This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members understand the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to lawful basis for processing. Detailed guidance is available from the Information Commissioner’s Office (ICO).

Members may also wish to refer to the following related helpsheets: 

• UK GDPR – Data processor or data controller?
• UK GDPR – Client files
• UK GDPR – Communicating safely with clients
• Production and Disclosure Orders

The UK GDPR defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Obtaining, recording or simply holding personal data would be considered processing.

The UK GDPR defines Personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

ICO guidance states that personal data which has been pseudonymised (e.g. the replacement of employee names with employee numbers in a set of data) can help reduce privacy risks by making it more difficult to identify individuals, but is still personal data. Where personal data has been truly anonymised, then the anonymised data is not subject to the UK GDPR as it is no longer personal data.

Within the UK GDPR, there are six lawful bases for processing and in order to process personal data, firms must demonstrate that they fall under one of these for each processing activity. The ICO’s lawful basis interactive guidance tool can help to determine which basis is appropriate.

Consent

Consent is a very flexible lawful basis for processing, however given the UK GDPR’s high standard for consent it can be onerous to both obtain and maintain consent and therefore where there is another appropriate lawful basis for processing, consent will rarely be relied upon.

Consent under the UK GDPR requires a positive opt-in. A lack of action or pre-checked box is not acceptable. Where consent is being relied upon, there must be clear documentation of who, when and how this consent was obtained and what the individual was told at the time. This again can make reliance upon consent difficult.

Within the accountancy sector it is commonplace to send updates, news or information about other products and services offered by the firm to clients, often via email. These are not generally necessary in order to perform the contract and therefore consent may be more appropriate as the relevant lawful basis for processing.

Where such emails are sent to generic admin@ or info@ email addresses, these email addresses would not be considered personal data and would fall outside the scope of the UK GDPR. However, the Privacy and Electronic Communications Regulations (PECR) would still apply, and best practice would therefore suggest consent should still be obtained.

Consent should not be a condition of service, but should be specific and separate from other terms and conditions and be granular in nature. As such, firms should not embed consent to marketing, news and updates deep in engagement letters. A separate page should be used enabling clients to tick to opt in to each different communication (meeting the granular requirement) or where it is in an engagement letter, this should clearly be separate from the main terms, allowing clients to agree to the engagement but not other communications if they so wish.

There should also be clear instructions on how to opt-out of such communications at a later date. Communications should also contain opt-out instructions (often an unsubscribe link or instruction).

A simple example, to demonstrate consent using a letter for email communication, is shown below.

Consent should be renewed periodically. Best practice would suggest every two years as a minimum, however where annual engagement letters are issued it would be sensible to renew consent for other communications on a yearly basis.

Firms may wish to consider whether they would be able to apply a ‘soft opt-in’ approach for existing clients. It would be best practice to get positive consent as outlined above.

The ICO has published guidance on using consent as the lawful basis for processing and direct marketing which explores the requirements of the Privacy and Electronic Communications Regulations further. The European Data Protection Board (EDPB) has also published Guidelines on consent.

Please note: The EDPB includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. Although the UK has left the EU, these guidelines continue to be relevant.

Contract

You can place reliance upon contract as the lawful basis for processing where you need to process someone’s personal data to fulfil your contractual obligations to them or because they have asked you to do something before entering into a contract (e.g. provide a quote).

Any processing you do must, however, be necessary to perform the contract and if you could reasonably do what the individual needs you to do, without processing their personal data, this lawful basis will not apply.

There is often some overlap with the legitimate interests basis of processing. Where this occurs reliance should be placed on the contract in the first instance. Where you have engaged to complete an individual’s tax return for example, you would usually be relying on a contract as your lawful basis for processing their data.

Where however you have engaged to process a company’s payroll, as the employees are not a party to the contract you have with your client (the company), you would instead usually be relying on legitimate interests as your lawful basis for processing.

The ICO has published guidance on using a contract as the lawful basis for processing. The helpsheet Engagement letters and privacy notices includes guidance on the relevant data protection clauses to be included in an engagement letter.

Legal obligation

You can rely upon a legal obligation as the lawful basis for processing personal data, where it is necessary to comply with common law or statutory obligations. The legal obligation must be laid down by domestic law, but does not have to be an explicit statutory obligation, so it would include common law obligations too.

In the accountancy sector, one such legal obligation arises from the Proceeds of Crime Act 2002 which requires a suspicious activity report to the National Crime Agency where there is a suspicion of money laundering. Further guidance is available in the CCAB Anti-money laundering guidance for the accountancy sector.

Other instances where the legal obligation basis for processing would be utilised would be in an audit environment where a successor auditor taking over a statutory audit would have a right of access to the predecessor auditor’s files or where a member is compelled by a court order to provide access to files. A number of examples are explored in the Disclosure of confidential information (for members in practice) helpsheet.

The ICO has published guidance on using legal obligation as the lawful basis for processing.

Vital interests

Relying on vital interests as a lawful basis for processing is only really relevant where needed to process the personal data to protect someone’s life. It can only be used where necessary and where the individual is incapable of giving consent to the processing.

In an accountancy practice, the use of this lawful basis for processing is fortunately extremely rare and will generally only be of relevance where an individual is unexpectedly taken seriously ill and unable to provide consent themselves for their details to be passed onto relevant emergency services.

Public task

Reliance upon this lawful basis for processing is only relevant where you need to process personal data ‘in the exercise of official authority’ or to perform a specific task in the public interest that is set out in law.

It is unlikely that accountancy practices will need to rely on this lawful basis for processing, instead usually relying upon contract, legal obligation or consent. Where the public task basis is being considered as the lawful basis for processing, a firm would be best placed to seek legal advice.

Legitimate interests

Legitimate interest is the most flexible lawful basis for processing, but often it will be more appropriate to rely on another basis such as a contract for example. Where your client is the data subject (e.g. preparation of a personal tax return) then you would normally be relying on contract as the lawful basis for processing. Where the data subject is not a party to the contract you have with your client (e.g. you are preparing accounts for a company and are processing employee data as part of this work), then you would normally be relying on your legitimate interests to fulfil your engagement.

Legitimate interests may be those of a third party or your own, such as needing to disclose personal data in order to respond to a complaint being investigated by ICAEW or in the case of unpaid fees as explored in the ICO’s guidance on when individual’s interests override ours.

Where legitimate interest is used as the lawful basis for processing, you take on additional responsibility as you need to not only identify a legitimate interest, but you must be able to show that processing is necessary to achieve it and balance it against the individual’s interests, rights and freedoms.

Any processing carried out under this lawful basis must be necessary and if you can achieve the same result in another less intrusive way you will not be able to rely upon this basis.

The ICO has published general guidance on using legitimate interests as the lawful basis for processing and more detailed guidance containing more specific examples.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.