Data protection and privacy

Data protection and privacy are matters of professional concern to accountants in practice, industry or commerce. Organisations that collect, store or process personal information (personal data) on living and identifiable people (data subjects) must comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). Other relevant data protection and privacy legislation includes the Privacy and Electronic Communications Regulations (PECR), the Freedom of Information Act (FOIA) and the Data Protection (Charges and Information) Regulations 2018. This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.

In this section

FAQs, helpsheets and guidance

November 2020 Update: Data protection and Brexit

When the transition period ends on 31 December 2020, the UK will become what is known as a ‘third country’ by the EU. This means UK organisations or individuals cannot assume they can continue to process the personal data of EU data subjects in the same way as now.

Articles and features

HMRC to publish furlough claim details

If you are claiming furlough grant monies on behalf of your clients from 1 December 2020 you may wish to make your clients aware that HMRC is required to publish the names of employers and an indicative value of claims in the public domain irrespective of any data protection agreements you may have in place with them.

Webinars and recordings

Tech essentials - cyber recovery

Gain practical advice on how to be aware of vulnerabilities and threats, securing your data and recovering from a data breach.

Essential update: GDPR and cyber security

This webinar will offer practical advice on GDPR and examine how taking simple steps can reduce the risk of cybercrime against individuals and companies. Hear insights from Dr Jane Berney, Manager, Business Law, ICAEW and Mark Taylor, Technical Manager, ICAEW.

How to scope an approach to GDPR readiness

In this webinar Stephen Adshead describes how Crowe Clark Whitehill prepared for GDPR. The webinar provides an insight into how Crowe Clark Whitehill educated their employees on GDPR and the steps they took internally to ensure they were ready for this major update of data protection regulations.

How can I tell if I'm GDPR compliant?

In this webinar we briefly explore what it means to be compliant with the General Data Protection Regulation. The GDPR is based around a set of key principles and the assertion: 'The protection of natural persons in relation to the processing of personal data is a fundamental right'. This webinar briefly highlights some of the key principles and obligations as they apply to being GDPR compliant.

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business. Find out more about Atom Content Marketing

New law: Issues for UK businesses transferring personal data about EEA individuals to the UK mount up as end of Brexit transition period approaches

Businesses that transfer personal data about individuals in the EEA (the European Economic Area, which means EU member states, plus Norway, Iceland and Liechtenstein) to the UK should be taking action now to prepare for the end of the Brexit transition period, when the UK becomes a ‘third country’.

Case law: Information Commissioner’s Office publishes code of practice for providers of online services which children are likely to access

Organisations providing online services to children up to 18, or online services that children are likely to access, should consider whether they are complying with a new age appropriate design code of practice published by the Information Commissioner’s Office (ICO).

Disclaimer: These publications from Atom Content Marketing are for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
The Library & Information Service provides a hand-picked collection of eBooks as a benefit of membership. If you are unable to access an eBook, please see our Help and support or contact library@icaew.com

Personnel records and data protection

This chapter of the handbook looks at what personnel records an organisation should keep, data protection (please note this section has not been updated to reflect the Data Protection Act 2018 / GDPR) and the monitoring of e-mail and telephone calls. A sample e-mail and internet policy is supplied.

Employer's handbook 2017-18

The Employer's Handbook gives guidance for all small- to medium-sized employers in the UK, clearly identifying the legal essentials and best-practice guidelines for effective people management.

The EU General Data Protection Regulation (GDPR): A practical guide

This handbook offers advice on the practical implementation of GDPR and analyses its impact. The guide examines the scope of GDPR, the organisational and material requirements for data protection, the rights of data subjects, the role of the Supervisory Authorities, enforcement and fines under the GDPR, and differences between EU jurisdictions.

Terms of use: You are permitted to access, download, copy, or print out content from eBooks for your own research or study only, subject to the terms of use set by our suppliers and any restrictions imposed by individual publishers. Please see individual supplier pages for full terms of use.

The Library & Information Service provides a hand-picked collection of industry press articles as a benefit of membership. If you are unable to access an article, please see our Help and support or contact library@icaew.com

BA breach penalty sets precedent for future effectiveness of GDPR

The article looks at the ramifications of the 90% reduction of BA's fine for a 2018 data breach in which the information of hundreds of thousands of customers was stolen.

Data governance in digital transformation

The article discusses how to carry out safe data governance amidst the digital transformation of an organisation. It also cites the benefits of data governance for organisations, such as enhanced competitiveness, better reputation, and lower costs and fines associated with data breaches, as well as the five pillars of data governance, including workforce development, organisational structure, data policies, and technology infrastructure.

Looking beyond Privacy Shield, how likely is a post-Brexit data adequacy deal?

In this article the author discusses how the striking down of Privacy Shield has been hailed as a victory for digital rights and privacy campaign groups, and how it will have consequences that go beyond transatlantic data transfers. It notes that there are several things British-based organisations can do right away to put themselves in the best possible position going forward.

Terms of use: You are permitted to access articles subject to the terms of use set by our suppliers and any restrictions imposed by individual publishers. Please see individual supplier pages for full terms of use.

Data Protection Act 2018

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Guide to Privacy and Electronic Communications Regulations

Guidance from the ICO for organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public.

Guide to the General Data Protection Regulation (GDPR)

Guide from the ICO explaining the provisions of the GDPR and what organisations need to do to comply with its requirements. Includes ‘In brief’ summaries and checklists as well as more detailed content in key areas.

* Some of the content on this web page was provided by the Chartered Accountants’ Trust for Education and Research, a registered charity, which owns the library and operates it for ICAEW.