At a glance
- With cyber incidents increasing, the UK government is strengthening data regulations
- Accountants handling sensitive data need to get their heads around the new rules
- The regulatory burden increases for those with clients in other jurisdictions
- Experts recommend steps for successfully keeping clients’ data secure
In December, the UK’s National Cyber Security Centre warned that the number of cyber incidents handled by officials rose by 16% in 2024, compared to the year before. Its CEO, Richard Horne, described the cyber risks facing the nation as “widely underestimated”.
In response to the growing cyber threat, the UK government is escalating its regulation of data privacy. For accountants, this means more time spent navigating complex changes for clients, and more pressure to shore up secure data practices.
On 23 October 2024, the government introduced the draft Data (Use and Access) Bill to the House of Lords, which seeks to amend several parts of the UK GDPR and the UK Data Protection Act 2018. The update will also remove requirements under the Privacy and Electronic Communications Regulations 2003 (PECR) to obtain consent for the deployment of cookies under some circumstances – for example if the cookies are necessary for security or fraud prevention – and will also increase non-compliance fines.
The risks for accountants
Dr. Loredana Tassone, Managing Consultant and Head of EU and UK Representative Services at GRCI Law, says that accountants’ role as independent controllers leaves them exposed to the heavier fines. Data violations currently carry a maximum fine of £500,000, but the proposed new rules could raise them to £17.5 million or 4% of global turnover.

Tassone adds that mishandling client data or responding poorly to a breach can erode clients’ trust in their accountants.
She adds that non-compliance “may also lead to reputational damage, attract lawsuits from affected clients and entail loss of business opportunities.”
Lauren Murphy, CEO of Friday Initiatives, adds: “Operational inefficiencies also arise from poor data governance, causing delays, inaccuracies in reporting, and missed opportunities to unlock value from data.”
What are the considerations for clients in other jurisdictions?
Operating in jurisdictions with less stringent data protection controls presents both opportunities and risks for accountants.
Says Murphy, “On the one hand, looser regulations may accelerate innovation and the adoption of technologies like AI, providing competitive advantages. On the other, these jurisdictions face heightened vulnerabilities to data breaches, reputational harm, and compliance challenges in cross-border operations.”

Accountants with clients in other jurisdictions should implement robust technical and organisational measures, as data handled in less-regulated jurisdictions is more susceptible to misuse, theft, or unauthorised access.
The main challenge lies in the transfer of personal data and cross-border data processing activities. Tassone says that to mitigate the risk, accountants must ensure compliance with GDPR when transferring data to jurisdictions with weaker protections.
Data protection rules in UK vs Australia
Different jurisdictions take differing approaches to data protection compliance. For example, both the UK and Australia have comprehensive data protection frameworks, with similar goals and foundational principles. However, they significantly differ in scope, enforcement mechanisms, and specific provisions.
| UK | Australia |
|---|---|
| The UK’s GDPR strengthens individuals’ rights and ensures that data controllers are held accountable for how they handle personal data. It places a strong emphasis on documentation, often leading to compliance driven by paperwork rather than risk management. | Australia’s framework is less prescriptive, enabling businesses to prioritise practical risk mitigation. |
| UK Open Banking faces challenges due to GDPR restrictions on personal data identification. | Australia’s Consumer Data Right integrates seamlessly with privacy laws, fostering innovation. |
| For direct marketing, the UK introduces complexity with rules distinguishing corporate and individual subscribers, requiring careful processes to stay compliant. | For direct marketing, Australia requires express or inferred consent for B2B emails and strict compliance with its Do Not Call Register, pushing businesses towards relationship-driven marketing. |
| Better efforts are needed to ensure more effective enforcement of data protection legislation. | Progress could be made by enhancing individual rights and increasing accountability for both data processors and controllers. |
What steps should accountants take to protect themselves and clients?
The first step for accountants is making someone responsible for compliance with data protection laws across the entire organisation, to ensure consistency in safeguarding client data.
Tassone says those with clients in other jurisdictions should conduct a transfer impact assessment to “evaluate the risks associated with international data transfers and to identify the appropriate security measures required to safeguard the data during the transfer.”
She adds that a gap analysis should be conducted to check the strengths and weaknesses of the current compliance framework a client may have in place. The result of this audit should inform an action plan to commence a data privacy compliance project that reinforces the level of compliance.
It will also be important for accountants to have a plan in place to tackle risks related to incidents and data breaches. Training staff regularly, and keeping those who process data abreast of the risks associated with data processing activities and of supervisory authority guidance and recommendations, can keep clients safe.
To better protect clients’ data, UK accountants should adopt a governance-first mindset. Strategic governance ensures data practices align with client expectations and organisational risk tolerance, moving beyond mere checkbox compliance.