
ICAEW, GDPR and Cyber Obligations for Accountancy Practices

Accountancy practices operate under professional obligations from their supervisory body — ICAEW, ACCA, CIMA, or AAT — alongside the data protection obligations of UK GDPR and the specific requirements of the Money Laundering Regulations. Together, these frameworks create a comprehensive set of expectations about how client financial data is held, protected, and managed. Demonstrating compliance with all of them simultaneously requires a security programme that is more robust than most small practices have in place.

ICAEW and Professional Body Obligations

The ICAEW's Code of Ethics requires members to maintain professional competence and due care, and to keep client information confidential. While the Code does not specify technical security controls, the principle of confidentiality — treating information about clients as confidential unless there is a right or duty to disclose — creates a professional obligation to protect that information from unauthorised access. A practice that is breached because it lacked appropriate security has arguably failed its professional obligation of confidentiality, not just its GDPR obligations.

ICAEW's practice assurance standards require that practices maintain appropriate systems, procedures, and controls for managing client data. The practice assurance assessment process includes review of client confidentiality and data management procedures. A practice with inadequate security controls may receive adverse findings under practice assurance, with consequences for continued membership and the ability to hold a practising certificate.

ACCA, CIMA, and AAT have equivalent professional obligations under their respective codes of ethics. All major professional bodies have published guidance on cyber security for their members, and the direction of travel in their regulatory approach is consistent: cyber security is a professional competence obligation, not just an IT matter.

Money Laundering Regulations: The AML Dimension

Accountancy practices that provide tax, bookkeeping, and accountancy services are relevant persons under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. AML obligations require practices to maintain records of customer due diligence (identification documents, source of funds documentation, and risk assessments) for the required retention period, which is five years from the end of the business relationship or the completion of the transaction.

AML records are specific targets for criminal groups, both because they contain high-quality identification documents (useful for identity fraud) and because their destruction or corruption creates a regulatory compliance emergency for the practice. A ransomware attack that encrypts AML records leaves the practice unable to meet its record-keeping obligations under the regulations, a matter the Money Laundering Reporting Officer must address with the practice's AML supervisor, alongside the GDPR breach notification requirement.

UK GDPR: Financial Personal Data at Scale

The personal data held by an accountancy practice is financially sensitive at a level that the ICO treats seriously. Director personal data in company accounts, employee payroll details, self-assessment tax return information, and VAT records all constitute personal data with significant fraud utility. The practice is responsible for this data as a data controller — it cannot outsource its GDPR obligations to its software providers or its clients.

The accountability principle requires the practice to demonstrate its security measures. A practice that cannot produce evidence of MFA on its HMRC agent accounts, encryption on its practice management system, a documented breach response procedure, and staff training on data protection cannot demonstrate compliance. Following a breach, the ICO will ask for exactly this evidence — and its absence is an aggravating factor in enforcement decisions.

Making Tax Digital and Cloud Security

Making Tax Digital for Income Tax Self Assessment (MTD for ITSA), rolling out to sole traders and landlords from April 2026, requires digital record-keeping and quarterly updates submitted through MTD-compatible software. The resulting migration of a growing proportion of clients to cloud-based accounting software creates a new security consideration: the practice's access to client cloud accounting platforms (Xero, QuickBooks, FreeAgent, Sage) via practice management integrations is a new category of privileged access that requires the same security standards as HMRC agent credentials.

A compromised practice system that holds OAuth tokens or cached credentials for client Xero or QuickBooks accounts has access to live financial data, the ability to process payments (where the platform supports it), and the ability to export complete financial records. This access should be managed with the same rigour as any privileged credential: MFA, unique passwords, access revocation on staff departure, and monitoring for unusual access patterns. Revocation has to happen at the platform, by disconnecting the user or the integration there, because removing a password from the practice's own systems does not invalidate a token the platform has already issued.
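The monitoring described above can be expressed as a handful of rules over access events. The following is an added example, not code from the original page or from any of the platforms it names: it runs a small set of checks over constructed access-log lines (the log format, the staff roster, the engagement map, the baseline countries and the event data are all assumptions made for illustration; real platforms expose access history in their own formats). The rules are the ones the paragraph implies: use of a token after the staff member has left, access by someone not assigned to that client, access from a country the staff member does not normally work from, money-moving or bulk-export actions, and out-of-hours activity.

```python
"""Triage of access to client cloud-accounting tenants via practice-held
credentials. Everything here (log format, roster, engagement map, baseline
countries, sample events) is constructed for illustration; it is not any
platform's real audit-log format."""
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    staff: str
    tenant: str
    action: str
    country: str


# Constructed HR roster: staff -> leaving date (None = still employed).
STAFF_LEFT_ON = {"alice": None, "bob": date(2025, 3, 31), "carol": None}
# Constructed engagement map: which staff are assigned to which client tenant.
AUTHORISED = {"acme-ltd": {"alice"}, "bloggs-plc": {"alice", "carol"}}
# Constructed baseline of countries each staff member normally works from.
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}
# Actions that move money or bulk-export records deserve a second look.
HIGH_RISK_ACTIONS = {"export_all", "create_payment", "change_bank_details"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def parse_line(line):
    """Parse one constructed log line of the form:
    2025-04-02T03:14:00Z staff=bob tenant=acme-ltd action=export_all country=RO
    """
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        staff=kv["staff"], tenant=kv["tenant"],
        action=kv["action"], country=kv["country"],
    )


def reasons_for(ev):
    """Return the names of the rules an event trips (empty if nothing unusual)."""
    reasons = []
    if ev.staff not in STAFF_LEFT_ON:
        reasons.append("unknown_staff")
    else:
        left = STAFF_LEFT_ON[ev.staff]
        if left is not None and ev.ts.date() > left:
            reasons.append("access_after_departure")  # token never revoked
        if ev.country not in BASELINE_COUNTRIES.get(ev.staff, set()):
            reasons.append("new_country")
    if ev.staff not in AUTHORISED.get(ev.tenant, set()):
        reasons.append("not_on_engagement")
    if ev.action in HIGH_RISK_ACTIONS:
        reasons.append("high_risk_action")
    if not BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]:
        reasons.append("out_of_hours")
    return reasons


def triage(lines):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"ts": ev.ts.isoformat(), "staff": ev.staff,
                             "tenant": ev.tenant, "reasons": reasons})
    return findings


# Constructed sample log: two routine events, then a departed employee's token
# used from abroad at 03:14 to export everything, an unexpected country for a
# current employee, a payment from that country, and an account nobody knows.
SAMPLE_LOG = [
    "2025-04-01T09:15:00Z staff=alice tenant=acme-ltd action=view_invoices country=GB",
    "2025-04-01T14:02:00Z staff=carol tenant=bloggs-plc action=view_bank_feed country=GB",
    "2025-04-02T03:14:00Z staff=bob tenant=acme-ltd action=export_all country=RO",
    "2025-04-02T11:30:00Z staff=alice tenant=acme-ltd action=view_invoices country=NG",
    "2025-04-02T11:45:00Z staff=alice tenant=bloggs-plc action=create_payment country=NG",
    "2025-04-03T10:00:00Z staff=dave tenant=bloggs-plc action=view_invoices country=GB",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The roster and engagement map are the same two lists a practice already keeps for HR and client engagement purposes; joining them to platform access history is what turns "revoke access on departure" from a policy statement into something that is checked. Each rule on its own produces noise (a legitimate trip abroad, a late-night deadline), so the finding carries every reason together rather than alerting on the first match.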

Professional Obligations Met. Client Data Protected. Practice Assured.

SOC in a Box provides the continuous monitoring, Cyber Essentials certification, and monthly Confidence Score reports that address ICAEW practice assurance, ICO accountability, and AML record security simultaneously. Your named analyst monitors HMRC agent access anomalies and financial data exfiltration indicators. Evidence produced monthly, automatically.

Book a scoping call
