GDPR for accountants in the UK: ICAEW, ACCA & AML
Steven | TrustYourWebsite · 17 May 2026
UK accountancy practices process unusually sensitive personal data — tax filings, payroll, source-of-funds evidence, business and personal bank statements, director ID — and they operate under several overlapping regulators. Getting GDPR right means understanding the interactions between the UK GDPR, the Data Protection Act 2018, the Money Laundering Regulations 2017, your professional body's Code of Ethics and (for audit work) the Financial Reporting Council's standards.
This guide covers the data protection obligations specific to UK accountants in practice, what to display on your website, and how to reconcile MLR retention with the right to erasure.
The regulatory landscape
UK accountants in practice sit under several supervisors at once:
- ICO (Information Commissioner's Office) — supervises data protection
- HMRC Money Laundering Supervision — default AML supervisor unless you are a member of a Professional Body Supervisor (PBS)
- Professional Body Supervisors — ICAEW, ACCA, AAT, CIOT, ICAS, Chartered Accountants Ireland (CAI), ATT, AIA, IAB and others listed in Schedule 1 to the MLR 2017
- FRC (Financial Reporting Council) — audit and assurance standards for registered audit firms
- HMRC as tax authority — accountancy practices act as agents of clients in dealings with HMRC
Unlike solicitors (a single SRA regulator for England and Wales), accountancy in the UK is not a legally reserved profession: anyone can call themselves an "accountant". What is regulated is the activity — audit, insolvency, tax advice for credit institutions, AML-supervised work. If you operate as a non-PBS-supervised accountancy service provider you must register with HMRC for AML supervision before taking on a single client.
Client data flows
A typical practice handles:
- Personal income data (self-assessment, P60s, dividend statements)
- Business bank statements and accounting records
- Payroll data (employee names, NI numbers, pay rates, pension contributions, salary-sacrifice arrangements)
- VAT records and Making Tax Digital (MTD) submissions
- Source-of-funds evidence for AML customer due diligence
- Director and PSC (Persons with Significant Control) ID documents
Some of this is special-category data under UK GDPR Article 9 — for example, salary-sacrifice arrangements based on health, religious-pension contributions, or maternity-pay records on payroll. The DPA 2018 Schedule 1 conditions you rely on must be documented in an appropriate-policy document where the processing is based on Article 9(2)(b) (employment law) or Article 9(2)(g) (substantial public interest).
Provide a privacy notice at the start of every engagement, covering what you collect, why, who else will see it (HMRC, Companies House, payroll bureau, cloud-accounting platform, AML database) and how long you retain it.
Lawful basis
For most accountancy work the lawful basis is:
- Article 6(1)(b) — contract for the engagement itself (preparing accounts, filing returns, payroll runs)
- Article 6(1)(c) — legal obligation for AML customer due diligence, tax filings, statutory accounts, payroll RTI submissions to HMRC
- Article 9(2)(b) or (g) for any special-category data in payroll
- Article 6(1)(f) — legitimate interests for marketing to existing clients (subject to PECR Reg 22 for electronic marketing — see the legitimate interests for UK marketing framework)
ICAEW's data protection guidance for member firms walks through these bases in the accountancy context and is the starting point for any ICAEW-supervised practice writing a privacy notice or DPIA. ACCA, AAT and CIOT publish equivalent practice guidance for their members.
AML retention vs the right to erasure
This is the GDPR-AML tension that catches practices out most often:
Under Regulation 40 of the Money Laundering Regulations 2017, you must retain customer due diligence records for 5 years from the end of the business relationship or completion of the transaction. After that period:
- Personal data obtained specifically for MLR purposes must be deleted under Regulation 40(5), unless another lawful basis applies (consent, ongoing legal proceedings, or another statutory obligation)
- You must not retain MLR records for more than 10 years in total
The right to erasure under UK GDPR Article 17 is therefore overridden during the 5-year MLR window. A client who terminates the engagement and then asks you to delete everything cannot have their CDD file deleted before the 5-year period elapses. Document this carve-out clearly in your privacy notice.
Tax records have their own retention rules (typically 6 years for businesses, longer for some matters), and audit working papers have their own under ISA 230. The MLR 5-year clock is independent of these and runs from the end of the relationship, not from the date the document was created.
Cloud accounting platforms
Xero, QuickBooks Online, FreeAgent, Sage Business Cloud and similar SaaS platforms are Article 28 processors when your practice uses them on behalf of a client. Each platform's terms of service incorporate a Data Processing Agreement (DPA) — review and accept it once per platform, and keep a copy.
Practical points:
- International transfers. Xero hosts production data in AWS regions including the US; QuickBooks Online is hosted by Intuit in the US. Transfers from the UK rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK-US Data Bridge for vendors who have certified under the EU-US Data Privacy Framework with the UK extension.
- Sub-processors. Each cloud-accounting vendor maintains a sub-processor list (typically AWS, Azure, Stripe, email providers, support tools). Check it before engaging the platform.
- Access control. Use role-based permissions and remove access promptly when a staff member leaves. Multi-factor authentication on every login is now baseline.
- Client data export. Confirm in writing how you will return or delete client data on termination of the practice's engagement with the vendor.
Practice-management tools and client portals
Practice-Ignition / Ignition, Karbon, AccountancyManager, Senta and equivalent tools are all processors and require DPAs. Client portals materially reduce email-based document-exchange risk: sending bank statements and ID documents over plain email is a recurring source of incidents for accountancy practices.
