms of Service
  • QuickBooks (Intuit) provides a DPA through its compliance documentation
  • Sage includes data processing terms in its subscription agreements
  • FreeAgent provides GDPR-compliant terms including data processing commitments

Don't assume signing up automatically puts a compliant DPA in place — check you've actually reviewed and accepted these terms.


Sharing Data with HMRC and Other Authorities

Sharing data with HMRC as part of your legal filing obligations is covered by the legal obligation lawful basis. Article 6(1)(c) explicitly covers disclosures required by law.

The key principle is proportionality: share only what is required for the specific filing or inquiry, and no more.

For Suspicious Activity Reports: you are legally prohibited from tipping off the client that a SAR has been filed. ICO guidance confirms that the tipping-off prohibition takes precedence — you are not required to disclose a SAR filing in response to a subject access request.


Client Data Security Requirements

GDPR requires "appropriate technical and organisational measures" to protect personal data.

Technical measures:

  • Encrypted storage for all client files, including backups
  • Multi-factor authentication for cloud accounting software and email
  • Encrypted email or a secure file-sharing portal for sensitive documents
  • Antivirus and endpoint protection on all devices
  • Regular software updates and patch management

Organisational measures:

  • Clear desk and clear screen policies
  • Access controls limited to those who need client data
  • A documented data breach response procedure
  • Staff training on data protection and phishing awareness
  • Secure destruction of physical documents (cross-cut shredding)

What Your Engagement Letter and Privacy Notice Must Cover

Article 13 requires you to provide specific information when you collect personal data.

Your privacy notice must include:

  • Who you are and your contact details
  • What personal data you collect and why
  • The lawful basis for each type of processing
  • How long you retain each category of data (and why)
  • Who you share data with (HMRC, software providers, subcontractors)
  • Client and employee data subject rights
  • How to make a complaint to the ICO

Your engagement letter should reference:

  • The privacy notice (by link or appended copy)
  • Named cloud platforms used to process client data
  • Your retention policy and what happens to data when the engagement ends

Employee Payroll Data as Special Category Data

Health data processed in payroll — sick notes, SSP calculations, fit notes from GPs, long-term absence records — is special category data under Article 9, attracting the highest level of protection.

For employment-related health data, the typical Article 9 conditions are:

  • Article 9(2)(b): Processing necessary for employment law obligations (SSP is legally mandated)
  • Article 9(2)(h): Processing for occupational health purposes

Payroll staff processing sick pay data should be under confidentiality obligations, and access should be limited to those who need it.


Handling Ex-Client Deletion Requests

Under Article 17, individuals have a right to erasure — but it's not absolute. You can refuse deletion where you have a legal obligation to retain the data.

Your response should:

  1. Acknowledge the request within 30 days
  2. Explain which data you're retaining and why (citing the specific legal obligation)
  3. Confirm deletion of data not covered by the retention obligation
  4. Provide information about the client's right to complain to the ICO
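As an added example (not the post's own code), the retention periods above and the erasure-request steps expressed as a small Python policy check: the categories, periods and 30-day figure are taken from the post, while the record fields and the sample client are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods stated in the post (UK); anchor = attribute the period runs from.
RETENTION_RULES = {
    "tax_records":             ("HMRC", 6, "accounting_period_end"),
    "company_records_private": ("Companies Act (private company)", 6, "accounting_period_end"),
    "company_records_public":  ("Companies Act (public company)", 12, "accounting_period_end"),
    "aml_due_diligence":       ("Money Laundering Regulations 2017", 5, "relationship_end"),
}

@dataclass(frozen=True)
class ClientRecord:
    ref: str
    category: str                  # a RETENTION_RULES key, or anything else
    accounting_period_end: date
    relationship_end: date

def add_years(d: date, years: int) -> date:
    try:                           # 29 Feb + N years may not exist: use 28 Feb
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retain_until(rec: ClientRecord):
    """Expiry date of the statutory period, or None if no legal obligation applies."""
    rule = RETENTION_RULES.get(rec.category)
    if rule is None:
        return None
    _basis, years, anchor = rule
    return add_years(getattr(rec, anchor), years)

def assess_erasure_request(records, request_date: date):
    """Article 17 per the post: refuse where a legal obligation still applies, delete the rest."""
    retained, deleted = [], []
    for rec in records:
        until = retain_until(rec)
        if until is not None and until > request_date:
            basis = RETENTION_RULES[rec.category][0]
            retained.append((rec.ref, f"retained until {until.isoformat()} under {basis}"))
        else:
            deleted.append(rec.ref)
    return {"respond_by": request_date + timedelta(days=30),
            "retained": retained, "deleted": deleted}

# Constructed sample: one ex-client whose engagement ended 30 June 2018.
SAMPLE_RECORDS = [
    ClientRecord("R1", "tax_records", date(2018, 3, 31), date(2018, 6, 30)),
    ClientRecord("R2", "aml_due_diligence", date(2018, 3, 31), date(2018, 6, 30)),
    ClientRecord("R3", "marketing_notes", date(2018, 3, 31), date(2018, 6, 30)),
]
```

The `retained` entries give the wording for step 2 of the response (which data is kept and under which obligation), and `deleted` gives the list to confirm in step 3.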

GDPR Compliance Checklist for Accounting Firms

Lawful basis and documentation

  • [ ] Lawful basis documented for each category of client data processing
  • [ ] Article 9 conditions documented for any health data processed in payroll
  • [ ] Record of Processing Activities maintained

Client documentation

  • [ ] Privacy notice meets all Article 13 requirements
  • [ ] Engagement letter references data processing and privacy notice
  • [ ] Retention periods documented and communicated

Data processors

  • [ ] DPA in place with Xero, QuickBooks, Sage, FreeAgent (as applicable)
  • [ ] DPA in place with any other tools that process client data

Security

  • [ ] MFA enabled on all cloud platforms
  • [ ] Encrypted storage for client files
  • [ ] Breach response procedure documented
  • [ ] Staff trained on data protection basics

Retention and deletion

  • [ ] Retention schedule aligned with HMRC and Companies Act requirements
  • [ ] Process for deleting data when retention periods expire
  • [ ] Procedure for handling data subject requests (including deletion refusals)

Next Steps

A practical first step: audit what your practice website is actually doing with visitor data. Cookie trackers, contact form data, and analytics tools are often configured in ways that don't meet GDPR standards.

Scan your website free at Custodia — no signup required, results in 60 seconds.


This post provides general information about GDPR as it applies to accounting and bookkeeping practices. It does not constitute legal advice. Consult a qualified data protection solicitor or your professional body for advice specific to your situation.