Accountants and bookkeepers sit at the intersection of two of the most privacy-sensitive domains: personal finances and business operations. You hold tax returns, payroll records, bank statements, health-related expenses, and information about domestic arrangements, business disputes, and personal debt. For most of your clients, you know more about their financial lives than anyone except perhaps their spouse.
And yet, formal GDPR compliance in small accounting practices is rare. Most practices rely on legacy file-sharing habits — emailing unencrypted spreadsheets, storing files in shared cloud folders, using whatever accounting software the client prefers — without having mapped their data flows, signed the right agreements, or documented their legal basis for processing.
This guide covers what GDPR means for accounting practices in the UK (with strong applicability across the EU), what your obligations are, and what a practical compliance programme looks like for a small firm.
What Data Do Accountants Actually Hold?
Before you can comply with GDPR, you need to know what personal data you process. For most accounting practices, this includes:
Client personal data:
- Full name, address, date of birth, National Insurance number
- Tax returns (Self Assessment, Corporation Tax, VAT returns)
- Bank account details and transaction records
- Income sources, including rental income, investment income, and benefits
- Business ownership structures and director information
- Information about domestic arrangements relevant to tax (e.g., marriage, civil partnership, separation)
Employee and payroll data:
- Names, addresses, National Insurance numbers, and dates of birth
- Bank account details for salary payments
- Salary, benefits, and bonus information
- P60s, P45s, P11Ds
- Statutory sick pay, maternity/paternity pay records
- In some cases: health information relevant to statutory pay calculations
Third-party data:
- Information about clients' suppliers, customers, and employees that appears in bookkeeping records
- Beneficial owner information submitted to Companies House
Prospective client data:
- Enquiry emails, meeting notes, and due diligence information collected before engagement
This data is not only voluminous — it is also highly sensitive. Financial data can reveal health problems, relationship breakdowns, gambling habits, religious donations, and political affiliations. In the wrong hands, it enables identity theft, fraud, and blackmail. This is why GDPR compliance is not a box-ticking exercise for accountants — it is a fundamental professional obligation.
Lawful Basis for Processing
GDPR requires that every act of processing personal data has a lawful basis. For accountants, the relevant bases are:
Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with the data subject. This covers the core work you do for individual clients — preparing their tax returns, managing their bookkeeping, running their payroll.
Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation. This covers submitting returns to HMRC, filing with Companies House, responding to HMRC enquiries, and complying with anti-money laundering (AML) regulations, which require you to collect and retain identity documents.
Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests, unless overridden by the data subject's rights. This may apply to marketing communications with existing clients, maintaining business records, and fraud prevention.
For most of your client work, contract and legal obligation are the cleanest bases. You should document which basis applies to each category of processing in your Records of Processing Activities (RoPA).
Payroll Data and Special Category Processing
Payroll data sometimes crosses into special category territory under Article 9 of GDPR. Special category data includes data concerning health, and certain statutory pay calculations — particularly statutory sick pay (SSP) and statutory maternity/paternity pay (SMP/SPP) — require you to process health-related information.
Where you process special category data, you need both a lawful basis under Article 6 and a separate condition under Article 9. For payroll processing, the most relevant conditions are:
- Article 9(2)(b): Processing necessary for employment law obligations
- Article 9(2)(h): Processing for medical diagnosis or health and social care (less commonly applicable to accountants directly)
In practice, most payroll bureaus process this data under the employment law exception. Ensure your privacy notice covers this, and ensure your payroll software vendor has signed a Data Processing Agreement (DPA) with you.
Cloud Accounting Software as Data Processors
The shift to cloud accounting — Xero, QuickBooks Online, Sage, FreeAgent, IRIS, and others — means that most practices now rely on third-party software to store and process client data. Under GDPR, these vendors are data processors, and you are the data controller.
This matters because GDPR Article 28 requires a written Data Processing Agreement (DPA) between you and every processor. A DPA must include:
- The subject matter, duration, and nature of the processing
- The type of personal data and categories of data subjects
- Your instructions to the processor
- The processor's obligations (security measures, subprocessing restrictions, breach notification, assistance with DSARs)
Most major cloud accounting platforms now provide standard DPAs. Here is what you need to know:
Xero: Provides a DPA as part of its terms of service. Xero is headquartered in New Zealand (an adequate country) but processes data in AWS infrastructure, including in the EU/UK. Check their current data residency documentation.
QuickBooks (Intuit): Provides a DPA. Data may be processed in the US; Intuit relies on Standard Contractual Clauses (SCCs) for UK-to-US transfers.
Sage: UK-headquartered; provides a DPA. Sage Business Cloud data is processed within the UK and EU.
FreeAgent: UK-based, now part of NatWest Group. Provides a DPA. Data processed in the UK.
IRIS: UK-based. DPA available. Check specific products as IRIS has a complex portfolio.
Action required: Log into each platform's settings or legal section, locate the DPA, and either countersign it or confirm that it is incorporated by reference into your contract. Keep a record of when you accepted each DPA.
Sharing Data with HMRC, Companies House, and Other Statutory Bodies
Accountants routinely transmit client data to statutory bodies. Under GDPR, this is lawful because it falls under Article 6(1)(c) — processing necessary for compliance with a legal obligation. You do not need client consent to submit their Self Assessment return to HMRC; the legal basis is statutory.
However, you should still:
- Inform clients in your privacy notice that their data will be shared with HMRC, Companies House, the Pensions Regulator, and other relevant bodies
- Use secure submission channels — HMRC's Government Gateway and agent services account use encrypted connections
- Avoid emailing sensitive data to HMRC or statutory bodies — use official portals wherever possible
For AML purposes, you may also be required to submit Suspicious Activity Reports (SARs) to the National Crime Agency (NCA). The UK Data Protection Act 2018 contains an exemption that permits you to withhold information about a SAR from the data subject where disclosure could prejudice crime prevention (Schedule 2, Part 1, Paragraph 2 of the Act).
The Retention Problem: Professional Rules vs GDPR Minimisation
GDPR's storage limitation principle says you should keep personal data no longer than necessary for the purpose. Professional body rules and HMRC requirements say you should keep records for specific minimum periods. These can appear to conflict.
In practice, they do not — GDPR explicitly permits longer retention where required by law or professional regulation. The relevant retention periods for UK accountants are:
| Record Type | Minimum Retention Period |
|---|---|
| Self Assessment records (individuals) | 5 years after 31 January filing deadline |
| Company tax records | 6 years from end of accounting period |
| VAT records | 6 years (10 years for VAT MOSS) |
| Payroll records | 3 years after the end of the tax year |
| AML / KYC records | 5 years after end of client relationship |
| Companies Act accounting records | 3 years (private companies), 6 years (public companies) |
| ICAEW/ACCA working papers | 7 years (recommended) |
GDPR is satisfied when retention is driven by one of these legitimate bases. However, you should:
- Not retain data beyond the applicable period — once you are no longer legally or professionally required to keep something, delete it
- Have a documented retention policy — this demonstrates accountability under GDPR
- Apply the policy to all storage locations — email archives, cloud drives, local backups, and physical files
The real-world failure mode is indefinite retention by default. Many practices have client files going back 20 years with no deletion process. That is a GDPR violation waiting to become a data breach.
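The retention table above is easiest to apply when the periods are turned into date arithmetic and run over an inventory of everything the practice holds. The script below is an added example, not code from the original post: it encodes the table's minimum periods, computes the last day each record must be kept, and lists records past that date grouped by storage location. The 31 January Self Assessment filing deadline and the 5 April tax year end follow HMRC practice; anchoring the 7-year working-paper period to the end of the engagement, and the inventory itself, are assumptions constructed for the example.

```python
"""Retention expiry checker for an accounting practice's record inventory.

Added example (not from the original post). Retention periods follow the
table in the post; the working-paper anchor and the sample inventory are
constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from enum import Enum


class RecordType(Enum):
    SELF_ASSESSMENT = "self_assessment"   # anchor: tax year end (5 April)
    COMPANY_TAX = "company_tax"           # anchor: end of accounting period
    VAT = "vat"                           # anchor: end of VAT period
    VAT_MOSS = "vat_moss"                 # anchor: end of VAT period
    PAYROLL = "payroll"                   # anchor: tax year end (5 April)
    AML_KYC = "aml_kyc"                   # anchor: end of client relationship
    WORKING_PAPERS = "working_papers"     # anchor: end of engagement (assumed)


# Years to retain, counted from the anchor date (Self Assessment is special-cased below).
RETENTION_YEARS = {
    RecordType.COMPANY_TAX: 6,
    RecordType.VAT: 6,
    RecordType.VAT_MOSS: 10,
    RecordType.PAYROLL: 3,
    RecordType.AML_KYC: 5,
    RecordType.WORKING_PAPERS: 7,
}


@dataclass(frozen=True)
class Record:
    ref: str
    kind: RecordType
    anchor: date      # event the retention period counts from (see RecordType)
    location: str     # mailbox, client portal, cloud drive, archive, filing cabinet


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: Record) -> date:
    """Last day the record must still be kept under the retention table."""
    if rec.kind is RecordType.SELF_ASSESSMENT:
        # 5 years after the 31 January filing deadline that follows the tax year end
        filing_deadline = date(rec.anchor.year + 1, 1, 31)
        return add_years(filing_deadline, 5)
    return add_years(rec.anchor, RETENTION_YEARS[rec.kind])


def deletion_candidates(inventory, today: date) -> dict[str, list[str]]:
    """Refs of records past their retention date, grouped by storage location."""
    due = defaultdict(list)
    for rec in inventory:
        if retain_until(rec) < today:
            due[rec.location].append(rec.ref)
    return {loc: sorted(refs) for loc, refs in sorted(due.items())}


# Constructed inventory for a fictional practice; refs and locations are invented.
SAMPLE_INVENTORY = [
    Record("SA-SMITH-2018-19", RecordType.SELF_ASSESSMENT, date(2019, 4, 5), "client-portal"),
    Record("SA-SMITH-2020-21", RecordType.SELF_ASSESSMENT, date(2021, 4, 5), "client-portal"),
    Record("CT-ACME-2018", RecordType.COMPANY_TAX, date(2018, 12, 31), "cloud-drive"),
    Record("VAT-ACME-2019Q4", RecordType.VAT, date(2019, 12, 31), "cloud-drive"),
    Record("PAY-ACME-2021-22", RecordType.PAYROLL, date(2022, 4, 5), "mailbox"),
    Record("KYC-SMITH", RecordType.AML_KYC, date(2021, 3, 15), "filing-cabinet"),
    Record("WP-ACME-2017", RecordType.WORKING_PAPERS, date(2017, 9, 30), "archive-drive"),
]


if __name__ == "__main__":
    today = date(2025, 6, 1)   # fixed "today" so the report is reproducible
    for rec in SAMPLE_INVENTORY:
        print(f"{rec.ref:20} keep until {retain_until(rec)}  ({rec.location})")
    print("\nDue for deletion on", today)
    for location, refs in deletion_candidates(SAMPLE_INVENTORY, today).items():
        print(f"  {location}: {', '.join(refs)}")
```

Because the table gives minimum periods, a record on the report is one the practice may now delete, not one it must; the point of grouping by location is that the same policy has to reach the mailbox and the archive drive, not just the client portal.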
Client File Retention and Professional Body Rules
ICAEW, ACCA, CIOT, and other professional bodies set their own guidance on working paper retention, which typically recommends 7 years. This is a legitimate basis for extended retention under GDPR, but it must be documented.
When a client relationship ends, you should:
- Identify what data you hold and where
- Determine which records you are required to retain (and for how long)
- Delete or securely destroy records that are no longer needed
- Provide the client with copies of their own documents if requested
Clients have a right to access their personal data (a Subject Access Request, also abbreviated SAR, not to be confused with the Suspicious Activity Reports above) even after the engagement ends. If a former client requests their data, you must respond within one month. Note that working papers produced by your firm for your own purposes (e.g., audit files) may not be disclosable under a Subject Access Request where the legal professional privilege exemption applies — but seek advice on a case-by-case basis.
Email, File Sharing, and Data Security
Email is the most common vector for data breaches in accounting practices. Unencrypted attachments containing tax returns, payroll files, and bank statements are sent routinely to clients and their advisers — and frequently to the wrong recipient.
GDPR Article 32 requires appropriate technical and organisational security measures. For an accounting practice, this means:
Email security:
- Use TLS-encrypted email (most modern providers do this by default)
- Consider enforced encryption for attachments containing sensitive data (e.g., S/MIME or secure portal delivery)
- Implement email filtering to prevent accidental outbound disclosure
- Train staff never to send bulk payroll files in unencrypted attachments
File sharing:
- Use a client portal rather than consumer cloud storage (Google Drive shared links, Dropbox links) where possible
- If you use SharePoint, OneDrive, or Google Workspace, ensure you have signed DPAs with Microsoft or Google and that your sharing settings are appropriate
- Avoid personal email accounts for client work
Access controls:
- Ensure client files are accessible only to staff who need them
- Use role-based access controls in your practice management software
- Revoke access promptly when staff leave
Device security:
- Encrypt laptops and mobile devices
- Enforce strong passwords and multi-factor authentication
- Have a remote wipe capability for lost devices
Data Breaches in Accounting: A Prime Target
Accounting practices are a high-value ransomware target. You hold financial data on dozens or hundreds of clients, you often have direct access to their accounting systems, and — historically — small practices have had poor cybersecurity hygiene.
Under GDPR, a personal data breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. For accounting breaches, this threshold is almost always met — financial data breaches carry serious fraud and identity theft risks.
You must also notify affected individuals “without undue delay” where the breach is likely to result in a high risk to their rights and freedoms. A ransomware attack that encrypts client files and exfiltrates data almost certainly meets this threshold.
Practical steps:
- Have an incident response plan documented before a breach occurs
- Know who your ICO contact point is and how to submit a breach report (via the ICO's online portal)
- Have offline backups that cannot be reached by ransomware (the 3-2-1 rule: three copies, two different media, one offsite)
- Consider cyber insurance — specialist policies for professional services are now widely available
- Test your backups regularly; a backup you have never restored is not a backup
The ICO has issued enforcement action against accounting firms following ransomware attacks where the firm lacked adequate security measures. The fines may be modest by corporate standards, but the reputational damage — and the cost of notifying clients — can be significant.
Practical GDPR Compliance Checklist for Small Accounting Practices
Use this checklist to identify gaps and prioritise your compliance work:
Governance and documentation
- [ ] Appoint a named person responsible for data protection in the practice
- [ ] Maintain a Records of Processing Activities (RoPA) document covering all categories of client data you process
- [ ] Document your lawful basis for each processing activity
- [ ] Have a written data retention and deletion policy, aligned with professional body guidance and HMRC requirements
Privacy notices
- [ ] Publish a privacy notice on your website covering what data you collect, why, how long you keep it, and your legal bases
- [ ] Provide a client-facing privacy notice at the point of engagement (or incorporate it into your engagement letter)
- [ ] Ensure payroll clients are informed that you process employee data on their behalf
Data Processing Agreements
- [ ] Sign (or confirm acceptance of) DPAs with all cloud accounting software providers: Xero, QuickBooks, Sage, FreeAgent, IRIS, etc.
- [ ] Sign DPAs with your practice management software provider
- [ ] Sign DPAs with any payroll software or bureau you use
- [ ] Sign DPAs with cloud storage providers (Microsoft, Google, Dropbox)
Security
- [ ] Encrypt all laptops and mobile devices used for client work
- [ ] Use MFA on all cloud services (email, accounting software, practice management)
- [ ] Use a client portal rather than unencrypted email attachments for sensitive documents
- [ ] Maintain offline backups of client data
- [ ] Have a documented incident response plan
Data subject rights
- [ ] Have a process for handling Subject Access Requests (SARs) within 30 days
- [ ] Be able to provide clients with copies of their personal data on request
- [ ] Have a process for deleting client data when retention periods expire
Breach readiness
- [ ] Know how to report a breach to the ICO within 72 hours (via https://ico.org.uk/make-a-complaint/data-security-report/)
- [ ] Have a template for notifying affected clients following a breach
- [ ] Have cyber insurance in place
Getting Started
For most small accounting practices, the biggest compliance gaps are:
- Unsigned DPAs with cloud software vendors
- No documented retention policy (and data retained indefinitely)
- Insecure email practices — sending sensitive attachments unencrypted
- No privacy notice for clients (separate from the website privacy policy)
- No incident response plan
Start with the DPAs — they are the easiest to fix and the most commonly missing. Then document your retention policy, update your client privacy notice, and address your email security.
If you want to understand what data your practice's website is currently collecting and disclosing, run a free scan at https://app.custodia-privacy.com/scan. It takes 60 seconds and gives you a clear picture of your website's current data practices — a useful starting point for your broader GDPR programme.
This post provides general information about GDPR and data protection obligations for accounting practices in the UK. It does not constitute legal advice. Requirements vary depending on your practice structure, client base, and professional body membership. Consult a qualified data protection or legal professional for advice specific to your circumstances.