Vertical guide · Accountancy & professional services

UK GDPR for accountants

Updated April 2026 · UK GDPR · MLR 2017 · POCA 2002 · ICAEW / ACCA applicable

An accountancy practice does not have a straightforward UK GDPR obligation — it has three overlapping ones. The firm is a data controller for its own operational data, a data processor for client data it handles under instruction, and a regulated entity under the Money Laundering Regulations 2017 whose statutory retention obligations directly conflict with UK GDPR's storage limitation principle. Each of these roles requires separate documentation, and the conflicts between them require a specific documented resolution.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

⚠ Three regulatory frameworks apply simultaneously

UK GDPR, the Money Laundering Regulations 2017, and POCA 2002 all apply to AML-supervised accountancy practices. Where they conflict — and they do, materially, on data retention and DSAR handling — the conflict must be documented and resolved in writing. A practice that complies with one and ignores the others faces serious risk from both the ICO and HMRC as its AML supervisor.

Controller and processor — both apply

Most accountancy practices are simultaneously data controllers and data processors, depending on the data in question. Understanding which role applies to which processing activity is the foundation of any compliance programme.

As a data controller, the practice determines the purposes and means of processing for its own operational data: staff records, partner and director data, practice management information, marketing, website analytics, and its own financial records. All UK GDPR obligations apply in full — lawful basis, transparency, data subject rights, security, breach notification, and accountability.

As a data processor, the practice processes personal data on behalf of its clients under the client's instructions. Payroll processing is the clearest example — the client is the employer (controller); the practice processes employee personal data (names, salaries, bank details, national insurance numbers) under the client's direction. Similarly, a practice managing employee expense systems, pension auto-enrolment, or bookkeeping that involves employee or customer data is acting as a processor.

The distinction matters because processor obligations are specific: the practice must have a Data Processing Agreement (DPA) in place with each client for whom it acts as processor, before processing begins. The DPA must comply with Article 28(3) UK GDPR. Without it, the practice is technically processing without a lawful basis for the processing relationship — and the client, as controller, is also in breach of Article 28(1).

Source: UK GDPR Articles 4(7), 4(8), 28; ICO guidance on controllers and processors

Data Processing Agreement requirements

Article 28(3) sets out the mandatory provisions a DPA must contain. A standard engagement letter, confidentiality clause, or professional services agreement does not satisfy these requirements. The DPA must specifically address:

  • That the processor will only process data on documented instructions from the controller
  • Confidentiality obligations on staff who process the data
  • Security measures appropriate to the risk (Article 32)
  • Sub-processor restrictions — the processor must not engage sub-processors without prior written consent, and sub-processors must be bound by equivalent obligations
  • Assistance to the controller in responding to data subject rights requests
  • Deletion or return of all data on termination of the engagement
  • Provision of all information necessary to demonstrate compliance and cooperation with audits
  • Notification of any personal data breach to the controller without undue delay

Many accountancy practices have DPAs in place but have not reviewed them against the Article 28(3) checklist. A DPA that does not contain all mandatory provisions is technically non-compliant, even if it broadly addresses data protection. Every DPA must be reviewed, and any gaps documented and remedied.

Source: UK GDPR Article 28(3)

The AML/GDPR retention conflict

This is the most significant data protection challenge specific to accountancy practices, and it is one that general UK GDPR guides do not address adequately. The Money Laundering Regulations 2017 (MLR 2017), regulation 40, requires accountancy firms to retain Customer Due Diligence (CDD) records — which are personal data — for five years from the end of the client relationship. HMRC, as the AML supervisor for most accountancy practices, enforces this obligation.

UK GDPR's storage limitation principle (Article 5(1)(e)) requires personal data to be deleted or anonymised when it is no longer needed for the purpose for which it was collected. The purpose of CDD data — verifying client identity for AML purposes — is fulfilled once the client relationship ends. A strict application of the storage limitation principle would require deletion at that point. MLR 2017 requires retention for five more years.

This conflict is resolved by Article 17(3)(b) of UK GDPR, which provides an exemption from the right to erasure where retention of the data is necessary for compliance with a legal obligation to which the controller is subject. The MLR 2017 five-year retention obligation constitutes such a legal obligation. However, this exemption does not apply automatically — it must be:

  • Documented in the practice's data retention policy
  • Reflected in the privacy notice served on clients (explaining that CDD data is retained for five years post-engagement under MLR 2017)
  • Applied consistently to the correct categories of data only (CDD records, not all client data)
  • Subject to a destruction process at the end of the five-year period, with destruction recorded

A practice that retains CDD data for five years under MLR 2017 without this documentation is not compliant with either UK GDPR or good data governance practice — it is simply retaining data by default. The ICO's position is that retention justified by legal obligation must still be documented and proportionate.

Source: MLR 2017 Regulation 40; UK GDPR Articles 5(1)(e), 17(3)(b); HMRC AML supervision guidance
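The retention rule above, as an added illustration that is not part of this guide or of GDPRLedger: a small Python policy engine that applies the MLR 2017 five-year hold to CDD record categories only, treats other client data under the ordinary storage-limitation rule when the engagement ends, and writes a dated entry for every disposal so the destruction itself is evidenced. The category names, record shape and log layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# MLR 2017 reg. 40: CDD records are held for five years from the end of the
# client relationship. Only these categories fall under the hold; the
# category names themselves are assumptions for this example.
MLR_HOLD_YEARS = 5
CDD_CATEGORIES = {"cdd_identity", "cdd_verification", "cdd_risk_assessment"}


@dataclass
class ClientRecord:
    client_id: str
    category: str            # e.g. "cdd_identity", "payroll", "correspondence"
    relationship_ended: date


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb start clamps to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(rec: ClientRecord, today: date) -> dict:
    """Return the action for one record with its legal basis: 'delete' for
    non-CDD data whose purpose has ended (Art 5(1)(e)), 'retain' while the
    MLR 2017 hold runs (Art 17(3)(b) exemption), 'destroy' once it expires."""
    if rec.category not in CDD_CATEGORIES:
        return {"action": "delete", "basis": "UK GDPR Art 5(1)(e)", "hold_until": None}
    hold_until = add_years(rec.relationship_ended, MLR_HOLD_YEARS)
    if today < hold_until:
        return {"action": "retain", "basis": "UK GDPR Art 17(3)(b); MLR 2017 reg 40",
                "hold_until": hold_until}
    return {"action": "destroy", "basis": "MLR 2017 reg 40 hold expired; UK GDPR Art 5(1)(e)",
            "hold_until": hold_until}


def apply_policy(records: list, today: date, destruction_log: list) -> list:
    """Decide every record; each deletion or destruction is appended to the
    destruction log with the date and basis, which is the evidence a
    supervisor or the ICO would ask to see."""
    decisions = []
    for rec in records:
        d = retention_decision(rec, today)
        if d["action"] in ("delete", "destroy"):
            destruction_log.append({"date": today, "client_id": rec.client_id,
                                    "category": rec.category, "basis": d["basis"]})
        decisions.append((rec.client_id, rec.category, d["action"]))
    return decisions
```

Run it over the practice's client register on a fixed schedule; the 'retain' outcome should also appear in the privacy notice wording, since the hold is only defensible when it is documented.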

DSAR and tipping off — the critical conflict

A client who is the subject of a Suspicious Activity Report (SAR) filed with the National Crime Agency (NCA) may submit a data subject access request to the practice. Responding fully to the DSAR would disclose the fact that a SAR has been filed — which constitutes the criminal offence of tipping off under the Proceeds of Crime Act 2002 s.333A, if it is likely to prejudice any investigation that might result.

The DPA 2018 Schedule 2 paragraph 2 provides an exemption from the right of access where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This is the mechanism by which the tipping-off risk is managed in the DSAR context.

A documented procedure should be in place before this situation arises. At minimum, that procedure should cover:

  • A check of the firm’s SAR log on receipt of every DSAR
  • Escalation to the MLRO where the requester matches a SAR subject
  • A documented assessment of whether the DPA 2018 Schedule 2 exemption applies
  • Selective withholding of SAR-related information while providing the remainder of the response
  • A structured response record retained as evidence

Given the criminal liability for tipping off, qualified legal advice should be obtained in any live case.

Source: POCA 2002 s.333A; DPA 2018 Schedule 2 Para 2; NCA Circular 004/2021

Professional body obligations

ICAEW and ACCA member firms have data protection obligations that interact with UK GDPR in two ways. First, member firms must comply with UK GDPR as a matter of law — professional body membership does not substitute for or supplement statutory compliance. Second, some professional body standards reference data protection more specifically — for example, anti-money laundering standards that address the confidentiality of CDD data.

ICAEW's Quality Assurance monitoring programme includes assessment of firms' data protection arrangements. Firms that cannot produce evidence of a compliant UK GDPR programme — including documented DPAs with clients for processor activities, a breach log, staff training records, and a data retention policy that addresses the AML conflict — are at risk of adverse findings. Evidence of a completed, governed compliance programme materially strengthens the firm's position in a QA review.

The evidence record for accountancy practices

For an accountancy practice, the evidence record must address both the standard UK GDPR obligations and the sector-specific ones. On request, a compliant practice should be able to produce:

  • An Article 30 ROPA covering both controller and processor activities
  • Executed Article 28(3)-compliant DPAs with all clients for whom it acts as processor
  • A privacy notice addressing CDD retention under MLR 2017
  • A breach log and documented breach response procedure
  • Documented staff training records
  • A data retention policy with the AML/GDPR conflict documented and resolved
  • A DSAR log showing how data subject access requests have been handled

GDPRLedger Pro is designed specifically for this complexity. The Standard programme covers the 54 core UK GDPR obligations applicable to any SME. The Pro programme adds 33 sector-specific tasks covering the processor role, the AML/GDPR retention conflict, the DPA review for regulated processors, the tipping-off procedure, the regulatory obligations matrix, and the annual re-attestation programme that reflects AML record destruction triggers. Both produce a timestamped, SHA-256 tamper-evident evidence pack.

For an AML-regulated practice, this evidence record may be assessed by the ICO, HMRC as AML supervisor, and ICAEW or ACCA in a quality assurance review. Three different audiences — one evidence record.

Record this. Every DPA executed, every CDD retention decision, every DSAR received and how it was handled, every SAR log check, every breach, every staff training session — with dates.

Not legal advice. This guide is derived from UK GDPR (DPA 2018 / DUAA 2025), MLR 2017, POCA 2002, and ICO published guidance as at April 2026. The interaction between AML obligations and data protection is highly fact-specific and firm-specific. Consult a qualified solicitor, data protection practitioner, and your AML compliance officer for advice specific to your firm.
Early access

GDPRLedger is coming soon

Join the early access list and be notified when the programme opens. £129 Standard · £449 Pro · One-off payment · No subscription.
