UK GDPR – Data processor or data controller?

This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members to make their own assessment whether they act as a data processor or data controller under the UK General Data Protection Regulation (UK GDPR). This helpsheet is not intended to provide comprehensive advice and you should refer to additional sources of information where appropriate, including legal advice if necessary. Detailed guidance is also available from the Information Commissioner’s Office (ICO).

Members may also wish to refer to the following related helpsheets:

• UK GDPR – Lawful basis for processing
• UK GDPR – Communicating safely with clients
• UK GDPR – Data breaches

In its guidance, the ICO considers that accountants, along with other professional service firms, will generally be considered to be data controllers.

There are currently differences in opinion held by some firms who have sought their own legal advice, specific to their circumstances. This helpsheet is no substitute for such advice and does not aim to restrict the opinion of any firm. Instead, the aim of this helpsheet is to inform firms about the expectation of the regulator, in order to assist the firm in arriving at their own assessment.

Where there is doubt, firms are advised to seek independent legal advice on their own position.

The UK GDPR defines a data processor and a data controller as follows:

• ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The ICO has produced guidance on the difference between data controllers and processors.

Decisions that only data controllers can make

It is data controllers rather than data processors that decide:

• To collect personal data in the first place;
• The lawful basis for doing so;
• What types of personal data to collect;
• The purpose or purposes the data are to be used for;
• Which individuals to collect data about;
• Whether to disclose the data, and if so, to whom;
• What to tell individuals about the processing;
• How to respond to requests made in line with individual’s rights; and
• How long to retain the data or whether to make non-routine amendments to the data.

Role of accountants

Accountants should consider their role and responsibility in relation to processing personal data for each processing activity. If they determine the purposes and means of the processing of personal data, then they are a controller. An organisation cannot be both data controller and processor for the same data processing activity; it must be one or the other. This must be decided on a case by case basis.

There can be a tendency (highlighted in the ICO’s guidance issued under the Data Protection Act 1998) for the ‘main’ data controller organisation to deem its sub-contractor, professional adviser or consultant to be its data processor. Sometimes this can be written into a contract. However, the fact that an organisation contracts or employs another organisation to provide a service to it does not mean that the other organisation becomes its data processor in every case. Whether an organisation is a data controller or data processor will depend on their role and responsibilities in relation to the processing. The client may not have sole data controller responsibility even though they initiated the work.

Professional obligations

Accountants and similar providers of professional services work are specifically highlighted in the ICO’s guidance as working under a range of professional obligations which oblige them to take responsibility for the personal data they process, including, for example, the need to report (where appropriate) to the authorities without acting on the client’s instructions. In that context, the accountant would be acting as a data controller.

One such professional obligation is imposed by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. When acting as auditors, external accountants, insolvency practitioners or tax advisers, in certain circumstances, there is an obligation to make a Suspicious Activity Report to the National Crime Agency (further guidance can be found in section 6 of the CCAB Anti-money laundering guidance for the accountancy sector). Such reports contain personal data and would certainly be made without the authority of the data subject or the client. As a result the firm would not be processing data on behalf of the controller in this context. In processing data that is subject to the firm’s assessment as to whether or not there is any need for a Suspicious Activity Report to the National Crime Agency, the firm is, according to the ICO’s guidance, acting as a data controller. The firm is determining the purposes and means of the processing of the personal data and is therefore acting as a controller.

There may be work carried out by a firm which is not subject to a range of professional obligations and for which therefore the firm may be a data processor. For example, this might be the case for assignments that do not contain any financial data, such as a practitioner marking examination papers under instructions from an examining body. The name of the candidate and their exam mark would be personal data – but the practitioner would not be making decisions about the use of the data (such as whether or not any anti-money laundering reporting was required - as this would not be applicable) nor any of the other decisions that would result in the firm being a data controller.

For services provided by accountancy firms, the ICO expects the accountancy firm to be a data controller where the firm determines the purpose and means of processing personal data. The ICO accountancy example demonstrates that additional professional obligations (such as the ICAEW Code of Ethics or Anti-Money Laundering Regulations) result in an assessment that the firm is a data controller - even for activities that one might otherwise describe as processing.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.