
GDPR for accountants & tax advisors.
You hold the data of dozens of businesses.

Your firm holds financial records, tax returns, IDs, bank details and payroll for dozens of client businesses and their employees — some of the most sensitive data there is, concentrated in one place. Most of it flows through email inboxes and shared drives, which makes an accounting practice a high-value breach target.

€20M or 4% of turnover: maximum fine
72h to report a breach (a single leaked inbox counts)
Payroll = employee personal data
Tax law sets the legal retention period for records

What most firms are getting wrong.

None of this is malicious — it's just how the work flows. But each one is a real GDPR gap a client, a competitor or a disgruntled ex-collaborator can report.

📧 Sensitive documents by email

Clients email payslips, IDs and bank details as attachments. They land in personal inboxes, get forwarded, sit in "sent" folders — with no encryption, access control or deletion.

📂 One shared drive for every client

A single Google Drive or network folder holds every client's files, accessible to all staff and freelancers with no per-client access levels.

💸 Payroll sent by plain email

Payslips and payroll runs — employee personal data — go back to clients by plain email, where one wrong recipient or a leaked inbox is a reportable breach.

🔗 Software & portals with no DPA

Accounting and payroll software, client portals and cloud tools process client data with no data-processing agreement and no idea where it's stored.

🗄️ Records kept beyond retention

Files for former clients and old engagements sit on the server far beyond the legal retention period — data you no longer need but are still responsible for.

👤 Freelancers with full access

Seasonal and freelance staff get full access to everything, and that access is never revoked when the engagement or tax season ends — no off-boarding.

⚠️ It only takes one. A misdirected payroll email, a leaked inbox, a former freelancer who still has access, a client who asks "what data do you hold on us and why?" — any of these can turn into a complaint to the data protection authority. The fix is far cheaper than the incident.

How we make your firm compliant — for real.

We don't hand you a policy and leave. We change how data actually flows through your practice, with tools your team and your clients will actually use.

📥 Secure client document exchange

A simple, encrypted portal for clients to send and receive payslips, IDs and tax documents — replacing email attachments — that's easier for everyone, not harder.

🔒 Encryption & per-client access

Client data encrypted and organised with per-client access control: each member of staff sees only the clients they work on — no more one-drive-for-everyone.

Retention schedule & deletion

A retention schedule aligned to fiscal and tax law, with automated deletion once the legal period lapses — so you stop holding data you no longer need.

📄 DPAs with your providers

Data-processing agreements and storage checks for your accounting, payroll and cloud providers and portals — so your supply chain is covered too.

🔑 Off-boarding & audit logs

A clear off-boarding process for staff and freelancers, with access revoked when an engagement ends, plus audit logs of who accessed what.

🎓 Training & breach plan

A short, practical staff briefing and a simple breach procedure (including "I emailed the wrong client"), plus the records an authority will ask for.

A path that fits how firms actually work.

01 Data-flow audit

We follow real client data end-to-end: where the payslip, the ID and the tax return go, and on which device or tool.

02 Gap analysis

We flag the non-compliant flows and the concrete risks — prioritised, in plain language, not a 90-page report.

03 Remediation

We set up secure document exchange, encryption, per-client access, retention and the DPAs — and migrate you off email attachments and shared drives.

04 Train & document

A short team briefing, a breach plan and the records of processing — so it stays compliant day to day.


GDPR for accountants, answered.

The questions firms ask us most.

Is email safe for tax and payroll documents?

Plain email is not a safe channel for payslips, IDs, bank details or tax returns. Attachments end up in personal inboxes, get forwarded, sit in "sent" folders, and are never deleted — with no encryption or access control. Payroll data is employee personal data, so a leaked payslip is a reportable breach. You need an encrypted client document exchange instead of email attachments.

How long must we keep accounting records vs GDPR minimisation?

Tax and accounting law obliges you to keep certain records for a set number of years, and that legal obligation is a valid basis to retain them. But GDPR data minimisation means you must delete personal data once that legal retention period ends — you can't keep every client's files forever "just in case". We build a retention schedule aligned to fiscal and tax law, with deletion once the period lapses.

How should access work across staff and freelancers?

Each member of staff should only see the clients and data they actually work on, not one shared drive with everything. Freelancers and seasonal staff need time-limited, scoped access with proper off-boarding when an engagement ends — too many firms leave full access open long after someone has left. We set up per-client access control, audit logs and an off-boarding checklist.

Do we need DPAs with our accounting/payroll software?

Yes. Your accounting platform, payroll software, client portal, email and cloud storage all process personal data on your behalf, so you need a data-processing agreement (DPA) with each and must know where data is stored. We review your stack and put the right agreements and safeguards in place.

See exactly where your firm is exposed.

Tell us how you take in and send client documents today. We'll show you the gaps and the fix — response within 4 working hours, no commitment.
