Get MTD for Income Tax ready
80% off your first 6 months + a £25 voucher offer

Get a £25 voucher when you send your first quarterly update to HMRC through Xero by the 7 August 2026 deadline. Voucher offer ends 7 August. Terms apply

Guide

GDPR for accountants: a UK compliance guide

How to meet your UK GDPR obligations and protect client data across your practice.

Image shows a secure and private connection taking place on a device.

Written by Jotika Teli—Certified Public Accountant with 24 years of experience. Read Jotika's full bio

Published Thursday 11 June 2026

Table of contents

Key takeaways

  • UK accountants and bookkeepers are typically data controllers under UK GDPR, which means you carry direct responsibility for how client data is collected, stored, and processed.
  • The Data Use and Access Act 2025 introduced changes to legitimate interests, automated decision-making, and data subject access requests that affect how your practice handles personal data from 2026 onwards.
  • Non-compliance with UK GDPR can result in fines of up to £17.5 million or 4% of global annual turnover, alongside serious reputational damage.
  • A structured compliance approach covering data audits, staff training, breach response plans, and proper documentation can protect your practice and strengthen client trust.

What UK GDPR means for accounting practices

The General Data Protection Regulation (GDPR) shapes how every UK accounting practice handles personal data. Since 1 January 2021, the UK has operated under its own version of GDPR, retained in domestic law following Brexit. This sits alongside the Data Protection Act 2018, which supplements and tailors GDPR for the UK context.

The Information Commissioner's Office (ICO) is the UK's supervisory authority for data protection. The ICO investigates complaints, issues enforcement notices, and has the power to levy substantial fines against organisations that fall short of their obligations.

One question that often arises is whether accountants act as data controllers or data processors. In most cases, accountants and bookkeepers are data controllers. You decide why and how client data is processed, which means you hold direct accountability under UK GDPR. You're a data processor only when you handle data strictly under a client's instructions with no discretion over its use. The ICO's own guidance confirms that the controller role applies to the majority of accounting relationships.

Key GDPR obligations for accountants and bookkeepers

Your practice must meet several core obligations under UK GDPR. Getting these right protects both your firm and your clients.

Lawful basis for processing. Every piece of personal data you process needs a valid lawful basis. For most accounting work, this will be legal obligation (for example, tax reporting duties), contractual necessity, or legitimate interest. Consent is rarely the most appropriate basis for routine accounting services, though it may apply in specific situations such as marketing communications.

Data subject rights. Your clients have the right to access their personal data, request corrections, ask for erasure, and obtain copies in a portable format. You need clear processes to respond to these requests promptly. The standard response window is one calendar month.

Data retention. You can't keep client data indefinitely. Set clear retention periods based on legal requirements and business need. HMRC generally requires tax records to be kept for at least six years, but once that period expires, you should securely delete or anonymise the data.

Breach notification. If your practice suffers a personal data breach that poses a risk to individuals, you must notify the ICO within 72 hours. You also need to inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights.

Record of processing activities (ROPA). You're required to maintain a written record of all processing activities your practice carries out. This should document what data you hold, why you process it, who has access, and how long you retain it.

Data Protection Impact Assessments (DPIAs). When you introduce new technology or processes that involve high-risk processing, you should carry out a DPIA before proceeding. This applies to activities such as large-scale profiling or systematic monitoring of client behaviour.

The Data Use and Access Act 2025: what has changed

The Data Use and Access Act 2025 received Royal Assent in June 2025, with its main provisions coming into force on 5 February 2026. This legislation updates the UK's data protection framework in several areas that directly affect accounting practices.

Recognised legitimate interests. The Act introduces a list of recognised legitimate interests that no longer require a full balancing test. This simplifies the lawful basis assessment for certain routine processing activities, though you still need to document your reasoning.

Automated decision-making. The rules around automated decision-making have been updated. The previous blanket restrictions on solely automated decisions with significant effects have been replaced with a more nuanced framework. If your practice uses automated tools for credit checks or risk assessments, review these changes carefully.

Mandatory complaints procedures. By June 2026, all organisations processing personal data must have a formal complaints procedure in place. If your practice doesn't already have one, now is the time to create it. Individuals will be expected to raise complaints with you before escalating to the ICO.

