ICO: Small businesses ‘increasingly reliant’ on accountants for data protection help


The Information Commissioner's Office has called on accountants to recognise the ‘crucial role’ they play in helping small business clients stay on the right side of data protection rules. To aid this, the data watchdog has provided a list of questions for accountants to ask SME clients about data protection compliance.

23rd Feb 2023

A study conducted by the UK’s information regulator found that 34% of SME businesses trust their accountants for advice, while 20% actively use accountants to keep up to date on data protection and GDPR.

Faye Spencer, Head of Business Services at the Information Commissioner's Office (ICO), called accountants a “key part” of the SME support network as businesses look to their professional network for guidance as they grow.

“It’s clear from our engagement with SMEs that many are reliant on their accountant to ensure their business dealings are compliant with data protection laws,” said Spencer. “We’re encouraging accountants across the UK to recognise the role they play and the value they can add when it comes to offering peace of mind to clients running their own businesses.”

Established in 1984 and funded predominantly by the million or so companies that pay the data protection fee (plus grants and income generated from fines), the ICO is an independent regulatory body designed to deal with a range of information and data legislation, including the Data Protection Act 2018 and the General Data Protection Regulation.

Along with policing various data regulations, the ICO provides free resources for small businesses such as advice and guidance on data protection, electronic marketing and freedom of information on its SME hub.

Key questions for accountants

To coincide with its call for accounting firms to support small businesses with data protection advice, the ICO has provided a list of key questions for accountants to ask SME clients about their data protection compliance:

1. How much do small business clients know about data protection compliance and the ICO? Have they heard of the legislation or given any thought to how they will apply it to their own business? The regulator encourages SMEs to register with it so they have access to its free resources.  

2. What types of personal information will they collect on a day-to-day basis? Ask clients to make a list of the personal information they already have or are likely to collect as part of their business operations, as they will need to account for it all.

3. Encourage clients to ask why they are holding this personal information. If they’re holding or using people’s personal information, it must always be fair, as well as lawful. This means they should only use people’s data in ways those people would reasonably expect.

4. What security measures do they have in place? Check client security lines up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is sensitive.

5. Do they know what to do if their business has a personal data breach? ICO guidance states that a data breach action plan is essential for all businesses. If they do have a personal data breach, they'll need to report it to the ICO, unless they're satisfied it's unlikely to result in a risk to the people affected. The ICO has a guide on how to respond to a personal data breach so clients know what steps to take in an emergency.  

6. Do they have a privacy notice? The data watchdog states that it’s essential for businesses to tell people why they hold information about them, what they'll do with it, and how long they'll keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a template for SMEs to use.

7. Do they know what a subject access request (SAR) is? Customers and the general public have the legal right to ask businesses what personal information they hold about them. The ICO has a step-by-step guide on how to deal with a subject access request.  

Will 'trusted data protection adviser' status add to accountants’ workload?

Some accounting firms will no doubt agree with, and in some cases revel in, the ‘trusted data protection adviser’ tag bestowed upon them by the ICO. However, there will be some that feel the additional burden of providing non-financial advice on issues such as this could act as a drain on their bottom line. 

There’s no doubt that the role of ‘accountant as tech consultant’ has grown steadily over the years. Once the preserve of elite firms passing audit clients back and forth between their consulting wings, now technology has encroached on almost all parts of the business ecosystem, and conversations about the right tools have become a regular part of working life for practices large and small.

But for smaller firms, such services are potentially time-consuming and difficult to price – or to charge for in the first place. With SME clients, particularly those starting out with limited capital to invest in advisory services, this conundrum seems particularly acute. In such cases, the ability to direct clients to resources such as those provided by the ICO could prove helpful.

"This is the ICO basically saying ‘businesses are not listening to us, who do they listen to and can we get them to share the message’," said Billie McLoughlin, practice consultant at 2020 Innovation. "It feels a little unfair in my opinion as the burden once again falls to accountants.

"Accountants, the unsung heroes over the past three years, are now being poked and prodded from yet another angle to offer support to their clients for very little reward.

"Accountants should share this information and available resources from the ICO amongst the team to raise awareness, but not get too bogged down in the detail. Ensuring they know where to send clients to educate themselves is enough in my opinion as firms' resources are best spent elsewhere. Those accountants who believe they have the capacity to offer tailored advice or training sessions for clients can do so, but it is essential they charge accordingly."

The ICO is currently running a pilot programme with around 60 UK SMEs, trialling a new self-assessment and development programme. The SME Data Essentials pilot is aimed at providing organisations with information to manage their own data compliance, and ultimately bringing down the cost of data regulation compliance.

