
Data Protection

Data Protection legislation in the UK will change when the General Data Protection Regulation (GDPR) comes into force in 2018. The GDPR will apply to any organisation that stores or processes personal information, irrespective of its size.

The Data Protection Act 1998 (DPA)

The Data Protection Act 1998 is the current legislation. It came into force on 1 March 2000 and established the rules on how companies and organisations should process personal data. Personal data is information that identifies living individuals such as their name, date of birth and address. It covers paper and electronic records.

Forthcoming changes: the General Data Protection Regulation and Data Protection Bill

On 25 May 2018 the General Data Protection Regulation (GDPR) will come into force. A new Data Protection Bill is also expected at around the same time. Until then the DPA will still be the relevant legislation, so as well as continuing to ensure compliance with it, members and member firms are advised to start preparing for the GDPR sooner rather than later.

General Data Protection Regulation (GDPR)

Detailed guidance on how to implement the GDPR is not yet available from the Information Commissioner’s Office (ICO). It is expected to be available late 2017/early 2018. ICAEW will publish its own guidance for members in late 2017 in the form of updated technical releases and helpsheets. In the meantime, visit our dedicated GDPR web page for background information as well as the latest updates on the implementation of GDPR.

The ICO website has the following guidance, which provides good starting points for anyone wishing to understand the GDPR and its implications for their organisation:

EU-US Privacy Shield

The EU–US Privacy Shield replaced "Safe Harbor" in July 2016. Read the background information and find out the latest updates.

ICAEW guidance on the Data Protection Act

Please note: all the following technical releases and helpsheets will be updated and/or withdrawn to reflect the impact of the GDPR and the Data Protection Bill on members and member firms.

Technical release

TECH 05/14BL Data protection - handling information provided by clients

This release is a guide to the specific issues faced by professional accountants in practice and practising firms when handling personal data (client data) provided by clients. The guidance should not be relied on by practitioners outside the UK as requirements elsewhere may vary.

It supersedes TECH 07/04 ("The implications of the Data Protection Act for major practice streams") which has been withdrawn with immediate effect.

Helpsheet 17 on data protection

The Data protection helpsheet is complementary to TECH 05/14BL "Data protection - handling information provided by clients".

The helpsheet concentrates primarily on "firm data" but also relates to client data where the firm acts as controller or joint controller in relation to that data. Firm data is personal data held by a firm in relation to its own management, such as details about its employees and affairs generally, including marketing databases.

The implications of the Data Protection Act for major practice streams

This technical release provides guidance for practitioners on undertaking various types of practice activity while continuing to comply with the provisions of the Act.

Registration of accountancy practices

Almost all accountancy firms should be registered with the Information Commissioner's Office (ICO) as data controllers. Sole practitioners or firms which are not registered should consider their position without delay, or risk enforcement action by the ICO. For further guidance visit the ICO's website. You can also find out about the changes that will be introduced following the implementation of the GDPR.