UK GDPR for outsourced accounting
What a UK accounting firm must have in place — legally and practically — before sending client records to a white-label provider. Controller vs processor, what a DPA must contain, breach notification, and the ICO's expectations.
Controller vs processor
Under UK GDPR, the controller is the party that decides why and how personal data is processed. The processor acts on the controller's instructions. When your firm engages a white-label provider:
- Your firm is the controller of your client's personal data.
- The white-label provider is a processor.
- If the provider engages anyone else (cloud storage, reviewers, etc.), those parties are sub-processors and must be named in the DPA.
The Data Processing Agreement (DPA)
Article 28 of the UK GDPR requires a written contract between controller and processor before processing begins. The DPA must specify:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- The controller's obligations and rights
- Processor obligations: confidentiality, security, sub-processor rules, assistance with data-subject requests, breach notification, return or deletion of data on termination, audit rights
A reputable white-label provider will send you a DPA proactively, before requesting any data. If they don't, walk away.
Lawful basis
For accounting work on a client of yours, the lawful basis for sharing data with a processor is normally legitimate interest (delivery of the service the client engaged you for) or contract. You don't need separate client consent to use a processor, but your privacy notice should disclose that you may use processors and how data is protected.
Secure transfer
Standard email is not an acceptable channel for VAT records, bank statements or payroll data. Use the provider's encrypted portal. The ICO has repeatedly fined firms for emailing unencrypted client data — never assume “internal email is fine”.
Breach notification
If the processor experiences a data breach affecting your client's data, they must notify you without undue delay. You, as the controller, then have 72 hours to report a notifiable breach to the ICO. Your DPA should specify the processor's notification timeline in hours, not days.
International transfers
If the provider stores or processes data outside the UK, you need an appropriate transfer mechanism — typically the UK International Data Transfer Agreement (IDTA) or an adequacy decision. UK-managed providers with UK-based storage avoid this complication entirely.
Client disclosure
You are not legally required to name your processors to clients, but your privacy notice should state that you may use processors to deliver the service. If a client directly asks, answer truthfully. Most clients understand — accountants outsource printing, IT, payroll software and bookkeeping software routinely.
Quick compliance checklist
- ☐ DPA signed before any data transfer
- ☐ Encrypted portal for all file transfer
- ☐ Sub-processor list reviewed
- ☐ UK or adequate-jurisdiction storage
- ☐ Breach-notification timeline specified in hours
- ☐ Privacy notice mentions use of processors
- ☐ Documented internal record of processing activity (Article 30)
About FirmBooks
FirmBooks is a UK-managed white-label accounting service. We complete VAT returns, bookkeeping and year-end accounts for UK practices and return them under your firm's branding. Book a free meeting to learn more.