ICAEW.com works better with JavaScript enabled.

Data Protection

Data Protection legislation in the UK will change when the General Data Protection Regulation (GDPR) comes into force in 2018. The GDPR will be applicable to any organisation that may store or process personal information irrespective of their size.

The Data Protection Act 1998 (DPA)

The Data Protection Act 1998 is the current legislation. It came into force on 1 March 2000 and established the rules on how companies and organisations should process personal data. Personal data is information that identifies living individuals such as their name, date of birth and address. It covers paper and electronic records.

Forthcoming changes: the General Data Protection Regulation and Data Protection Bill

On 25 May 2018 the General Data Protection Regulation (GDPR) will come into force. A new Data Protection Act is also expected at around the same time. The Data Protection Bill is currently going through Parliament. Until then the DPA will still be the relevant legislation so as well as continuing to ensure compliance with it, members and member firms are advised to start preparing for the GDPR sooner rather than later.

General Data Protection Regulation (GDPR)

Complete guidance on all aspects of the GDPR and how to implement it is not yet available from the Information Commissioner’s Office (ICO). It is expected to be available in 2018. ICAEW will then publish its own guidance for members in late 2017 in the form of updated technical releases and helpsheets. In the meantime, we have issued the following FAQs:Read our FAQs:

These will be updated as we receive more guidance from the ICO. We will also be issuing tailored guidance for ICAEW members in due course.

We also recommend that members should visit our dedicated GDPR web page for more detailed background information as well as the latest updates on the implementation of GDPR from the ICO.

The ICO website has issued the following guides that are good starting points for anyone wishing to understand the GDPR and the changes it is introducing:

EU-US Privacy Shield

The EU–US Privacy Shield replaced "Safe Harbor" in July 2016. Read the background information and find out the latest updates.

ICAEW guidance on the Data Protection Act

Please note: all the following technical releases and helpsheets will be updated and/or withdrawn in 2018 to reflect the impact of the GDPR and the new Data Protection Act (when it comes into force) on members and member firms.

Technical release

TECH 05/14BL Data protection - handling information provided by clients 

This release is a guide to the specific issues faced by professional accountants in practice and practising firms when handling personal data (client data) provided by clients. The guidance should not be relied on by practitioners outside the UK as requirements elsewhere may vary. 

It supersedes TECH 07/04 ("The implications of the Data Protection Act for major practice streams") which has been withdrawn with immediate effect. 

Helpsheet 17 on data protection 

The Data protection helpsheet is complementary to TECH 05/14BL "Data protection - handling information provided by clients". 

The helpsheet concentrates primarily on "firm data" but also relates to client data where the firm acts as controller or joint controller in relation to that data. Firm data is personal data held by a firm in relation to its own management, such as details about its employees and affairs generally, including marketing databases. 

The implication of the Data Protection Act for major practice streams

This technical release provides guidance for practitioners on undertaking various types of practice activity while continuing to comply with the provisions of the Act.

Registration of accountancy practices

Almost all accountancy firms should be registered with the Information Commissioner's Office (ICO) as data controllers. Sole practitioners or firms which are not registered should consider their position without delay, or risk enforcement action by the ICO. For further guidance visit the ICO's website. You can also find out about the changes that will be introduced following the implementation of the GDPR.

Updated January 2018