Data subject access request (DSAR) clarifications. The Act clarifies that you only need to conduct reasonable and proportionate searches when responding to DSARs. This is a practical improvement for practices that receive broad or vague requests, as it provides clearer grounds for scoping your response.

For accounting practices, these changes are broadly positive. The recognised legitimate interests provision, in particular, may simplify the lawful basis assessment for routine processing such as anti-money laundering checks and tax compliance activities. Keep an eye on ICO guidance as the regulator publishes updated resources on each provision.

Penalties for GDPR non-compliance

The financial consequences of getting data protection wrong are significant. UK GDPR operates a two-tier penalty system enforced by the ICO.

  • Higher tier. For breaches of the core data processing principles or data subject rights, fines can reach up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher.
  • Standard tier. For failures relating to administrative obligations such as record-keeping or breach notification, the maximum is £8.7 million or 2% of total worldwide annual turnover, whichever is higher.

Beyond fines, the reputational damage from a data breach or enforcement action can be far more costly. Clients trust you with their most sensitive financial information. A public ICO investigation or a reported breach can erode that trust quickly, leading to lost clients and difficulty attracting new ones.

Even smaller practices are not immune. The ICO has taken action against organisations of all sizes, and the principle of accountability means you must be able to demonstrate compliance, not simply claim it. The cost of getting your data protection right is far lower than the cost of getting it wrong.

7 steps to GDPR compliance for your practice

Building a compliant practice doesn't need to be overwhelming. These seven steps provide a practical framework to work through systematically.

1. Conduct a data audit

Start by mapping every category of personal data your practice holds. Identify where it comes from, where it's stored, who can access it, and how long you keep it. This gives you a clear picture of your data landscape and highlights any gaps or risks. Include data held in email, spreadsheets, and physical files alongside your accounting software.

2. Establish your lawful basis for processing

For each type of processing you identified in your audit, determine the appropriate lawful basis. Most accounting work will fall under legal obligation or contractual necessity. Document your reasoning for each category. This documentation becomes part of your ROPA and demonstrates accountability if the ICO ever asks.

3. Update privacy notices and engagement letters

Your privacy notice should clearly explain what data you collect, why you process it, how long you keep it, and who you share it with. Review your engagement letters to make sure they reflect your data processing activities accurately. Use plain language your clients can understand. If you share data with third-party software providers or outsourced services, name them or describe the categories of recipients.

4. Implement technical security measures

Put appropriate safeguards in place to protect client data. At a minimum, this should include multi-factor authentication (MFA) on all systems, encryption for data at rest and in transit, and role-based access controls so staff only see the data they need. Review your security setup regularly, particularly when you adopt new tools or change your working practices.

5. Create a breach response plan

Have a documented plan ready before a breach happens. Your plan should cover how to identify and contain a breach, assess its severity, notify the ICO within 72 hours if required, and communicate with affected individuals. Assign clear roles so everyone in your team knows what to do. Test the plan periodically with a tabletop exercise.

6. Train your staff

Your team is your first line of defence against data breaches. Provide regular training on data protection responsibilities, phishing awareness, and secure data handling. Make sure new staff receive training during onboarding and that everyone completes refresher sessions at least annually.

Tailor the training to your practice's specific risks. Staff who handle client onboarding need to understand consent and privacy notices. Those managing digital records need to know about secure storage and access controls. Keep records of all training delivered, including dates, attendees, and topics covered.

7. Document everything

The accountability principle means you must be able to prove your compliance, not just practise it. Maintain your ROPA, keep records of DPIAs, log any breaches (even those you don't report to the ICO) and retain evidence of staff training. This documentation protects your practice if you face a complaint or investigation.

Set a regular review schedule for your documentation. At minimum, revisit your ROPA and privacy notices annually, or whenever you change your services, adopt new software, or start working with new types of client data.

How GDPR intersects with Making Tax Digital

Making Tax Digital (MTD) is changing how practices handle tax data, and this has direct implications for GDPR compliance. MTD for VAT is already in place. MTD for Income Tax Self Assessment (MTD ITSA) will require quarterly digital submissions, which means more frequent transfers of personal and financial data between your practice, your clients, and HMRC.

Each data exchange is a GDPR touchpoint. More frequent submissions mean more opportunities for data to be intercepted, misdirected, or accessed without authorisation. This makes secure data transfer channels essential. Avoid sending client data by email wherever possible. Use encrypted file-sharing tools or client portals instead.

