5 Ways Accounting Firms Accidentally Breach GDPR Without Realising It

Most accounting firms don’t get into GDPR trouble because of elite hackers or sophisticated ransomware strains. They get into trouble because of very ordinary things:

  • rushed emails
  • insecure sharing habits
  • shared logins
  • forgotten accounts
  • unmanaged devices
  • ungoverned use of AI tools

For practices handling tax returns, payroll, bank data, and AML/KYC documentation every day, these “little” mistakes can be enough to trigger a personal data breach under the UK GDPR.

The Information Commissioner’s Office (ICO) frequently highlights that many reported incidents come down to human error and process failures – especially misdirected emails and accidental disclosures. You can see this reflected in their data security incident trends: ICO Data Security Trends

This article looks at five ways accounting firms commonly drift into GDPR risk, with real-world cases from adjacent professional sectors, and practical steps you can take to avoid becoming the next cautionary story.


1 – Sending Client Data to the Wrong Person

Why this is still such a big problem

The ICO’s guidance on common data protection mistakes explicitly calls out emails sent to the wrong person as a recurrent cause of data breaches: ICO Common Mistakes Guide

Inside an accounting firm, that often looks like:

  • a tax return emailed to the wrong “John Smith” in your address book
  • a payroll spreadsheet attached to the wrong client thread
  • a bulk update sent with visible “To/Cc” instead of “Bcc”
  • the wrong PDF attached, containing another client’s information

Why it matters under GDPR

Under the UK GDPR, sending personal data to an unintended recipient is an unauthorised disclosure – a personal data breach, even if it was accidental and even if the recipient is another professional.

The ICO and legal commentators emphasise that you must assess the risk to individuals, and in some cases notify both the ICO and the affected data subjects. A helpful explainer: What to Do When Email Sent to Wrong Person

For accountants, this often involves highly sensitive financial and identity data, so the risk level is frequently more than “low”.

Practical ways to reduce this risk

  • Turn off or restrict autocomplete in email where possible.
  • Use secure client portals or encrypted links for documents, not direct attachments.
  • Standardise on Bcc or mail-merge tools for bulk emails.
  • Create a simple, written incident response process for mis-sent emails (containment, risk assessment, notification decision).
  • Train staff using realistic accounting scenarios – January tax rush, payroll deadlines, client chasing.

2 – Using Insecure Channels for Client Data

The convenience trap

Under time pressure, people use whatever “works”:

  • WhatsApp to send a PDF of a passport
  • personal Gmail for “quick” forwarding
  • shared cloud links set to “anyone with the link can view”
  • SMS or messaging apps for sending bank details

From a GDPR point of view, this often fails the requirement to have appropriate technical and organisational measures for protecting personal data.

ICO guidance on accidental personal information breaches: ICO Accidental Breach Guide

Typical accounting workflows at risk

  • Clients sending ID documents for AML/KYC checks.
  • Directors emailing salary details or dividends using personal accounts.
  • Staff working remotely, forwarding files between personal and work inboxes.
  • Ad-hoc file-sharing via public links that are never revoked.

What good looks like

  • A secure, centrally managed client portal for all document exchange.
  • Clear firm-wide rule – no client personal or financial data via WhatsApp, SMS or personal email.
  • Configured cloud storage with strict sharing settings (no public links; access per client).
  • MFA for all cloud services used with client data.
  • Regular user training on the difference between “convenient” and “compliant”.

3 – Shared Logins, Weak Access Controls & Forgotten Accounts

Why this is more dangerous than it looks

It is still common to see:

  • one shared login for Companies House or HMRC access
  • generic “admin” or “info” accounts used by several people
  • junior staff using partner logins “to get things done”
  • accounts left active after staff leave

GDPR expects you to restrict access to authorised users and to know who accessed what and when. That is hard to do with shared accounts.

The ICO’s security expectations refer to proportionate access controls as part of “appropriate technical and organisational measures”: ICO Security Guidance

Real-world example – law firm, same pattern of risk

In April 2025, UK law firm DPP Law Ltd was fined £60,000 after a cyber attack exploited a legacy administrator account without multi-factor authentication. Attackers stole over 32GB of highly sensitive data, which then appeared on the dark web.

ICO press release: Law Firm Fined £60,000

Although this was a law firm, not an accountancy practice, the pattern is very similar – a privileged account on a legacy system, too much access, and not enough control.

What accounting firms should do

  • Eliminate shared logins – every user gets their own account.
  • Enforce multi-factor authentication (MFA) wherever possible.
  • Maintain a formal joiner–mover–leaver process for access creation, changes and removal.
  • Run periodic reviews of who has access to which systems and which clients.
  • Log and, where feasible, monitor access to sensitive data (payroll, tax, AML files).
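The last two bullets, periodic access reviews and monitoring of access, are easy to state and easy to neglect. As an added illustration (not part of the original article or any PPCS tooling), the Python below runs a small review over a constructed sign-in export: it flags dormant accounts that may belong to leavers, sign-ins made without MFA, and the tell-tale of a shared login (one account used from several devices inside a short window). The column layout, the 90-day dormancy threshold and the three-devices-in-an-hour rule are assumptions to be tuned to a firm's own systems.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in export (not real data). Fields: timestamp, account, device, mfa_used.
# Real identity-provider exports differ; this column layout is an assumption for the example.
SIGNIN_LOG = """\
2025-06-02T08:55:00 admin@firm.example laptop-reception no
2025-06-02T09:02:00 admin@firm.example laptop-payroll no
2025-06-02T09:10:00 admin@firm.example phone-partner no
2025-06-02T09:15:00 j.smith@firm.example laptop-jsmith yes
2025-06-03T10:00:00 a.jones@firm.example laptop-ajones yes
2025-02-14T17:30:00 m.khan@firm.example laptop-mkhan yes
"""

def parse_log(text):
    """Turn the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, device, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "device": device, "mfa": mfa == "yes"})
    return events

def review_access(events, as_of, dormant_days=90, share_window=timedelta(hours=1), share_devices=3):
    """Return {account: [issues]} for every account that needs a human review decision."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        issues = []
        if as_of - evs[-1]["ts"] > timedelta(days=dormant_days):
            issues.append("dormant")        # candidate leaver or forgotten account
        if any(not e["mfa"] for e in evs):
            issues.append("no_mfa")         # at least one sign-in without MFA
        # Shared-login indicator: many distinct devices on one account inside a short window.
        for i, start in enumerate(evs):
            devices = {e["device"] for e in evs[i:] if e["ts"] - start["ts"] <= share_window}
            if len(devices) >= share_devices:
                issues.append("shared_login")
                break
        if issues:
            findings[account] = issues
    return findings

def run_review(as_of="2025-06-30"):
    """Review the embedded sample as at the given ISO date (a constructed review date)."""
    return review_access(parse_log(SIGNIN_LOG), datetime.fromisoformat(as_of))
```

Calling `run_review()` on the sample flags the `admin` account for both missing MFA and shared use, and `m.khan` as dormant; the two individually named, MFA-protected accounts produce no findings, which is the state every account should be in after a joiner-mover-leaver cycle.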

These are the same sorts of controls formalised in ISO 27001 and supported by certification schemes like Cyber Essentials – and they are increasingly expected by larger clients.


4 – Hoarding Data & Losing Track of Devices

The “we never delete anything” mindset

Accountants often keep everything:

  • email threads going back years
  • multiple copies of client spreadsheets
  • old backups on USB drives or external disks
  • local copies of documents on laptops “just in case”

GDPR’s storage limitation principle requires that personal data is kept no longer than necessary for the purposes for which it was collected.

The ICO expects organisations to have clear retention policies and to align their practices with them: ICO Retention Guidance

Where this becomes a real risk

The storage issue often becomes most visible when something goes wrong, such as:

  • a laptop used for client work is lost or stolen
  • a phone with company email and cloud access goes missing
  • old USB drives or disks with client data are misplaced

If those devices hold years of data that should have been archived or deleted, it can increase both the scale of the breach and the questions you get asked about your retention practices.

Practical controls for firms

  • Define clear retention periods for different record types (tax, statutory accounts, payroll, AML, marketing).
  • Configure systems to automate as much of that retention as possible (email archiving rules, document lifecycles).
  • Encrypt all laptops, tablets and phones used for firm work; enable remote wipe where possible.
  • Reduce reliance on USB sticks and unmanaged external drives for client data.
  • Keep an asset register and a simple process for provisioning and retiring devices.

Even if you are never fined purely for “hoarding”, these measures significantly reduce the impact of any incident and demonstrate to clients and regulators that you take data protection seriously.


5 – Feeding Client Data into AI Tools Without Governance

The new risk that is quietly spreading

Many accounting firms are experimenting with AI tools to:

  • draft client emails
  • summarise technical content
  • translate or rephrase advice
  • generate checklists and workflows

Some staff will also, understandably, paste small amounts of client data into public AI tools to “get a quick answer” – especially if there is no clear policy.

The ICO has published detailed guidance on AI and data protection, highlighting issues such as lawful basis, transparency, data minimisation and accountability: ICO AI Guidance

While there are not yet widely publicised ICO fines against small firms specifically for AI misuse, regulators are signalling that AI processing of personal data will be held to the same standards as other forms of processing.

Specific risks for accounting firms

  • Staff pasting identifiable client data into consumer AI tools without contractual data protection guarantees.
  • No DPIA (Data Protection Impact Assessment) carried out for higher-risk AI use cases.
  • AI outputs being over-trusted and not checked for accuracy, fairness or bias.
  • Lack of documentation about what AI tools are used, on what data and for what purpose.

Sensible governance steps

  • Publish a clear internal AI policy for staff – what is allowed, what is not, and which tools can be used.
  • Restrict use of client personal data to enterprise-grade AI tools with appropriate contracts and data-processing terms.
  • Conduct DPIAs for higher-risk AI use cases, especially where they involve profiling or could meaningfully affect individuals.
  • Log significant AI use cases so you can explain them if challenged.
  • Consider aligning with emerging AI governance frameworks such as ISO 42001 to give structure to your approach.

At this stage, AI governance is about getting ahead of a foreseeable risk, not reacting to a wave of enforcement – but in a heavily regulated profession like accountancy, that is usually where you want to be.


A Note on Real-World Enforcement & “Firms Like Yours”

You might reasonably ask:

“But are accounting firms actually getting fined for this stuff?”

Publicly, most high-profile ICO decisions involve larger organisations and adjacent professions (outsourcing firms, law firms, local authorities, telecoms, etc.). Two useful examples from professional services illustrate the expectations placed on organisations handling sensitive financial data.

Capita £14m fine – professional services & pensions data

Capita, a major outsourcing and professional services company, was fined a total of £14m for failing to protect personal data in a 2023 cyber attack that affected over 6.6 million people, including members of hundreds of pension schemes.

ICO press release: Capita Fined £14m

Although Capita is not an accounting firm, the type of data involved – pensions, payroll, financial details – is very similar to what many accountants handle.

DPP Law £60k fine – sensitive client data on the dark web

As noted earlier, DPP Law Ltd was fined £60,000 after attackers accessed a legacy system through an administrator account without MFA and exfiltrated around 32GB of highly sensitive data later found on the dark web: DPP Law Fined £60k

Again, not an accounting firm, but extremely similar in terms of sensitivity of client data and professional obligations.

There are fewer named public enforcement actions specifically against accountancy practices, but sector-level information released through FOI shows that accountancy and payroll firms do report data breaches to the ICO each year, including both cyber incidents and human-error incidents such as misdirected emails and lost devices.

Example FOI (Accountancy & Payroll under financial services): ICO FOI Data

So even if you have not yet seen a peer firm named and shamed, the pattern is clear – similar data, similar risks, similar expectations. Waiting for a “test case” in your exact niche is unlikely to be a winning strategy.


Why This Matters Commercially – Not Just Legally

GDPR is often framed as a compliance headache, but for accounting firms it is increasingly a commercial issue.

🔒 Client Expectations

Large clients, public-sector bodies and regulated entities expect evidence of good security – often Cyber Essentials, Cyber Essentials Plus or ISO 27001.

📋 Due Diligence

Tender documents and due-diligence questionnaires routinely ask how you protect client data, manage incidents and govern AI use.

⚠️ Trust Damage

A serious breach can damage trust with clients and referrers in a way that outlasts any fine.

In other words, good GDPR practice and strong cyber governance are part of your value proposition as a modern accounting firm, not just a regulatory burden.


How PPCS Helps Accounting Firms Tidy Up “Accidental” GDPR Risk

At PPCS, we specialise in cyber security, GDPR and AI governance for accounting practices. Our focus is simple – identify where accidental breaches are most likely to happen in your firm, put practical controls in place and help you evidence those controls to clients, regulators and your own partners.

Typical support includes:

  • GDPR and security gap assessments tailored to real accounting workflows.
  • Cyber Essentials and ISO 27001 implementation scoped for accounting firms.
  • AI governance and ISO 42001 readiness for safe, compliant AI adoption.
  • Secure email and document sharing configurations (Microsoft 365, Google Workspace, client portals).
  • Joining up HR, IT and partners around access control and device management.
  • Incident response playbooks that cover both cyber attacks and human error (like mis-sent emails).
  • Staff training designed for accountants, not generic IT security awareness.

If you would like to understand where your firm’s real GDPR risks are – and what it would take to fix them – PPCS can help you map that out in a structured, commercially sensible way.

Protect Your Accounting Firm from Accidental GDPR Breaches

Talk to PPCS about GDPR compliance, Cyber Essentials and practical security controls for accounting practices.

Contact PPCS Today