There seems to be a lot of waffle on this subject, though guidance is still expected. I'm a sole practitioner, and this is what I intend to do.
Normally in February, I write out to all clients advising them of my forthcoming holidays and to bring them up to date with such things as MTD. This year, I am going to enclose a letter requesting their consent to hold data digitally and to advise them that I am the data controller for the practice. Avoiding the pre-ticked-box issue, I will ask them to return it, signed and dated. The letter will confirm that data will only be shared with HMRC, CoHouse and my software provider, that no other info will be shared except with express approval (ie mortgage lenders) and that anti-virus protection is in place.
Is there anything I am missing or doing wrong?