23 February 2023: This article was amended to add a comment

Replies (14)


By snickersinatwix
23rd Feb 2023 09:41

Yet another thing that we are expected to manage.............. it is never ending.

Thanks (7)
Replying to snickersinatwix:
By jilbo
23rd Feb 2023 09:50

snickersinatwix wrote:

Yet another thing that we are expected to manage.............. it is never ending.

My thoughts exactly!

Thanks (6)
By whiteways
23rd Feb 2023 10:25

Is the ICO offering to pay accountants for the extra work?

Thanks (5)
By jon_griffey
23rd Feb 2023 10:58

This is really not a matter for accountants. It is a very complex area of law. I for one am not a data protection lawyer or IT security specialist, nor am I Yoda and so in no position to advise. If we start going through this list and asking questions like 'what security measures do they have in place' and 'why they are holding this personal information' then this starts a dialogue and we are getting sucked in to advising in an area that is outside our competence.

If the client then gets into trouble over some data breach, we don't want them pointing the finger at us/our insurers that we owed a duty of care etc. Stick to what we know.

The root problem appears to be that the whole thing is too complicated. If the ICO free resources are so good and easy to understand then we can just point the client there? Is there not a similar list there that clients can read for themselves?

Thanks (8)
By ireallyshouldknowthisbut
23rd Feb 2023 11:33

Hang on, so 66% of businesses DON'T trust their accountant's advice? Wow.

However I am not advising clients on GDPR. It's not going to happen. Some firms may train up staff to do this, but up to them, I can't see clients paying for it.

The only time I get involved in this racket is letting customers know they don't necessarily need to pay the fee just because the ICO asked them to.

Thanks (4)
By tanyajackson
23rd Feb 2023 11:39

This is not our responsibility, nor are we licensed to give such advice. As someone else pointed out, it is complex. I would offer no more advice on this, than I would on employment law. The most I would do is direct the client to the ICO to take the questionnaire.
This is definitely a bridge tooooooo far.

Thanks (6)
By johnjenkins
23rd Feb 2023 11:47

Let's think this through. They want us to ask questions with the outcome of "yes you will have to pay".
So all they want us for is to identify people who should pay for their service cos the letters they are sending out are getting put in the bin.

Thanks (2)
By Hugo Fair
23rd Feb 2023 12:35

It's true what they say about getting older then - time really does go more slowly - I could have sworn that it wasn't one year since 1st April 2022.

It's a farcical suggestion ... even handing out a leaflet (should the ICO create a suitable one) is a step too far into the territory of unqualified professional advice.
[Leaving aside the unproductive time spent asking all those questions, there's no purpose unless you then get involved in the answers and where those will take you and your client].

It *might* increase the number of people who register (out of fright) and thereby increase the ICO's revenues (and the pool from which they would hope to extract more in future) ... but it's hardly going to increase the trust that your clients do (or don't) have in your utterances.

And it's not simple (as others have commented) - it can only be understood by a person whose job is to deal with it ... which means either a dedicated part of an employee's role or hiring an external consultant.
Neither of which will be music to the ears of a typical SME in the best of times, but right now ...?

Thanks (4)
By Tornado
23rd Feb 2023 13:04

My 'Professional Advice' is, always has been and always will be, "Go to the ICO Website where you will find all the information you need to know about Data Protection".

Thanks (6)
By Pozzer6
23rd Feb 2023 13:11

No chance! It’s a legal thing so why would we get involved. The only advice I give is to log on to ICO site and follow their advice.

Thanks (3)
By carnmores
23rd Feb 2023 14:38



Thanks (2)
By Laurent Guyot
23rd Feb 2023 15:11

Who is going to be called on to support accountants to stay on the right side of data protection rules? (and provide the support to their own clients....)

Firms which manage financial or sensitive information daily do have a role to play but more as role models for their clients with best practices and solutions, but the responsibility for data protection should not be passed on. Running any business means making sure data is protected.

Thanks (3)
By Mark Lee
27th Feb 2023 18:15

Does the ICO really mean SMEs or smaller businesses or even micro-entities?
SME of course stands for Small and Medium-Sized Enterprises. That's over 99.8% of all UK businesses.

Thanks (1)
Replying to bookmarklee:
By johnjenkins
28th Feb 2023 09:34

Mark, the only thing that the ICO is after is money. They are trying to pressure all businesses to sign up so they get a nice little income yearly for doing s.d all. The problem they are having is that when they send letters out people are putting them straight in the bin. Why else would they want us on board?

Thanks (1)