Cadarn IT
The Cadarn IT team

What ICAEW (and Your Clients) Expect From Your Practice's IT and Data Security

How ICAEW, ACCA and AAT expectations, UK GDPR and AML duties shape your practice's IT, and why good security is how you actually meet them.

  • Compliance
  • ICAEW
  • Data Protection
  • GDPR

Ask most practice partners what “compliance” means and they’ll talk about filing deadlines, AML procedures, CPD and the standards their professional body sets. IT security rarely makes the list. Yet the way you handle, store and protect client data sits right at the heart of those same obligations, and increasingly, it’s what clients quietly judge you on too.

This article looks at what your professional body, the law, and your clients reasonably expect of your practice’s IT and data security. The aim isn’t to alarm you with technical detail; it’s to show that good IT is not separate from running a well-controlled, trustworthy practice. It is how you actually deliver it.

The expectation: confidentiality and control

Whether the badge on your door says ICAEW, ACCA or AAT, your professional framework rests on a few enduring principles. Two of them bear directly on IT: confidentiality, and professional competence and due care.

Confidentiality is one of the fundamental principles every member is expected to uphold. You’re trusted with information that clients would not want shared, and you’re expected to keep it that way. Professional competence and due care, meanwhile, includes running your practice in an organised, properly controlled fashion, not leaving things to chance.

In the era of paper ledgers, “keeping client information confidential” meant a locked filing cabinet and a discreet manner. Today the same principle means MFA on your email, encrypted laptops, controlled access to your practice management system, and a backup you can actually restore from. The principle hasn’t changed; the implementation has moved into IT.

It’s worth being clear about what professional bodies generally don’t do: they tend not to publish a prescriptive, line-by-line technical specification for your IT. Their expectations are largely principle-based. That’s a double-edged sword. It means there’s no single checklist to tick, but it also means “nobody told me exactly what to do” is not much of a defence if client data is lost or exposed. The expectation to protect that data is unambiguous even where the technical detail is left to your judgement.

Why client trust raises the bar further

Your professional body is one audience. Your clients are another, and arguably a more demanding one. People hand their accountant information they’d hesitate to share with almost anyone else: income, debts, business performance, personal circumstances. They assume it’s safe with you.

A data breach in a practice isn’t just a technical incident. In a profession built on trust, it’s a reputational one. Larger clients increasingly ask direct questions about how their data is protected before they appoint or renew, and being able to answer confidently is becoming a quiet competitive advantage rather than a nice-to-have.

UK GDPR, in plain English

Your practice is a data controller under UK GDPR. You decide why and how personal data is processed, which puts the legal responsibility for handling it properly on you. Most practices also need to register with the Information Commissioner’s Office (ICO) and pay the annual data protection fee.

You don’t need to become a data protection lawyer, but a few obligations are worth understanding in plain terms.

Handle data lawfully and for a clear purpose

You should only hold personal data you actually need, use it for the purposes clients would expect, and keep it no longer than necessary. For an accountancy practice much of this is straightforward: you process data to provide the services you’ve been engaged for, and you retain records for as long as professional, tax and AML rules require. The discipline is in not hoarding data “just in case”, and in disposing of it securely when its time is up.

Keep it secure: “security of processing”

UK GDPR expects you to apply appropriate technical and organisational measures to keep personal data secure, taking into account how sensitive it is and what the risks are. The law deliberately doesn’t hand you a fixed shopping list, but the practical translation for a practice is consistent:

  • access controlled so people see only what they need;
  • strong authentication, including multi-factor authentication, on systems holding client data;
  • encryption of laptops and portable devices;
  • reliable, tested backups;
  • and protection against malware and unauthorised access.

In other words, the things a competent IT setup does anyway. Security of processing is one of the clearest places where IT practice and legal compliance are the same conversation.

Know what a breach is, and that you may have to report it

A personal data breach isn’t only a dramatic hack. It includes a lost or stolen laptop, an email sent to the wrong client, a misconfigured cloud folder, or a ransomware attack that locks up your files (losing access to data counts, not just disclosing it). A breach must be reported to the ICO without undue delay, and where feasible within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the people affected; where it is likely to result in a high risk to them, those individuals must be told as well. Whether or not a breach meets the reporting threshold, you’re expected to keep a record of it and of the reasoning behind your decision.

The practical point for a practice is twofold. First, you need to be able to recognise a breach when one happens, which means staff who know what to look for and who to tell. Second, you need the IT foundations (logging, backups, knowing where data lives) to understand what was actually affected. Both of those are easier to get right before an incident than during one.

AML data is some of the most sensitive you hold

Accountancy practices are AML-supervised businesses, and anti-money-laundering obligations create their own data-handling duties that sit alongside GDPR.

To meet your AML responsibilities you carry out client due diligence: verifying identity, understanding beneficial ownership, assessing risk, and keeping records of all of it. That means you’re holding copies of passports and driving licences, proof-of-address documents, and risk assessments: a concentrated store of exactly the information identity thieves and fraudsters want.

This creates a clear chain of obligations:

  • the records must be kept for the period AML rules require (under the Money Laundering Regulations 2017, generally five years from the end of the business relationship or the completion of the transaction);
  • they must be kept securely the whole time, because they’re sensitive personal data under GDPR as well as AML records;
  • and they must be disposed of properly once the retention period ends, since the regulations require that personal data to be deleted at that point unless there is a legal reason to keep it.

Sloppy IT around your AML files is a compliance problem on two fronts at once. A shared drive everyone can browse, due diligence scans sitting in an inbox, or an unencrypted laptop with client ID documents on it are not just untidy; they undermine both your AML and your data protection position. Treating your client due diligence store as a high-security asset, with tight access control and encryption, is simply what good handling looks like here.

Remote and hybrid working: confidentiality outside the office

Most practices now work in some hybrid pattern, with staff handling confidential records from home, at least part of the week. That’s entirely workable, but it stretches your duty of confidentiality across the kitchen table, the home broadband router and the family laptop, and it needs to be handled deliberately.

What “well controlled” looks like for remote work:

  • staff connect to practice systems from up-to-date, protected devices, ideally practice-managed rather than personal computers, and over a secured connection (a VPN or a cloud service behind MFA), not a remote desktop port opened straight to the internet;
  • laptops are encrypted, so a device left on a train is a lost asset rather than a reportable disclosure of client data (provided the PIN or recovery key wasn’t left with it);
  • access still runs through individual accounts with MFA, not shared logins or saved passwords;
  • client data lives in your managed systems (practice management software, a sanctioned cloud), not scattered across personal email, USB sticks and downloads folders;
  • and people understand the basics: locking screens, not letting family use work devices, being alert to phishing.

The principle is the same as it’s always been: client information stays confidential and under your control. Hybrid working just means that control has to follow your staff home, by design rather than by luck.

The core argument: good IT is compliance

Here’s the idea worth holding on to. It’s tempting to think of compliance and IT as two separate budgets, one for the professional and legal stuff, one for the computers. In reality, for the obligations above, your IT controls are the mechanism by which you meet them.

  • The duty of confidentiality is delivered by access control, MFA and encryption.
  • “Security of processing” under GDPR is delivered by backups, malware protection and secure configuration.
  • Keeping AML records safe is delivered by controlled storage and encryption.
  • Being able to handle a breach is delivered by backups, logging and a team that knows what to do.
  • Running a “well-controlled practice” is, in large part, running well-controlled systems.

This is also why a recognised baseline like Cyber Essentials maps so neatly onto professional expectations: its five control areas (firewalls, secure configuration, user access control, malware protection and security update management) are the same fundamentals listed above. Our Cyber Essentials guide for accountancy practices walks through those controls in plain English. And because backups are so central both to GDPR resilience and to your professional duty to keep records, it’s worth reading alongside how to back up your practice properly.

What good looks like: a practical checklist

You don’t need a compliance department to meet these expectations. For most small and mid-sized practices, the picture below is both achievable and genuinely sufficient. Treat it as a self-check rather than a rigid standard.

  • Multi-factor authentication is switched on everywhere staff log in: email, practice management software, cloud accounting, remote access.
  • Individual accounts and least-privilege access: everyone has their own login, no shared passwords, and people can only reach the data their role needs.
  • Administrator accounts are controlled and used sparingly, since they’re the most damaging to lose.
  • Devices are encrypted and kept up to date, including laptops used at home.
  • Backups run automatically, at least one copy is kept separate from the live systems (offline, or otherwise out of reach of anyone who has taken over your network or an admin account), and restores are tested so you know you could actually recover.
  • Malware protection and a sensible firewall are in place and current.
  • AML and client due diligence records are stored in a controlled, access-restricted location, not in inboxes or open shared folders.
  • A retention and disposal habit, so that old personal data isn’t kept indefinitely or deleted insecurely.
  • Staff awareness of phishing, invoice fraud and what counts as a data breach (see our guide to invoice fraud and business email compromise).
  • You know where client data lives, so you could answer a client’s, or the ICO’s, questions if you had to.

If you can tick most of those honestly, you’re in good shape. If a few make you wince, that’s useful to know now rather than after an incident.
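One concrete way to turn “tested so you know you could actually restore” into a routine rather than a hope is a scripted restore test. The Python below is an added example written for this article, not code from the original page or from any backup product. It backs up a constructed sample client folder alongside a SHA-256 manifest, restores it into a separate scratch location, and reports any file that is missing or altered. The folder names, file contents and the simulated corruption are all made up for the demonstration; in practice you would point it at your real backup target on a schedule and alert on a non-empty result.

```python
"""Restore test for a file backup: back up a folder with a SHA-256 manifest,
restore it to a scratch location, and verify every file byte-for-byte.

Constructed, self-contained example (not the original article's code). It uses
a temporary directory with made-up client files instead of a real practice
share; the paths and contents below are illustrative only.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large ledgers or scans don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict[str, str]:
    """Copy `source` into `backup/data` and write manifest.json (relative path -> hash).

    The manifest is what lets a later restore test prove completeness: a backup
    job that silently skipped a file still reports 'success' without one.
    """
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source).as_posix()
        dest = backup / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)
        manifest[rel] = sha256_of(f)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(backup: Path, scratch: Path) -> list[str]:
    """Restore the backup into `scratch` and return a list of problems (empty = pass).

    Restores to a separate location on purpose: a restore test must never be
    able to overwrite the live data it exists to protect.
    """
    manifest = json.loads((backup / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        src = backup / "data" / rel
        dst = scratch / rel
        if not src.exists():
            problems.append(f"missing from backup: {rel}")
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Run a clean restore test, then damage one backed-up file and re-run.

    Returns (problems_before, problems_after) so the difference is checkable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "clients"
        (live / "acme-ltd").mkdir(parents=True)
        # Constructed sample data standing in for a practice's client folder.
        (live / "acme-ltd" / "ledger-2024.csv").write_text("date,amount\n2024-01-31,1200\n")
        (live / "acme-ltd" / "cdd-notes.txt").write_text("Identity verified 2024-02-01.\n")
        backup = root / "backup"
        make_backup(live, backup)

        clean = restore_test(backup, root / "restore-1")

        # Simulate silent damage to the backup copy (a failing disk, or a file
        # touched by ransomware): the manifest now disagrees with the data.
        (backup / "data" / "acme-ltd" / "ledger-2024.csv").write_text("date,amount\n")
        damaged = restore_test(backup, root / "restore-2")
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", "PASS" if not before else before)
    print("damaged backup:", "PASS" if not after else after)
```

The manifest is written at backup time and checked at restore time, so a file the backup job skipped or a copy that rotted on disk shows up as a named problem rather than a “job completed” message. Keeping the manifest with an offline copy of the backup also gives you something an attacker who encrypts the live share cannot quietly rewrite.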

Where to start

The expectations from ICAEW, ACCA and AAT, from UK GDPR, and from your AML supervisor all point the same way: protect client data, and run a practice that’s properly in control of its systems. The reassuring part is that meeting them rarely calls for anything exotic; it’s the disciplined basics, done consistently.

If you’d like an honest, jargon-free read on where your practice currently stands, that’s exactly what a free Practice IT Health Check is for. In 15 to 20 minutes we’ll talk through your backups, security posture and any obvious compliance gaps, and tell you plainly what, if anything, is worth tackling first. No pressure, no sales script, and nothing you have to action unless you want to.

Good IT and good compliance aren’t two jobs. They’re the same job, and getting it right is a lot more comfortable than explaining, after the fact, why you didn’t.

Frequently asked questions

Does ICAEW have specific IT or cyber security rules my practice must follow?

ICAEW's expectations are mostly principle-based rather than a prescriptive technical checklist. The professional standards and the Code of Ethics expect you to keep client information confidential and to run a properly controlled practice, which in modern terms means having sensible IT security in place. The practical detail of how you do that (backups, access control, MFA and so on) is left to you, but the obligation to protect client data is clear. Always check the current ICAEW guidance for the precise wording that applies to your firm.

Is my accountancy practice covered by UK GDPR?

Almost certainly, yes. If you process personal data about clients, their staff, or individuals connected to the businesses you act for (names, contact details, National Insurance numbers, payroll, financial affairs), you are a data controller under UK GDPR and must handle that data lawfully and securely. Most practices also need to be registered with the ICO and pay the data protection fee.

What does AML supervision require me to do with client data?

As an AML-supervised business you must carry out and keep records of client due diligence: identity documents, beneficial ownership information, risk assessments and so on. That information is highly sensitive and must be stored securely, retained for the required period, and then disposed of properly. Poor IT security around your AML records is both a data protection risk and an AML compliance risk.

We're a small practice. Isn't all this overkill for us?

The size of your firm doesn't change the sensitivity of the data you hold or your duties under GDPR and AML supervision. The good news is that meeting these expectations rarely requires anything exotic: reliable backups, multi-factor authentication, controlled access, encryption and a bit of staff awareness cover most of it. A short Practice IT Health Check is usually enough to show where you stand.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
