ICAEW.com works better with JavaScript enabled.

Data Protection

Data protection and privacy are matters of professional concern to accountants in practice, industry or commerce.

Share your GDPR and DPA 2018 experience

We will use this to help other members

Contact us

This page is a brief introduction to the current legislation:

  • Data Protection Act 2018;
  • Data Protection (Charges and Information) Regulations 2018;
  • 2003 Privacy and Electronic Communications Regulations; and
  • Freedom of Information Act 2000.

For details on the General Data Protection Regulation (GDPR), see Our Guide to the GDPR.
For details of ICAEW’s data protection policies, please see our Privacy Notice.

Data Protection Act 2018

Data protection legislation in the UK changed when the General Data Protection Regulation (GDPR) came into force on 25 May 2018. At the same time the Data Protection Act 2018 (DPA 2018) came into force, replacing the Data Protection Act 1998 (DPA 98).

The GDPR applies to any individual and organisation trading within the EEA that may store or process personal data, irrespective of the size or function of the organisation. For more details on how the GDPR affects members see our Guide to the GDPR.

The DPA 2018 incorporates the GDPR into UK law as well as adding derogations allowed by the GDPR and new requirements covering law enforcement data and national security data.

The DPA 2018:

  • Implements the GDPR standards into UK law across all general data processing.
  • Gives exemptions from the GDPR for certain organisations undertaking the following activities: journalism, research, financial services and legal services.
  • Sets 13 as the age when children can give consent for the online processing of their personal data.
  • Gives a new right for those aged 18 years or older to have their data deleted if there are no legitimate grounds for retaining it.
  • Introduces a bespoke regime for the processing of personal data by the police, law enforcement and criminal justice agencies.
  • Provides new safeguards to enable the intelligence agencies to manage security threats.
  • Gives additional powers to the Information Commissioner including the ability to set fines in line with the GDPR (ie the higher of £17m (20m euros) or 4% of the global annual turnover for the most serious breaches).
  • As well as retaining the offences included in the DPA 98, two new offences have been added. These are:
    • intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; and
    • altering records with the intent to prevent disclosure.

For more details on what the DPA 2018 will mean for you please see the Information Commissioner’s Office’s (ICO) guide which will be updated on a regular basis.

Data Protection (Charges and Information) Regulations 2018

The Data Protection (Charges and Information) Regulations 2018 introduced a new 3 tier fee structure for data controllers replacing the registration (notification) fee payable under the DPA 98. Under the new rules any organisation that determines the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt.

See details on who has to pay and how much.

Privacy and Electronic Communications Regulations (PECR)

The 2003 Privacy and Electronic Communications Regulations (PECR) sit alongside the DPA 2018 and the GDPR. It gives people specific privacy rights in relation to electronic communications with rules on marketing calls, emails, texts and faxes as well as cookies (and similar technologies). It applies to any organisation that sends electronic marketing messages (by phone, fax, email or text), uses cookies, or provides electronic communication services to the public.It is due to be revised in 2019.
See the ICO’s guides on PECR and Direct Marketing for further information on what this means for you.

Freedom of Information Act 2000 (FOIA)

Under The Freedom of Information Act 2000 public authorities are obliged to publish certain information about their activities; and members of the public are entitled to request information from public authorities. It is based on the principle that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.

The FOIA designates a wide range of bodies as public authorities. The Secretary of State, however, may designate as a public authority for the purposes of the FOIA an entity that is providing, under a contract made with a public authority, a service whose provision is a function of that authority. In this case if a public authority, for example, outsources its internal audit services to a member, then the member could become subject to FOIA in respect of the outsourced (ie internal audit services in this example) service only.

Further guidance is available from the ICO.

For ICAEW guidance on the implications for members see:


If you have any questions on how the above will affect you, please contact our Technical Advisory Service.