If you use Microsoft 365 or Google Workspace as your primary mail platform, each provides UK GDPR DPAs and supplementary measures documentation — but you should configure retention, eDiscovery and data loss prevention deliberately rather than relying on defaults.
HMRC Making Tax Digital data
MTD-compatible software is a processor whenever it submits a return on a client's behalf. MTD for VAT has been mandatory since April 2022 for all VAT-registered businesses regardless of turnover. MTD for Income Tax Self Assessment (MTD for ITSA) is phased in from April 2026 for sole traders and landlords with qualifying income above £50,000, extending to those above £30,000 from April 2027, with the £20,000 threshold expected from April 2028.
If your practice acts as an agent and submits MTD updates, confirm that your MTD-compatible software vendor (and any bridging software you use to file from spreadsheets) has a current DPA and a documented sub-processor list.
Your practice website
Required on the site:
- Company details under the Companies (Trading Disclosures) Regulations 2008 — company name, registered office, country of registration, company number if you trade as a limited company or LLP. Sole practitioners trading under a business name must display the proprietor's name and a UK service address under the Companies Act 2006 Part 41 / Business Names rules. See company website trading disclosures.
- AML supervisor name — HMRC or your PBS (ICAEW, ACCA, AAT, CIOT etc.)
- Professional body badge — most firms display the ICAEW, ACCA or AAT logo; verify your firm meets the body's brand and disciplinary status requirements before using it
- Privacy notice explaining client, payroll, AML and website-visitor data flows, lawful bases, retention periods, and how to complain to the ICO
- Cookie banner compliant with PECR and the ICO's enforcement standard — accept and reject must be equally prominent on the first layer; see cookie banner rules under the ICO
- ICO data protection fee paid (display is not legally required, but the registration is)
Common gap on practice websites: Calendly / Acuity booking widgets, HubSpot or ActiveCampaign forms, LinkedIn Insight Tag, Google Analytics, and Meta-pixel retargeting often fire before consent. A free website compliance check will surface this.
ICO data protection fee
Most accountancy practices fall into Tier 1 (micro: turnover ≤ £632,000 or ≤ 10 staff) or Tier 2 (small/medium: turnover ≤ £36m or ≤ 250 staff). The small-business exemption from registration does not apply because accountants process personal data for profit and routinely process special-category data on payroll.
A practice trading as a sole practitioner is still required to register if it processes personal data outside the narrow domestic-purposes exemption — which it always does, the moment it takes on a paying client.
Breach procedure
If a personal data breach occurs (lost laptop, misdirected email, ransomware on the file server, unauthorised access to a client portal, compromised cloud-accounting login):
- Triage within 72 hours. UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Use the ICO breach self-assessment to decide.
- Notify affected individuals (Article 34) if the breach is likely to result in a high risk to their rights — for example, exposure of bank account details or source-of-funds documents.
- Internal log. Maintain a breach register even for breaches you do not notify. The ICO will ask for it if it ever investigates.
- Professional body reporting. ICAEW members must consider whether the breach triggers the fitness/probity reporting requirements in the ICAEW Code of Ethics; ACCA members are subject to the Professional Conduct in Relation to Defaults and analogous regulations. Check your PBS's current rulebook.
- AML supervisor. A breach involving CDD records may also trigger a notification to your AML supervisor.
Practical checklist for UK accountancy practices
| Item | Required? |
|---|---|
| ICO data protection fee paid (Tier 1 or 2) | Yes |
| HMRC AML registration (unless PBS-supervised) | Yes |
| PBS membership clearly stated on website | If a member |
| Companies House details in footer | Yes, if incorporated |
| Privacy notice on website covering MLR carve-out | Yes |
| Article 28 DPA with every cloud-accounting platform | Yes |
| Article 28 DPA with payroll bureau / outsourced bookkeeper | Yes |
| MLR 2017 CDD records retained for 5 years | Yes (statutory) |
| MLR personal data deleted after retention window | Yes (Reg 40(5)) |
| Appropriate-policy document for Article 9 payroll data | Yes |
| Cookie banner with equally prominent accept/reject | Yes, if using non-essential cookies |
| Staff trained on data protection + AML | Yes |
| Breach response procedure documented and tested | Yes |
Check your practice website
Free website compliance check →
A TYW scan checks your privacy notice, cookie banner configuration, Companies House disclosures, embedded booking and CRM widgets, and trackers loaded before consent — in 60 seconds, no signup. For other professional-services context see GDPR for UK solicitors and the wider GDPR compliance for UK businesses guide.
Sources
- Money Laundering Regulations 2017, Regulation 40 — legislation.gov.uk
- Money Laundering Regulations: registration for accountancy service providers — HMRC
- ICAEW data protection guidance — Institute of Chartered Accountants in England and Wales
- ICAEW Code of Ethics — ICAEW
- ACCA Rulebook — Association of Chartered Certified Accountants
- AAT Code of Professional Ethics — Association of Accounting Technicians
- Making Tax Digital for Income Tax — HMRC
- Companies (Trading Disclosures) Regulations 2008 — legislation.gov.uk
This is technical analysis, not legal advice. Consult your Professional Body Supervisor (ICAEW, ACCA, AAT, CIOT or other), your MLRO, and a data protection specialist for advice specific to your practice.