
Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Bookkeepers: Client Financial Records, HMRC Compliance, and Data Processor Duties

Bookkeepers occupy a legally distinctive position under GDPR. Unlike accountants who sometimes act as controllers for their own client records, bookkeepers almost always act as data processors — processing personal data on behalf of their clients, who are the data controllers. This distinction is not just academic. It shapes every compliance obligation you carry, from the contracts you sign to how you report a data breach.

This guide covers the key GDPR obligations for professional bookkeepers: what personal data you handle, how to establish a lawful basis, data processing agreements with every client, cloud software and sub-processor chains, payroll data as sensitive personal data, HMRC record-keeping versus data minimisation, access controls, breach reporting, post-engagement data retention, AML checks, and the professional standards set by the ICB and AAT alongside GDPR.


Bookkeepers as Data Processors — Not Controllers

Under GDPR Article 4, a data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller.

When you maintain purchase ledgers, reconcile bank statements, process payroll, or prepare VAT returns for a client, you are processing that client's data at their direction. The client (the business you work for) is the controller. You are the processor.

This matters because:

  • Article 28 requires a written Data Processing Agreement (DPA) between every controller and processor
  • You must only process data according to the client's documented instructions
  • You cannot use the data for any purpose beyond the bookkeeping engagement
  • If a data subject (an employee, supplier, or customer) makes a rights request, you must assist your client to respond — you do not respond independently
  • If you experience a breach involving client personal data, you must notify the client so they can meet their 72-hour ICO notification obligation

The only exception is where you also act as a controller in your own right — for example, when managing your own business records, marketing to prospects, or handling your own staff data.


Mandatory Data Processing Agreements with Every Client

Article 28 GDPR is unequivocal: you must have a written contract with every client before you process their personal data. This DPA must cover:

  • The subject matter, duration, nature, and purpose of the processing
  • The categories of personal data you process (payroll records, invoices, supplier data, etc.)
  • The categories of data subjects whose data you process (employees, customers, suppliers)
  • Your obligations as processor, including confidentiality, security, and acting only on instructions
  • The conditions under which you may engage sub-processors (cloud software, payroll platforms)
  • Your obligations to assist the client with data subject rights requests
  • Your obligations to assist with security and breach notification
  • Deletion or return of personal data at the end of the engagement

Many bookkeepers operate on informal arrangements — a verbal agreement or a simple letter of engagement that covers the bookkeeping services but says nothing about data protection. Under GDPR, this is a compliance failure affecting both you and your client.

If you do not have signed DPAs with every client for whom you process personal data, this is the most urgent gap to address. The ICO's website provides guidance on Article 28 requirements, and template DPAs are available — but they require customisation to reflect your actual processing activities.


What Personal Data Bookkeepers Handle

The volume and sensitivity of personal data in routine bookkeeping work is easily underestimated. Bookkeepers regularly handle:

Employee and payroll data:

  • Full names, addresses, dates of birth, National Insurance numbers
  • Tax codes, salary amounts, pension contributions
  • Bank account details for BACS payroll payments
  • Statutory sick pay records, maternity/paternity pay
  • P60s, P45s, employee expense claims

Supplier and subcontractor data:

  • Business names and individual names of sole traders
  • Bank account details for supplier payments
  • VAT registration numbers
  • Addresses and contact details

Customer and sales data:

  • Customer names and addresses on invoices
  • Payment terms and outstanding balances
  • For consumer-facing businesses: individual customer financial details

Director and shareholder data:

  • Personal drawings from the business
  • Director loan account details

Much of this data relates to identified or identifiable living individuals — that is, it is personal data under GDPR Article 4(1). The fact that it appears in financial records does not make it exempt from data protection law.


Payroll Data as Sensitive Personal Data

Payroll records deserve particular attention. While salary amounts and bank details are not categorised as special category data under GDPR Article 9, they are highly sensitive and attract correspondingly high breach risk.

However, payroll processing frequently touches data that is special category:

  • Statutory sick pay calculations may reveal health conditions
  • Disability-related adjustments to pay or hours
  • Religious or cultural observances that affect working patterns or pay (e.g., Ramadan adjustments, religious holidays)
  • Maternity/paternity pay records that disclose pregnancy or family status

Special category data requires an explicit lawful basis under Article 9 in addition to a standard Article 6 basis. For payroll, the most relevant Article 9 basis is typically Article 9(2)(b) — processing necessary for carrying out obligations in the field of employment law. Your client, as controller, must identify and document this basis. You, as processor, must process it only in accordance with their instructions and your DPA.


Lawful Basis for Processing Financial Records

As a processor, you are not required to identify the lawful basis — that is the controller's (your client's) responsibility. However, you should understand the basis your clients rely on so you can process data appropriately and assist with rights requests.

For most bookkeeping activities, the relevant lawful bases are:

  • Article 6(1)(b) — Contract performance: Processing payroll, paying suppliers, and maintaining records necessary to perform the employment contract or business contract
  • Article 6(1)(c) — Legal obligation: HMRC reporting (RTI submissions, VAT returns, corporation tax filings) and HMRC record-keeping requirements are legal obligations that provide a clear lawful basis
  • Article 6(1)(f) — Legitimate interests: Financial management, fraud prevention, and credit control may be supported by legitimate interests, though this requires a documented Legitimate Interests Assessment

Understanding which basis applies helps you respond correctly when a data subject exercises rights. For example, if an employee submits a Subject Access Request for their payroll records, and those records are processed under Article 6(1)(b) (contractual necessity), the right to erasure generally does not apply while the employment relationship continues and statutory retention periods are running.


HMRC Record-Keeping Requirements vs GDPR Data Minimisation

One of the most common areas of confusion for bookkeepers is the apparent tension between HMRC's record-keeping requirements and GDPR's data minimisation and storage limitation principles.

HMRC requires businesses to retain:

  • VAT records: 6 years
  • PAYE records: 3 years after the end of the tax year (though longer periods are commonly recommended for employment tribunal risk)
  • Company records and accounts: Generally 6 years from the end of the accounting period
  • Self-assessment records (sole traders and partnerships): 5 years after the 31 January filing deadline

These HMRC obligations provide the lawful basis — legal obligation under Article 6(1)(c) — for retaining financial records for the required period. GDPR's data minimisation principle does not require you to delete data that you are legally required to keep.

However, GDPR's storage limitation principle does apply once the legal retention period expires. Data that HMRC no longer requires you to keep should be deleted, unless there is another legitimate reason to retain it (ongoing litigation, for example).

In practice, bookkeepers should:

  • Document their data retention schedule, with retention periods mapped to specific legal obligations
  • Apply automatic or scheduled deletion processes when retention periods expire
  • Not retain records "just in case" beyond the period supported by a legal basis
  • Distinguish between records they hold as a processor (to be returned or deleted at the client's instruction) and records they hold as a controller in their own right (their own business records)

Cloud Bookkeeping Software and Sub-Processor Obligations

The major cloud bookkeeping platforms — QuickBooks Online, Xero, FreeAgent, Sage Business Cloud, and KashFlow — are your sub-processors when you use them to process client personal data. Under Article 28(4) GDPR, you must:

  • Obtain prior written authorisation from each client before using a sub-processor
  • Have a DPA in place with each sub-processor that imposes the same data protection obligations you carry
  • Remain fully liable to your client if the sub-processor fails to meet its data protection obligations

In practice:

  1. Disclose your cloud software to each client — your DPA should list the sub-processors you use and give the client the opportunity to object
  2. Execute the vendor's DPA — Xero, QuickBooks, FreeAgent, and Sage all offer data processing agreements. You must actually sign them, not just assume they exist
  3. Check where data is stored — some bookkeeping platforms store data outside the UK/EEA. Post-Brexit, transfers from the UK to EEA countries are permitted under adequacy regulations, but transfers to the US or other third countries require additional safeguards (Standard Contractual Clauses or equivalent). Check your platform's data residency settings

If a client refuses consent to use a specific platform, you either need to offer an alternative or accept that you cannot serve them using your preferred software.

Custodia's compliance tools can help you identify data flows between your bookkeeping practice's website and third-party platforms — useful for understanding what information is being shared and with whom before it even reaches your accounting software.


Secure Transmission of Client Files

Emailing payroll files, expense reports, or bank statements to clients (or receiving them from clients) is a routine part of bookkeeping work — and one of the most common causes of personal data breaches in professional services.

Standard email is not a secure channel for sensitive financial personal data. Best practice includes:

  • Using encrypted email (S/MIME or PGP) or a secure file-sharing platform (ShareFile, SharePoint with appropriate permissions, or a purpose-built document portal)
  • Never sending NI numbers, payroll data, or bank details in the body of an unencrypted email
  • Using password-protected files for attachments containing personal data, with passwords sent via a separate channel (SMS or phone call, not the same email thread)
  • Avoiding free consumer file-sharing services (personal Google Drive, Dropbox free tier) for business personal data — these lack the audit trails and security controls required under Article 32

For sole practitioner bookkeepers, the bar for secure transmission is the same as for larger firms. The ICO does not apply a small-business exemption to transmission security requirements.


Access Controls and Encryption

Article 32 GDPR requires appropriate technical and organisational measures to protect personal data. For bookkeepers, this means:

  • Encryption at rest: Laptops and external drives containing client financial records must be encrypted. BitLocker (Windows) or FileVault (Mac) are free and adequate
  • Strong authentication: Use unique, strong passwords for every system, supported by a password manager. Enable multi-factor authentication on cloud bookkeeping platforms, email, and any system storing client personal data
  • Access controls: Limit who in your practice can access which client files. Each client's data should be segregated from others — not stored in a single shared folder accessible to all staff
  • Physical security: Paper records containing personal data (payroll summaries, bank statements) must be stored securely, not left on desks or in unlocked filing cabinets
  • Screen privacy: When working in public spaces (coffee shops, client offices), use a privacy screen filter to prevent shoulder surfing of client financial records

For sole practitioner bookkeepers working from home, the security obligations still apply. A home office with a locked filing cabinet and an encrypted laptop is the minimum standard.


Data Breach Reporting: The Chain from Bookkeeper to Client to ICO

Data breach notification for bookkeepers follows a chain of obligations:

  1. You (the processor) must notify your client (the controller) without undue delay upon becoming aware of a breach
  2. Your client (the controller) must notify the ICO within 72 hours if the breach poses a risk to individuals
  3. Your client must also notify affected individuals (employees, customers, suppliers) without undue delay if the breach is likely to result in high risk to them

Your obligation to notify the client promptly is therefore critical — if your delay causes the client to miss the 72-hour ICO window, this compounds the compliance failure. "Without undue delay" for a processor is generally interpreted as hours, not days.

Common breach scenarios for bookkeepers:

  • Emailing payroll data to the wrong recipient
  • Losing a laptop or USB drive containing client files
  • Ransomware attack on your practice's systems
  • Unauthorised access to your cloud bookkeeping platform due to a compromised password
  • Accidentally sharing one client's data with another

Document every incident in a breach register, even those that do not reach the threshold for ICO notification. The ICO may ask to see your register during an investigation, and a record of incidents that were assessed and not reported (with a documented rationale) is evidence of a functioning compliance process.
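The notification chain and breach register described above, as an added example that is not part of the original post or of Custodia's tools. It models each incident as a register entry, measures how long the bookkeeper took to tell the client, works out whether the client's 72-hour ICO deadline and the duty to tell individuals are triggered, and keeps the documented rationale even for incidents that are assessed as not notifiable. The three incidents, their times and the 24-hour internal target for processor-to-client notification are constructed for illustration; the post gives no figure beyond "hours, not days".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ICO_WINDOW = timedelta(hours=72)  # controller -> ICO, GDPR Article 33(1)
# "Without undue delay" for a processor means hours, not days. 24 hours is an
# assumed internal target for this example, not a figure from the post or the ICO.
PROCESSOR_TARGET = timedelta(hours=24)


@dataclass
class Incident:
    ref: str
    client: str
    summary: str
    processor_aware: datetime            # when the bookkeeper became aware
    client_notified: Optional[datetime]  # when the client (controller) was told; None if still outstanding
    risk: str                            # assessed risk to individuals: "none", "risk" or "high"
    rationale: str                       # documented reason for that assessment


def assess(inc: Incident, now: datetime) -> dict:
    """Build one breach-register entry and the notification chain it triggers."""
    entry = {
        "ref": inc.ref,
        "client": inc.client,
        "summary": inc.summary,
        "rationale": inc.rationale,  # recorded whether or not the ICO is notified
    }
    if inc.client_notified is None:
        delay = now - inc.processor_aware
        entry["client_notification"] = "OUTSTANDING"
    else:
        delay = inc.client_notified - inc.processor_aware
        entry["client_notification"] = "on time" if delay <= PROCESSOR_TARGET else "late"
    entry["processor_delay_hours"] = round(delay.total_seconds() / 3600, 1)

    # The controller's 72-hour clock starts when it becomes aware. For a breach
    # you detect, that is the moment you notify the client, so every hour of
    # your own delay pushes the whole chain back.
    entry["ico_notification_required"] = inc.risk in ("risk", "high")
    entry["ico_deadline"] = (
        (inc.client_notified + ICO_WINDOW).isoformat(timespec="minutes")
        if entry["ico_notification_required"] and inc.client_notified is not None
        else None
    )
    entry["individuals_notification_required"] = inc.risk == "high"
    return entry


def build_register(incidents, now: datetime) -> list:
    """Return the breach register as a list of entries, one per incident."""
    return [assess(inc, now) for inc in incidents]


# Constructed sample incidents; names, dates and details are made up.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Acme Widgets Ltd", "Payroll summary emailed to wrong recipient",
             datetime(2025, 3, 3, 9, 15), datetime(2025, 3, 3, 11, 40), "high",
             "Unencrypted file with NI numbers and bank details left a third party's mailbox"),
    Incident("INC-002", "Beta Cafe", "Laptop lost in transit",
             datetime(2025, 3, 10, 8, 0), datetime(2025, 3, 10, 10, 30), "none",
             "Disk fully encrypted, device remotely wiped, no evidence of access"),
    Incident("INC-003", "Gamma Plumbing", "Wrong client folder shared via portal",
             datetime(2025, 3, 12, 16, 0), datetime(2025, 3, 14, 10, 0), "risk",
             "Supplier names and balances visible to another client for two days"),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_INCIDENTS, datetime(2025, 3, 20, 9, 0)):
        print(entry)
```

Run stand-alone it prints the register; the useful part is the `client_notification` and `ico_deadline` fields, which make visible which incidents the processor handled promptly and which ones cost the client part of its 72-hour window.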


Retaining Client Records After the Engagement Ends

When a bookkeeping engagement ends — the client moves to another bookkeeper, sells their business, or ceases trading — you face a data retention decision. Your obligations:

  • Return or delete client personal data in accordance with your DPA. Your DPA should specify what happens to client data at the end of the engagement. The client may request return of all files; they may agree to you deleting them; or they may ask you to retain them for a defined period
  • Apply HMRC retention periods — records that you hold in your own right (for example, your own tax records that reference client transactions) must be retained for the legally required period
  • Do not retain client data indefinitely as a general practice. "We keep all client records forever" is not compliant unless there is a documented legal basis for the retention period

Practically, this means having an off-boarding process for every client engagement that includes data handling — returning files via secure transfer, confirming deletion of data from cloud platforms, and documenting what was done and when.


AML Due Diligence and Identity Checks

Bookkeepers supervised under the Money Laundering Regulations 2017 (MLR 2017) must carry out Customer Due Diligence (CDD) on their clients. This involves collecting and verifying identity documents — passports, driving licences, proof of address — which contain personal data.

Under GDPR, this AML data:

  • Has a clear lawful basis: Article 6(1)(c) — legal obligation (compliance with the MLR 2017) and, where beneficial ownership is involved, potentially Article 9(2)(g) for special category data
  • Must be retained for 5 years after the end of the business relationship (MLR 2017 Regulation 40)
  • Must be securely stored with access restricted to those who need it
  • Cannot be used for purposes beyond AML compliance

If HMRC or your supervisory body (ICAEW, AAT, or another AML supervisor) requests AML records, you must provide them. This is a lawful disclosure under Article 6(1)(c) and does not require the client's consent.

The 5-year AML retention requirement overrides any instruction from a client to delete their identity documents early. Document this in your DPA and your practice's data retention policy.
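A documented retention schedule with scheduled deletion, as called for in the HMRC versus data minimisation section, the off-boarding section and the AML section above. This is an added example, not code from the original post or from Custodia. It encodes the retention periods the post quotes (VAT 6 years, PAYE 3 years after the tax year, company records 6 years, self-assessment 5 years after the 31 January deadline, AML CDD 5 years after the relationship ends), distinguishes records held as a processor from records held as a controller, follows the client's off-boarding instruction for processor records, and applies the rule that the AML retention period overrides an early deletion request. The record references, dates and categories are constructed; the statutory periods are stated as the post gives them and should be checked against current HMRC and MLR 2017 guidance before use.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods quoted in the post, as whole years after the triggering event.
RETENTION_YEARS = {
    "vat": 6,              # from the end of the VAT accounting period
    "paye": 3,             # from the end of the tax year
    "company": 6,          # from the end of the accounting period
    "self_assessment": 5,  # from the 31 January filing deadline
    "aml_cdd": 5,          # from the end of the business relationship (MLR 2017 reg. 40)
}


@dataclass
class Record:
    ref: str                            # constructed identifier, e.g. "VAT-2019-Q1"
    category: str                       # key into RETENTION_YEARS
    role: str                           # "processor" (client's data) or "controller" (your own records)
    trigger: date                       # date the retention clock starts
    client_instruction: str = "retain"  # "retain", "return" or "delete", per the DPA / off-boarding
    legal_hold: bool = False            # e.g. ongoing litigation


def add_years(d: date, years: int) -> date:
    """Add whole years, collapsing 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> date:
    """Earliest date on which the statutory retention period for this record has run."""
    return add_years(rec.trigger, RETENTION_YEARS[rec.category])


def disposition(rec: Record, today: date) -> tuple:
    """Return (action, reason) for one record on the given date."""
    end = retention_end(rec)
    if rec.legal_hold:
        return "retain", "legal hold: retention beyond the statutory period is documented"
    if rec.category == "aml_cdd" and today < end:
        # MLR 2017 reg. 40 overrides a client's request to delete identity documents early
        return "retain", f"AML CDD record must be kept until {end.isoformat()} regardless of client instruction"
    if rec.role == "processor" and rec.client_instruction in ("return", "delete"):
        # Processor records go back to, or are deleted for, the controller on its instruction
        return rec.client_instruction, "processor acting on the controller's documented instruction"
    if today >= end:
        return "delete", f"statutory retention period ended {end.isoformat()}; no other basis recorded"
    return "retain", f"within statutory retention period until {end.isoformat()}"


def run_schedule(records, today: date) -> dict:
    """Map each record reference to its (action, reason) for a scheduled deletion run."""
    return {rec.ref: disposition(rec, today) for rec in records}


# Constructed sample records; references and dates are made up.
SAMPLE_RECORDS = [
    Record("VAT-2019-Q1", "vat", "processor", date(2019, 3, 31)),
    Record("PAYE-2022-23", "paye", "processor", date(2023, 4, 5), client_instruction="return"),
    Record("SA-2019-20", "self_assessment", "controller", date(2021, 1, 31)),
    Record("CDD-ACME", "aml_cdd", "controller", date(2023, 5, 1), client_instruction="delete"),
    Record("CO-2017", "company", "controller", date(2018, 3, 31), legal_hold=True),
]

if __name__ == "__main__":
    for ref, (action, reason) in run_schedule(SAMPLE_RECORDS, date(2025, 6, 1)).items():
        print(f"{ref:14} {action:8} {reason}")
```

Running the schedule on a fixed date rather than on `date.today()` is deliberate: it lets you dry-run a future deletion pass and record the output as evidence that the retention schedule is actually applied.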


Sole Practitioner Bookkeepers and GDPR Obligations

Sole practitioners sometimes assume that GDPR applies primarily to large organisations with dedicated compliance teams. This is incorrect. GDPR applies to any natural or legal person who processes personal data — including individual bookkeepers trading in their own name.

As a sole practitioner, you are:

  • Required to register with the ICO as a data controller for your own business data (annual fee of £40 for small organisations — turnover under £632,000, fewer than 10 staff)
  • Required to have DPAs with every client whose personal data you process
  • Required to have DPAs with your own suppliers who process personal data on your behalf (payroll software you use for your own staff, your email hosting provider if it stores client communications, your practice management software)
  • Responsible for implementing appropriate security measures for your practice

The ICO does not exempt sole practitioners from GDPR. Enforcement action has been taken against individual sole traders. The scale of your practice affects what's proportionate, but not whether the law applies.


ICB and AAT Membership and Professional Standards Alongside GDPR

The Institute of Certified Bookkeepers (ICB) and the Association of Accounting Technicians (AAT) set professional standards for bookkeepers that interact with — and in some cases reinforce — GDPR obligations.

Both bodies require members to:

  • Maintain client confidentiality (which aligns with GDPR's confidentiality obligations)
  • Act with integrity and avoid conflicts of interest
  • Maintain professional indemnity insurance (which may cover data breach liability)
  • Follow anti-money laundering regulations

ICB and AAT membership does not substitute for GDPR compliance — they are parallel obligations. But the confidentiality standards expected by your professional body are consistent with GDPR's Article 5(1)(f) integrity and confidentiality principle.

If a data breach or privacy complaint leads to an ICO investigation, a record of ICB or AAT membership and active engagement with professional standards is evidence of your professional commitment to responsible data handling. It will not prevent enforcement, but it demonstrates a culture of compliance.


Practical Next Steps

GDPR compliance for bookkeepers is achievable without specialist legal support if you approach it systematically:

  1. Audit your client list — identify every client for whom you process personal data and confirm whether you have a signed DPA
  2. Update your engagement letters — incorporate a DPA or attach one as a schedule
  3. List your sub-processors — cloud bookkeeping software, payroll platforms, document storage — and confirm DPAs are in place with each
  4. Document your data retention schedule — map retention periods to HMRC obligations and GDPR requirements
  5. Review your security measures — laptop encryption, MFA on cloud platforms, secure file transfer practices
  6. Create a breach register and incident response plan — including your client notification chain
  7. Review your ICO registration — confirm you are registered and your registration reflects your current processing activities

A free scan at https://app.custodia-privacy.com/scan will identify trackers, cookies, and data flows on your bookkeeping practice's own website — a useful first step in understanding your digital compliance posture. Custodia also provides AI-powered tools for generating data processing agreements, privacy notices, and data retention policies tailored to professional services businesses.

GDPR and bookkeeping share a common principle: accurate records, properly maintained, with clear audit trails. The data protection framework asks for exactly the same rigour that good bookkeeping already demands.
