
GDPR Compliance Checklist for UK Accountants

Accountancy practices handle significant amounts of personal financial data — payroll records, tax returns, bank statements, personal details. Our document management GDPR compliance guide covers the general requirements. This checklist is specific to accountancy.

The Accountancy Compliance Context

Accountants face a dual compliance obligation: HMRC records retention requirements (typically 6 years) AND GDPR storage limitation (don't keep personal data longer than necessary). These are sometimes in tension — you must keep HMRC records for 6 years, but you must also not retain personal data beyond what's necessary. The resolution: your retention schedule should specify retention periods that satisfy both obligations, with HMRC minimums as the floor.

GDPR Compliance Checklist — Accountancy Practices

Client engagement and privacy

  • ☐ Privacy notice provided to all clients at engagement
  • ☐ Privacy notice covers: data collected, purposes, third-party sharing, retention, rights
  • ☐ Engagement letter references data protection obligations
  • ☐ Marketing emails: opt-in consent obtained, records kept
  • ☐ Client referrals: data shared only with client's knowledge/consent

Document retention and disposal

  • ☐ Written retention schedule covering all document types
  • ☐ HMRC-required records kept for minimum 6 years (5 years for self-assessment)
  • ☐ Records not kept beyond retention period without documented business reason
  • ☐ Secure disposal process — shredding or certified digital deletion
  • ☐ Destruction records maintained
  • ☐ Former client files: retention clock starts from end of engagement

Data security and access

  • ☐ Client documents accessible only to staff working on that client
  • ☐ Client portal used for document exchange (not email attachments)
  • ☐ MFA enabled for all staff accessing client data
  • ☐ Audit log active — who accessed which client file, when
  • ☐ External sharing reviewed — no anonymous share links for client documents
  • ☐ Laptops and devices encrypted
  • ☐ Clear desk policy for client documents

Third-party data sharing

  • ☐ Data sharing with HMRC: covered by legal obligation (no additional consent needed)
  • ☐ Data sharing with software providers (Xero, Sage, etc.): Data Processing Agreement in place
  • ☐ Cloud document storage: Data Processing Agreement with provider, data residency confirmed
  • ☐ Outsourced payroll or bookkeeping: Data Processing Agreement in place
  • ☐ Sub-contractors: treated as data processors, appropriate agreements in place

Subject access requests and individual rights

  • ☐ SAR process documented
  • ☐ Can respond to SAR within 30 days — all client data searchable
  • ☐ Right to erasure process: can delete data on request where no legal obligation to retain
  • ☐ Right to portability: can export client data in a usable format on request
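As an added illustration that is not part of the original guide, the retention logic behind the "Document retention and disposal" items and the right-to-erasure item above, modelled in Python: the practice's retention period is taken with the HMRC minimum as the floor, the clock starts at the end of the engagement, an erasure request is refused only while a legal obligation to retain still runs, and records held past their disposal date are flagged for a documented reason or disposal. The document types, their year figures and the sample register are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HMRC minimum retention periods (years) taken from the checklist:
# 6 years generally, 5 for self-assessment; marketing-consent records have no HMRC floor.
HMRC_FLOOR_YEARS = {"tax_return": 6, "payroll": 6, "self_assessment": 5,
                    "marketing_consent": 0}

@dataclass(frozen=True)
class Record:
    client: str
    doc_type: str
    engagement_end: date  # retention clock starts at the end of the engagement

def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_years(doc_type: str, practice_years: int) -> int:
    """The practice's chosen period, with the HMRC minimum as the floor."""
    return max(HMRC_FLOOR_YEARS[doc_type], practice_years)

def disposal_date(rec: Record, practice_years: int) -> date:
    return add_years(rec.engagement_end, retention_years(rec.doc_type, practice_years))

def can_erase(rec: Record, today: date) -> tuple:
    """Right-to-erasure check: refuse only while an HMRC obligation still runs."""
    legal_until = add_years(rec.engagement_end, HMRC_FLOOR_YEARS[rec.doc_type])
    if today < legal_until:
        return False, f"legal obligation to retain until {legal_until.isoformat()}"
    return True, "no legal obligation to retain; erase and record the destruction"

def overdue_for_disposal(records, today: date, practice_years: int) -> list:
    """Records held past their disposal date (need a documented business reason)."""
    return [r for r in records if today >= disposal_date(r, practice_years)]

# Constructed sample register and review date; this practice retains for 7 years.
AS_OF = date(2025, 1, 1)
SAMPLE_RECORDS = [Record("Acme Ltd", "tax_return", date(2017, 3, 31)),
                  Record("J Smith", "self_assessment", date(2021, 1, 31)),
                  Record("J Smith", "marketing_consent", date(2024, 6, 1))]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.client, r.doc_type, disposal_date(r, 7), *can_erase(r, AS_OF))
    print("overdue:", [r.client for r in overdue_for_disposal(SAMPLE_RECORDS, AS_OF, 7)])
```

A real schedule would also carry the document type's legal basis and the destruction record, which the checklist lists separately.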

Staff and internal data

  • ☐ Employee privacy notice in place
  • ☐ Staff personnel files: retention 6 years after employment ends
  • ☐ CCTV in office: privacy notice displayed, footage retention limited to 31 days
  • ☐ Staff trained on GDPR and data protection annually
  • ☐ Training records maintained

The Role of Your Document System

Several items on this checklist require technology to be practical: client-by-client access controls, comprehensive audit logging, a secure client portal for document exchange, and automated retention scheduling. A DMS or a well-configured SharePoint with a client portal addresses all of these. A shared file server with documents exchanged by email does not.
