ICAEW.com works better with JavaScript enabled.

Data protection and privacy are matters of professional concern to accountants in practice, industry or commerce. Organisations that collect, store or process personal information (personal data) on living and identifiable people (data subjects) must comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Other relevant data protection and privacy legislation includes the Privacy and Electronic Communications Regulations (PECR), the Freedom of Information Act (FOIA) and the Data Protection (Charges and Information) Regulations 2018. This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.

Current legislation 

There are a number of pieces of legislation with which members should comply including: 

  • Data Protection Act 2018 (which incorporates the UK GDPR into UK law); 
  • Data Protection (Charges and Information) Regulations 2018; 
  • 2003 Privacy and Electronic Communications Regulations; and 
  • Freedom of Information Act 2000. 

Data Protection Act 2018 (DPA 2018) and the UK GDPR

The Data Protection Act 2018 (DPA 2018) came into force in 2018, replacing the Data Protection Act 1998 (DPA 98). It incorporated the UK GDPR into law.

The DPA 2018, like its predecessor, applies to the ‘processing of personal data’, by any business or organisation, whatever their size or sector. 

Key points:

  • Personal data is information about a particular living individual (the data subject)
  • Processing means anything you do with data such as collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
  • There are 7 principles that apply to anyone who processes data including fairness, transparency and accountability
  • The DPA 2018 distinguishes between Data Controllers and Data Processors:
    • A data controller determines the purposes and means of the processing of personal data 
    • A data processor processes personal data on behalf of the controller 
    • For more on the responsibilities of data processors and data controllers  see ICAEW’s Technical Advisory Service Helpsheet UK GDPR – Data processor or data controller
  • Data subjects have a number of rights over their data
  • Anyone who processes data can only do so if they have a "lawful Basis" as set out in the legislation, to do so. Examples include consent, legitimate interest and performance of a contract. The lawful basis must be assessed on a case by case basis and the reasoning documented. See the TAS Helpsheet – Lawful basis for processing
  • A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. There are strict rules on when to report a breach - and stiff penalties if you don’t follow the rules- see here
  • The Information Commissioner’s Office (ICO) regulates data protection in the UK. It has produces detailed guidance on the DPA 2018 and members are strongly encouraged to review its website regularly for the most up to date guidance
  • You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.

International Transfers of Personal Data

The UK GDPR restricts the transfer of personal data outside the UK unless the rights of the individuals in respect of their personal data is protected in the same way as under the UK GDPR. This means personal data cannot be transferred unless there are procedures in place to guarantee this.

Similarly the EU GDPR restricts the transfer of personal data outside of the EEA

There are two types of procedures 

  1. Adequacy  Regulations  – whereby a country agrees that the data protection regime in the receiving country provides sufficient protection for all or some transfers of personal data. Transfers between the UK and the EEA are covered by an adequacy decision but it is subject to constant review and will need to be renegotiated in 2025. See here for the countries with adequacy decisions
  2. Safeguarding mechanisms such as Standard Contract Clauses (SCCs) or Binding Corporate Rules (BCRs)

Members are advised to check the ICO’s guidance on international transfers as the rules change frequently and to seek legal advice.

Data Protection (Charges and Information) Regulations 2018

The Data Protection (Charges and Information) Regulations 2018 introduced a new 3 tier fee structure for data controllers replacing the registration (notification) fee payable under the DPA 98. Under the new rules any organisation that determines the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt.

Privacy and Electronic Communications Regulations (PECR)

The 2003 Privacy and Electronic Communications Regulations (PECR) sit alongside the DPA 2018 and the GDPR. It gives people specific privacy rights in relation to electronic communications with rules on marketing calls, emails, texts and faxes as well as cookies (and similar technologies). It applies to any organisation that sends electronic marketing messages (by phone, fax, email or text), uses cookies, or provides electronic communication services to the public. It is expected to be revised in the near future.

See the ICO’s guides on PECR and Direct Marketing for further information on what this means for you and for details of any changes.

Freedom of Information Act 2000 (FOIA)

The Freedom of Information Act 2000 obliges public authorities to publish certain information about their activities; and members of the public are entitled to request information from public authorities. It is based on the principle that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.

The FOIA designates a wide range of bodies as public authorities. The Secretary of State, however, may designate as a public authority for the purposes of the FOIA an entity that is providing, under a contract made with a public authority, a service whose provision is a function of that authority. In this case if a public authority, for example, outsources its internal audit services to a member, then the member could become subject to FOIA in respect of the outsourced (i.e. internal audit services in this example) service only.

For additional ICAEW guidance on the implications for members see:

Questions, links and more information from ICAEW


If you have any questions on how the above will affect you, please contact our Technical Advisory Service.

You can also contact the ICO for help.

Useful links

The Information Commissioner’s Office (ICO) has published the following guides:

More information from ICAEW