Cloud accounting software can help you manage both compliance streams in one place. Digital record-keeping for MTD aligns well with GDPR's accountability requirements, since your data is already structured, searchable, and auditable. The key is to make sure your MTD workflows don't introduce new data protection risks.

Think about how you currently collect client records for quarterly submissions. If clients are emailing spreadsheets or sending documents through unsecured channels, each transfer is a potential vulnerability. Establishing secure, consistent data collection processes now will serve both your MTD and GDPR obligations as submission frequencies increase.

How Xero supports GDPR compliance in your practice

Xero provides several built-in features that can help your practice meet its data protection obligations. These tools don't guarantee compliance on their own, but they provide a strong technical foundation to build on.

Security features. Xero includes multi-factor authentication as standard, adding an extra layer of protection beyond passwords. Data encryption protects information both in transit and at rest. Role-based access controls let you restrict who on your team can view or edit specific client data.

Cloud-based storage. Xero's cloud infrastructure means client data is stored securely with redundancy across multiple data centres. This supports your business continuity planning and reduces the risk of data loss from local hardware failure or theft.

Practice management tools.Xero HQ gives you a centralised view of your client portfolio, helping you track compliance tasks and manage client communications in one place. Xero Practice Manager supports workflow management and job tracking, while Xero Tax streamlines your tax compliance processes. Together, these tools can help reduce the manual handling of sensitive data across disconnected systems.

Using a connected platform also makes it easier to respond to data subject access requests. When client data sits in one system rather than scattered across email, spreadsheets, and local drives, you can locate and retrieve it far more efficiently within the one-month response window.

Strengthen your practice with Xero

GDPR compliance is an ongoing commitment, not a one-off project. By building data protection into your everyday workflows, you protect your clients, your reputation, and your practice.

Xero's partner programme gives you access to the tools, training, and support you need to run a secure, efficient, and compliant practice. Whether you're strengthening your security setup or streamlining how you manage client data, the right platform makes the process simpler. Join the partner programme to get started.

FAQs on GDPR for accountants

Here are answers to some frequently asked questions about GDPR for accountants.

Is an accountant a data controller or data processor under GDPR?

The practical implication of your controller status is how it affects your relationships with third-party providers. If you use cloud accounting software or outsource payroll, those providers act as your data processors. You need written data processing agreements with each one, setting out exactly how they can handle your clients' data, what security measures they must maintain, and what happens to the data when the contract ends.

How long can accountants keep client data under GDPR?

Different categories of client data carry different retention requirements. Tax records follow HMRC's six-year rule, but other data types such as client correspondence, engagement letters, and working papers may have shorter or longer retention periods depending on their purpose. Create a retention schedule that maps each data category to its specific legal or business justification, and build regular deletion reviews into your practice calendar so expired data doesn't accumulate unnoticed.

Do accounting firms need a data protection officer?

Most small to mid-sized accounting practices are not legally required to appoint a data protection officer (DPO). The requirement applies mainly to public authorities or organisations whose core activities involve large-scale systematic monitoring or processing of special category data. However, designating someone in your practice to oversee data protection is still good practice, even if a formal DPO appointment isn't mandatory.

What should you do if your practice suffers a data breach?

Not every breach needs reporting to the ICO. A breach is notifiable only if it poses a risk to individuals' rights and freedoms, such as exposed bank details or tax records. Low-risk incidents, like a misdirected email caught and recalled immediately, still need logging internally but don't require ICO notification. If a third-party software provider's systems are compromised, they must inform you as the controller, and you're then responsible for assessing whether ICO notification is needed.

How does the Data Use and Access Act 2025 affect accountants?

The most immediate action item is the mandatory complaints procedure deadline of June 2026. If your practice doesn't already have a formal process for clients to raise data protection concerns, you need one in place before that date. This includes providing an electronic complaints form, acknowledging complaints within 30 days, and responding without undue delay. Individuals will be expected to use your complaints process before escalating to the ICO, so having a clear, accessible procedure can help you resolve issues before they become regulatory matters.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.

Become a Xero partner

Join the Xero community of accountants and bookkeepers. Collaborate with your peers, support your clients and boost your practice.